Businesses worldwide are being impacted by Egregor malware. The first ransomware as a service form of malware doesn’t discriminate against any industry.
We often talk about how hackers tactics continually change and how bad actors don’t care how big your business is. What these threat actors care about is the information they can get their hands on, whether it’s used as a stepping stone toward a bigger goal or simply to sell on the dark web, information is their form of currency. In September, the FBI first noted a new ransomware called Egregor, which appears to be the first ransomware as a service form of malware.
Egregor, an occult term that signifies the collective energy or force of a group of individuals, has already been wreaking havoc on businesses worldwide. Barnes & Noble, Kmart, Ubisoft and Vancouver’s metro system Translink are all known victims. The variety of industries spanned here clearly indicates that the threat actors involved are not discriminating on where attacks take place. Not only that, but it is operating as a ransomware as a service model, per the FBI.
“Because of the large number of actors involved in deploying Egregor, the tactics, techniques and procedures (TTPs) used in its deployment can vary widely, creating significant challenges for defense and mitigation,” the FBI said.
They also noted the ways that Egregor infiltrates networks, including how it targets employee personal accounts, phishing emails with malicious attachments or exploits for RDP or VPNs. Once they have access, they can move laterally inside networks, meaning that if they get into an employee’s personal accounts and that account is accessed on a business network, then they can gain access to that network. Once on the business network, they are free to cause damage or lock systems to demand ransom.
The document released by the FBI gives a summary, describes what Egregor looks like to victims, mitigation procedures and reporting information. Besides its ransomware exploits, Egregor can also exfiltrate and encrypt files on the network, as well as leave a ransom note on locked machines to leave a set of instructions for the victim to follow. The instructions often include a way to communicate with the attacker(s) via an online chat. If the victim does not pay the ransom, the malware publishes the victim’s data to a public site. It has also been known for Egregor actors to use the print function on infiltrated machines to continuously print ransom notes.
The FBI, or any other law enforcement agency, will tell you not to pay the ransom. Report it and let the authorities help you because paying the ransom only makes the threat actors emboldened to keep doing what they are doing. However, we have discussed in the past how sometimes the best route for a business is to pay up and pray the actors behind the malware return stolen information and unlock victimized machines. For businesses, it’s a cost ratio. If it’s going to cost more to report the incident by contacting the FBI than it will to pay the ransom, the business decision tells you to pay the ransom. The threat actors behind Egregor malware know this and will take full advantage.
Regardless of whether your business pays a ransom or not, it is becoming increasingly clear that businesses need to change how they approach security. Not only in how InfoSec teams do their jobs and what budgets look like, not just in having business leaders listen to what security teams are saying and to take action now rather than later, but also in how training is approached. So much of ransomware is deployed via phishing schemes, well-designed socially-engineered phishing schemes. You must train your employees on what to look for, to not click links in emails, to not open attachments that aren’t an expected part of the business day.
Cybersecurity, information security, the security of every business worldwide is dependent on its employees knowing when to raise a flag. But employees cannot raise that flag if they don’t know they need to. Employees, specifically non-technical, customer-facing employees must go through cybersecurity awareness and training on a regular basis. And remember, if you aren’t sure where to start or what to teach or what any training should include, ask an expert! Not only can they be a resource to train your employees, but they can be that person who helps ensure your security is as tight as your internal team thinks it is.