Egregor: The Ghost of Soviet Bears Past Haunts On
By Adam Brown and Harold Rodriguez, Arete Cyber Threat Intelligence Team
Ransomware variants come. Ransomware variants go. And while Egregor may have only recently surfaced, it is by no means a fly-by-night operation. In fact, one could argue that the foundation upon which Egregor operates has been around since Stalin and Beria’s secret police, and it is been lurking, watching, waiting for the right time to strike.
As a mature and exclusive Ransomware-as-a-Service (RaaS) platform, Egregor poses a serious threat to both public and private organizations. Not only is it supported by seasoned cybercriminal software developers, but it also caters to experienced affiliates who effectively target and compromise organizations, executing enterprise-wide deployment to maximize the monetization of their efforts.
In particular, Egregor plagues the manufacturing and retail sectors, with recent targets including well-known brands like Kmart, TransLink, Embraer, Randstad, Barnes & Noble, and Ubisoft. While the ransomware impacted more than 100 organizations across France, Italy, Germany, the U.K., Asia-Pacific, the Middle East, and Latin America in the final quarter of 2020, U.S. organizations remained top targets, accounting for roughly 50 percent of attacks in that timeframe.
Given the observed consistency of broad, opportunistic targeting, an attack is more a matter of when for organizations that remain unprepared.
Statistical data on Egregor ransomware from Arete metrics
The information listed below is based on Egregor cases investigated by Arete IR since October 2020. Our IR and Data Analytics practices work together to track key data points for every ransomware engagement. Our IR practice tracks data points on the ransomware variant and collects statistics based on handled engagements:
- Sectors of clients affected by this threat:
Healthcare | Finance | Professional Services | Manufacturing | Public Service
- Malware precursor: Qbot and IcedID
- Average ransom demand: $3,407,119
- Highest ransom paid: $1,000,000
- Lowest ransom paid: $100,000
- Average business downtime: 12 days
- Data exfiltration has been observed in 99 percent of the cases. In one outlier case, where there was no data exfiltration, Arete assisted the client with data restoration.
From whence the brazen Egregor came
Egregor is a label inspired by the occult, signifying the collective “energy” or “force” of a group of individuals — perhaps befitting an affiliate-serving RaaS platform. It was first publicly identified as early as September 2020, closely following the alleged cessation of Maze ransomware operations the month prior. Both ransomware platforms evolved from the Sehkmet ransomware family, and code analysis of each has provided high-confidence indications that Egregor ransomware is most likely a successor to Maze, whose developers and operators have not ceased operations but merely “re-branded.”
Egregor developers and operator affiliates are likely Russian and/or Eastern European cybercriminals. Security researchers have noted observations of deployment script comments in Russian, and Egregor performs language checks in similar sequence and fashion to its predecessor Maze; it will not execute on systems with a regional designator for Russia or Commonwealth of Independent States (CIS) signatories.
The affiliates operating Egregor are also infamous for their brazen intimidation — for example, allegedly printing ransom demands from victim network printers — and hardline negotiating, executing on the ultimatum that they will leak victim data within 72 hours if they do not receive a response following the encryption of victims’ systems. In many cases, they will leak the entirety of the data they exfiltrate.
Egregor high-level technical overview
While tactics, techniques, and procedures (TTPs) may vary amongst operators, it’s important to note that Egregor caters to semi-exclusive affiliates, likely of Russian or Eastern European origin.
The broader research community has observed consistent commonalities between Egregor and ProLock intrusion cycles. Given their similarities in TTPs, supported by multiple open-source confirmations of our own observations, we assess with high confidence that Qakbot operators have likely transitioned from ProLock to Egregor.
Egregor operators are known to exploit vulnerable and internet-accessible RDP gateways and phish victims with targeted, convincing lures. They also commonly deploy Egregor through Qakbot (Qbot), Ursnif (Gozi/ISFB), IcedID (Bakbot) infostealer/loader hybrid Trojan malware. Cobalt Strike has also been used to deliver Egregor in select instances.
