SonicWall Warns of Egregor Ransomware Attacks

Egregor releases stolen data on the Egregor News website for Ransom. Cyber attackers are likely to be based in Asia.

The SonicWall Capture Labs Threat Research team warns that Egregor Ransomware attacks will intensify. This ransomware steals system information, banking and online account credentials, deploys keyloggers and remote backdoors, and targets Windows client and server software.

The library (DLL) is heavily obfuscated and encrypted with the Salsa20, ChaCha and Rabbit stream ciphers together with RSA public-key cryptography. Egregor publishes stolen data on the Egregor News website to increase the pressure on victims to pay the ransom. Egregor News is hosted both on the public web and on the dark web (the Darknet), and it lists the names and domains of Egregor victims along with data sets taken from them. The financial and tech sectors are at the top of the target list because they are the most profitable this year and will remain so well into the future.

Egregor targets systems within the Five Eyes countries: Australia, Canada, New Zealand, the United Kingdom and the USA (North America). Other related targets are in South America and South Africa; these are mostly countries and territories of the United States and its partners.

To estimate the number of potential infections, we have to take the countries' populations into account: Australia 24.99 million, Canada 37.59 million, New Zealand 4.886 million, the United Kingdom 66.65 million and the United States 328.2 million. The total population of the Five Eyes countries is 462.3 million, not counting South America and Africa. Data suggests that only about 50% of the population is connected and online, so Egregor could potentially infect up to 230 million Windows clients and/or servers.

Kmart and Vancouver Metro were recently attacked, and more of this type of ransomware is expected in the future. Egregor Ransomware is uniquely assembled, employing obfuscation and anti-analysis techniques. To fully decrypt and deploy the payload, the password associated with the sample must be provided at runtime.

Egregor interlinks the stream ciphers (symmetric-key algorithms) ChaCha (2008), Salsa20 (2005) and Rabbit (2003) with RSA (Rivest-Shamir-Adleman) public-key cryptography in such a way that, without the password to the libraries (the .dll payloads), a reverse engineer, security analyst or security researcher will never be able to reverse engineer the payload. The community links Egregor with Maze Ransomware, from which Egregor's base source code derives.

Debasish Mukherjee, VP, Regional Sales – APAC at SonicWall, says, “Ransomware is one of the most prolific criminal business models in existence today, mostly thanks to the multimillion-dollar ransom criminals demand from individuals and corporations. Egregor is a RaaS (Ransomware as a Service); that’s why they have a news website on the public-facing web and on the dark web. The financial and tech sectors will always be at the top of the target list because they are the most profitable. SonicWall Gateway Anti-Virus (GAV) provides protection against this threat.”

Attackers have to create a chain of events in order to leverage a library (DLL). This chain of events is called the infection chain. Egregor spreads through the following chain:

Stage 1: Phishing campaigns; emails often include an attachment or implant (executable file). Suspicious files can be difficult to identify at first glance, as they are commonly hidden using clandestine tricks known only to hackers and malware authors.

Stage 2: The malicious documents, attachments or implants from the previous stage carry viruses, among them Qbot, Ursnif and IcedID. All three are trojans designed to steal data, and they also spread other payloads; in the Egregor campaign they deliver Cobalt Strike. Cobalt Strike is penetration-testing software and one of the most powerful network attack kits available.

Stage 3: Command and control servers – attackers send commands to systems compromised by the malware and receive stolen data from the targeted system.

Stage 4: The attackers finally reach the library stage or other payloads, usually in the form of .bat, .zip, .dll, .cfg, .obj, .bin or .exe files. Most of this stage deals with injection into a piece of software running on the server or client.

All of the files will be encrypted, but this really depends on the parameters used during installation. Egregor’s payload can accept several command line arguments, including:

-fast: limits the file size that will be encrypted.
-full: encrypts the full victim system (including local and network drives).
-multiproc: enables multi-process support.
-nomimikatz: does not run Mimikatz, an open-source credential toolkit.
-nonet: does not encrypt network drives.
-path: specific folder to encrypt.
-target: target extension for encryption.
-append: file extension to append to encrypted files.
-norename: does not rename the files it encrypts.
-greetings: prepends the given name to the ransom note.
-samba: relates to Samba, which provides shared access to files, printers and serial ports between nodes.
-killrdp: kills Remote Desktop Protocol (RDP) connections.
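As an added example (not SonicWall's code or anything from the article), the following Python scans process-creation log lines for the switch set listed above, weighting distinctive switches such as -nomimikatz and -killrdp more than generic ones such as -full or -path so that ordinary tooling does not trigger a hit. The log format, rundll32.exe as the loader, the sample lines and the weighting are all assumptions.

```python
import re
from dataclasses import dataclass

# Command-line switches the article attributes to Egregor's payload.
EGREGOR_SWITCHES = {
    "-fast", "-full", "-multiproc", "-nomimikatz", "-nonet", "-path",
    "-target", "-append", "-norename", "-greetings", "-samba", "-killrdp",
}
# Switches that also appear in ordinary tooling; they only add weight
# once a more distinctive Egregor switch is present on the same line.
WEAK_SWITCHES = {"-fast", "-full", "-path", "-target", "-append"}

@dataclass
class Hit:
    line: str
    switches: list
    score: int

def scan_command_line(cmdline: str) -> list:
    """Return the Egregor-style switches found in one command line, sorted."""
    # A switch is '-' plus letters, preceded by start-of-line or whitespace,
    # so '--full-history' and '/MIR' style options are not picked up.
    tokens = re.findall(r"(?<!\S)-[a-z]+(?![\w-])", cmdline.lower())
    return sorted(t for t in set(tokens) if t in EGREGOR_SWITCHES)

def score(switches: list) -> int:
    """Weight distinctive switches 2, weak ones 1; weak-only lines score 0."""
    strong = [s for s in switches if s not in WEAK_SWITCHES]
    if not strong:
        return 0
    return 2 * len(strong) + (len(switches) - len(strong))

def find_hits(log_lines, threshold: int = 2) -> list:
    """Return Hit records for log lines whose score reaches the threshold."""
    hits = []
    for line in log_lines:
        found = scan_command_line(line)
        s = score(found)
        if s >= threshold:
            hits.append(Hit(line, found, s))
    return hits

# Constructed sample process-creation lines (not real telemetry).
SAMPLE_LOGS = [
    "4688 NewProcess: rundll32.exe C:\\Users\\Public\\p.dll,Run -full -nomimikatz -killrdp -greetings ACME",
    "4688 NewProcess: backup.exe -full -path D:\\data",
    "4688 NewProcess: git.exe log -p --full-history",
    "4688 NewProcess: svchost.exe -k netsvcs -p",
]
```

Only the first sample line is reported; the backup line carries two of the listed switches but no distinctive one and scores 0.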
