Egregor Ransomware – A Deep Dive Into Its Activities and Techniques

One of the most active ransomware groups, Egregor is part of the Sekhmet malware family that has been active since mid-September 2020. Like most other Ransomware groups, it targets organizations across the world. The ransomware operates by hacking into organizations, stealing sensitive user documents, encrypting data, and finally demanding ransom in exchange of decrypted documents.

Ransomware attacks have been on a steady rise for the past couple of years, and in 2020 alone we saw an uptick in the number of ransom attacks on companies worldwide. Even as we are in the middle of a pandemic and the world is already struggling with COVID-19, pharmaceutical companies are also becoming easy targets to ransomware. Cyber criminals often take advantage of fear and uncertainty during major critical world events by initiating cyberattacks in the form of social engineering campaigns.

Allegedly, 52 companies have been breached by the threat actor till today (as of October 30, 2020), from GEFCO group being among the first ones to the more recently affected organizations such as Crytek, Ubisoft, Foxtons Group, and Barnes & Noble.

Below is the list of companies whose data has been leaked by this Ransomware threat actor.

The screenshot below has been taken from the threat actor’s blog, showcasing 6945 visits to the GEFCO Group post till today (as of October 30, 2020).

Files of the Foxtons Group and NHK International were allegedly leaked on October 13, 2020. The image below showcases the files initially leaked by the threat actor.

Crytek is an independent video game developer based in Germany. On September 18, 2020, the company released the game ‘Crysis Remastered’ and Egregor has made claims to be in possession of the engine source codes.

The post about Ubisoft breach was published by the threat actor on October 17, 2020 with claims of being in possession of the source codes of the game ‘Watch Dogs: Legion’ even before the actual release of the game.

We have attached some of the screenshots of the leaked files of Ubisoft.

Most recently, the American bookseller Barnes & Noble was allegedly breached by the ransomware operator, and the corresponding blog post was published on October 20, 2020. Only 10% of the data has been leaked till today (as of October 30, 2020) in two parts.

This leak contains the two .hive files which is a set of the logical group of keys and values from the Windows registry. The other two .dit files are directory information tree used by Active Directory in a Microsoft-hosted environment.

On closer inspection we found that it is possible to compromise these files and gain access to the accounts listed along with the password hashes from the given active directory domain, and the registry hive file provides the system information that enables decryption of the .dit file.

We suspect that these leaked files are copied directly from one of the domain controllers (a server) or from the backup of the company’s IT infrastructure.

The research team at Cyble has uncovered the technical aspects of the ransomware along with Tactics, Techniques, and Procedures (TTPs) used by the threat actor.

Technical Analysis of the Ransomware:

In the course of our routine threat hunting, the Cyble Research team discovered the latest list of the Egregor Ransomware zip archive files in the wild on October 27, 2020. The file under analysis is a zip archived ransomware dynamic link library and compiled by Microsoft Visual C++ 8.0 as shown below.

The Egregor Ransomware family shares functionalities of other ransomware actors like Clop Ransomware. As per the intelligence analysis, the threat actor has a possible link to TinyMet Payload v0.2 which was used by Clop Ransomware as a precursor for the TA505 Post-Exploitation Operation. The malware hosting server has been traced back and identified to the server with IP 49.12.104[.]241 and located in Germany, as shown in the figure below.

The ransomware possesses multiple anti-analysis techniques such as code obfuscation and packed payloads. The below hex view indicates the encrypted data section of the payload file.

The payload also employs anti-debugging and evasion techniques by using windows APIs to make the research and detection of the malware difficult, as depicted below.

The payload file is a COM library with 3 export functions, as show in the image below.

Interestingly, the payload data can only be decrypted with the correct command line argument, signifying that the file cannot be analyzed manually or using a sandbox without the exact command line parameter. The command line parameter has been encrypted as shown in the disassembler view below.

During our analysis, we successfully extracted the command line argument to execute its payload. The following command is used to execute the payload.

“C:\Windows\System32\rundll32.exe” %path to file%\sm.dll,DllRegisterServerpassegregor10

Upon execution, the payload injects into iexplore.exe process and starts encrypting text files and documents of the victim machine. The process explorer highlights the read and write operation during the file encryption as shown below.

The payload file also checks for the Logmein event log in an attempt to encrypt files in remote machines or servers connected to the victim’s machine. The path to the log file is hard-coded in the payload file, as shown here.

The encrypted file names are appended with a string of random characters as the new extension {Regex for extension [a-zA-Z] {4,6}}. For example, it renames a file named “ProcessExplorer.zip” to “ProcessExplorer.zip.EYmA”, “ProcessMonitor.zip” to “ProcessMonitor.zip.TPBJK” and so on. Also, the threat actor creates the “RECOVER-FILES.txt” with ransom note in all folders that contain encrypted files, as shown in the figure below.