The Egregor payload was likely designed to be portable, serving various affiliate tools, and is commonly encountered as a PE in dynamic linked library (DLL) form. Open-source Intelligence (OSINT) indicates that the DLL contains code and data, natively supporting multiple bot loader functions. The payload will not be decrypted and loaded without the proper key phrase provided to the DLL in the command line.
Egregor operators perform several evasive maneuvers during to the intrusion cycle, including disabling antivirus and endpoint protection (e.g., Windows Defender) via automated scripts (e.g., PowerShell+WMI) executed under elevated privileges.
OSINT reporting reveals that operators have uploaded batch files to victim system that, when executed, will take advantage of the BITSAdmin (bitsadmin.exe) utility to download the ransomware from a remote server and automatically execute it in the system.
The malware supports the following command-line arguments:
–fast: targets files within a size-limit range for encryption
–full: full encryption of the host (including mapped/mounted network drives)
–multiproc: multi-threading for speed
–nomimikatz: switch off Mimikatz module; Mimikatz is an open-source OST credential-harvesting tool
–nonet: do not encrypt network drives
–path: encrypt only specified folder(s)
–target: encrypt file(s) that have a specific extension
–append: select file extension to append to encrypted files
–norename: do not rename encrypted files
–greetings: prepend a name to the ransom note, likely used for directly addressing victims
–samba: establish file-, printer-, and serial port-sharing between compromised nodes
–killrdp: terminate RDP session
During breach response investigations, Arete has observed the following artifacts associated with the ransomware execution:
- rundll32.exe C:\%USERNAME%\Downloads\clang.dll,DllRegisterServer -pigbutt5 –multiproc
- rundll32.exe \\Domain_Controller\Intel\msvc.dll,DllRegisterServer -passegr17 –multiproc
- rundll32.exe C:\Windows\msvc.dll,DllRegisterServer -passegr13 –full
- rundll32.exe C:\Windows\dog.dll,DllRegisterServer -pclassified13 –full
- rundll32.exe \\Domain_Controller\intel\fasm.dll,DllRegisterServer -pbiden17 –multiproc
- C:\Windows\system32\cmd.exe /c eb2.bat -passegr13
- C:\Windows\system32\cmd.exe /c eb.bat -pclassified13
The last two artifacts show the threat actor using a batch file to pass the key phrase and properly execute the ransomware with the “–full” option.
The following tools have also been found to be associated with the threat actor activity:
- Advanced Port Scanner: A network scanner that enumerates networked hosts and open ports.
- ADFind: A tool that is used to enumerate Active Directory.
- Lazange: A password recovery tool to harvest credentials.
- PsExec: A lightweight tool that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software.
- Implement a sophisticated endpoint detection and response (EDR) solution that will rely on behavior analysis, instead of just malware signatures, and have tamper-proof capabilities.
- Implement multi-factor authentication (MFA).
- Implement an email security solution to detect and protect against known and unknown threats.
- Lock down and tighten privileges around Microsoft PowerShell in your environment. Apply and enforce PowerShell Constrained Language Mode (CLM) throughout your environments. Consider Just Enough Administration (JEA) policies to allow select PowerShell host administrative capabilities while disabling others.
- Hunt for unusual RDP connections.
- Prevent users from executing any program or any of the 31 currently known Windows executable filetypes (e.g., .exe, .dll, .hta, .bat, .scr) from the \AppData\Local\Temp\ path of Office365, Microsoft Word, Excel, and Outlook. Alternatively, also inspect C: C:\Users\[current user]\AppData\Roaming\Microsoft as it’s another popular method that achieves the same results.
- Develop and implement a user security education program to assist with identifying threats like those in phishing emails.
- Implement an off-site backup solution and test it regularly.
Summary of indicators from OSINT and Arete investigations
Key phrases to decrypt and execute the ransomware
Note: ‘dubisteinmutterficker’ is a German profanity: You’re a motherf*****
Bitcoin [BTC] wallet addresses
URLs hosting Egregor
Egregor SHA256 hashes