FBI Warns of Egregor Attacks on Businesses Worldwide

The Federal Bureau of Investigation (FBI) has issued a Private Industry Alert warning of the growing threat posed by Egregor ransomware. The group has claimed roughly 150 victims worldwide since it emerged in September 2020.

Egregor operates under a ransomware-as-a-service (RaaS) model and was first identified in September 2020. Because multiple affiliates can take part in a single intrusion and ransomware event, the operation lets several threat actors collaborate on one victim. Several security researchers have suggested that the threat actor behind Maze ransomware is running the Egregor operation, pointing to the fact that Egregor appeared just as the Maze operation shut down and that the two share a very similar modus operandi.

The operators recruit affiliates to distribute the ransomware and give them a cut of each ransom payment. These affiliates have been highly active over the past three months, attacking large enterprises including Barnes & Noble, Ubisoft, Kmart, Crytek, and the Canadian transportation agency TransLink.

Initial access is gained through phishing emails sent to corporate accounts, carrying attachments with malicious code that downloads the ransomware payload. Once the network is compromised, Egregor exfiltrates data before encrypting files, so that victims face both data loss and the threat of publication. Finally, the ransomware drops a note with instructions for paying the ransom and communicating with the threat actors.

The FBI reminds organizations that paying the ransom is neither ideal nor recommended: payment funds future operations and encourages the threat actors to continue. Victims should instead report the incident to the FBI, which can assist in preventing further attacks.

The following are recommendations to prevent and mitigate these attacks:

  • Back-up critical data offline.
  • Ensure copies of critical data are in the cloud or on an external hard drive or storage device.
  • Install and regularly update anti-virus or anti-malware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks.
  • Use two-factor authentication and strong passwords.
  • Do not click on unsolicited attachments or links in emails.
  • Prioritize patching of public-facing remote access products and applications.
  • Review suspicious .bat and .dll files, files containing reconnaissance data (such as .log files), and exfiltration tools.