As explained in the “RECOVER-FILES.txt” Ransom note, the threat actor locks computers and servers and downloads data. Victims are advised to contact Egregor’s developers within three days, and on failing to do so, their data stands to be published. The cyber criminals behind this ransomware can be contacted through the provided websites with live chat (one of the websites can be opened only with the Tor browser, and another one is accessible with all browsers).

Unfortunately, there are no third-party tools that can decrypt files encrypted by this threat actor considering that the user needs a private key from the hacker server to decrypt the files. The cyber criminals behind this ransomware are the only ones with the decryption software and key.

We have attached a screenshot of ransom-note with instructions on contacting the threat actor to retrieve their original data.

Conclusion:

The Egregor ransomware group is actively targeting different sectors like online games, retails, etc. and there might be a high chance of it switching its gears and focusing other sectors in the near future. Therefore, it is necessary for companies to increase their security measures and set up proactive protection techniques such as the periodic backing up of data and protecting data with strong encryption.

Cyble Research team is continuously monitoring in dark and deep web to collect any major data breaches as well as internet to harvest threat indicators/TTP’s of Emerging threats in the wild to ensure that targeted organizations are well informed and proactively protected.

MITRE ATT&CK Metrics:

 Spear phishing attachment or drive by downloadNative APIDLL Side-Loading1  Process Injection1MasqueradingSystem Time Discovery1  Archive Collected Data1  Encrypted Channel1
   DLL Side-Loading1  Virtualization/Sandbox Evasion2  Security Software Discovery2   Both Application and non-application Layer Protocol2  
    Process Injection1Virtualization/Sandbox Evasion2    
     File, folder and system information Discovery  

INDICATORS OF COMPROMISE (IOCS):

File Hash:

b81d2293b43decd5a401487da952deb32cbb53f118882b97b457a14c67029247

561092877e91f2741ed061cbe7a57d1af552b600c6654ccc588cb6bff7939152

c9d46c319ed01c183598f7b9a60b9bca34b2eea989f4659e9aa27c7a1bf8681c

9fffabede0ef679970666f04184340437cd70bc8fe870ee8174713ececf32398

072ab57f9db16d9fb92009c8e10b176bd4a2eff01c3bc6e190020cf5a0055505

b027467332243c8186e59f68ff7c43c9e212d9e5074fedf003febcfedad4381a

1a722cde21a4338b26bc37401ef963022d97cea141c985e6615a10287f8d02ff

f1ba626b8181bd1cd84f47f70838d9fa4d8117fac3bd07cbd73cb6f73b1297f8

49b3d9c3bd6b6a13f89f0e849d80531454cc5cd259cbb7c8a806c67cd403575e

410afc5daebd7b39410b046286b814bb5fb5f9139167cd310bc59cc4461d4083

e3ef50749f144bfd7f5d7d51aaa9e2332b706c4d8ac130fdc95f50662525f6e0

3dba9fbef8f8a42ecfa65022b8a3c54738d15ef67c666272078b58b3c9a0a414

5455d104e693445dce5567236f4e047617bae7f09d5ca8699a838c2d17d37fb3

7caed5f406445c788543f55af6d98a8bc4f0c104e6a51e2564dd37b6a485cc18

386cf4e151bc7510c3333eb1a5c96ab1b7becd8cfb94bcb76e93458078daf66f

2d01c32d51e4bbb986255e402da4624a61b8ae960532fbb7bb0d3b0080cb9946

605c2047be7c4a17823ad1fa5c1f94fd105721fce3621dc9148cd3baf352938e

c1c4e677b36a2ee6ae858546e727e73cc38c95c9024c724f939178b3c03de906

28f3f5a3ea270d9b896fe38b9df79a6ca430f5edab0423b3d834cf8d586f13e6

7222c8acc69a7598989c335d528b366f801a41b434cbf928c6aef01f8e54f57a

IP’s/Domains/URLs:

49.12.104[.]241

hxxp://49.12.104[.]241[:]81/78.bin

hxxp://49.12.104[.]241/sm.dll

hxxp://49.12.104[.]241:81/sm.dll

91.199.212[.]52

Crt.sectigo[.]com

Is it ok to pay ransom to the threat actor? The answer is a resounding ‘NO!’ because the payment of a ransom to cyber threat actors still comes with a degree of inherent risks such as data being leaked despite ransom payment, and this also increases the chances of the hacker attacking again and demanding ransom. However, despite these challenges involved, deploying solutions that neutralize the effects of data breaches is the need of the hour!

Here are a few ways to prevent cyber-attacks:

  • Never click on unverified/unidentified links
  • Do not open untrusted email attachments
  • Only download media from sites you trust
  • Never use unfamiliar USBs
  • Use security software and keep it updated
  • Backup your data periodically
  • Keep passwords unique and unpredictable
  • Keep Software and Systems up to date
  • Train employees on Cyber Security
  • Set up Firewall for your internet
  • Secure your Wi-Fi
  • Protect files with a password.
  • Take a Cyber Security assessment
  • Update passwords regularly

About Cyble

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.io.    

Leave a Comment

Your email address will not be published.

%d bloggers like this: