by Bhabesh Raj Rai, Associate Security Analytics Engineer
Egregor, a variant of the Sekhmet ransomware family, remains one of the most active and aggressive ransomware strains in the past year and widely believed to be the successor of the Maze ransomware. Group-IB, Insikt and Palo Alto Networks have independently reached the conclusion that Egregor is associated with commodity malware such as Qakbot, IcedID and Ursnif to gain initial access to victims’ systems.
Egregor made its debut in mid-September 2020, at the same time Maze ransomware publicly announced its retirement. During this short time, Egregor has managed to compromise a large number of victims across the globe. Victims include high-profile companies like Kmart, Ubisoft, Crytek and Randstad. The spike in Egregor’s activity signals that Maze affiliates quickly switched to Egregor without any hitch.
Egregor attacks characterized by effective double-extortion methods
Egregor follows the same ransomware-as-a-service (RaaS) model as other popular ransomware strains, including Ryuk and Maze. With RaaS, cybercriminals subscribe to use Egregor, which enables even novice hackers to launch complex ransomware attacks. Another reason Egregor is spreading rapidly is due to the highly effective double extortion tactic, where the cybercriminals breach sensitive data, encrypt it to prevent access by the victims and then publish a portion of the compromised data as proof of the exfiltration. Double extortion applies maximum pressure on the victims to pay the ransom and it works. Arete IR notes that Egregor’s average ransom demand is $3,407,119, with an average business downtime of 12 days.
Egregor affiliates are well-known for their negotiation style. The malicious actors give their victims an ultimatum: they will leak the data within 72 hours if they do not receive a response following the encryption of the victims’ systems. Like Maze and Ryuk, Egregor takes part in big-game hunting and targets large companies because of their ability to pay a high ransom, which results in substantial profits.
A typical Egregor attack involves a malicious macro-laced Microsoft Office document attached in a phishing email as the initial infection vector. Upon opening the document, the malicious macro may download commodity malware such as Qakbot or IcedID. The downloaded malware will then begin reconnaissance of the host and network and collect credentials to use for lateral movement. The malware may use either PsExec or WMI for lateral movement. In some select cases, Egregor actors have also deployed cobalt strike. Near the end of the infection cycle, the malware will usually download a batch and a zip file. The zip file contains the RClone tool with its configuration files for exfiltrating data to cloud file-hosting sites such as DropBox or OneDrive. The batch contains a command to download and execute the Egregor DLL via rundll32.
In February 2021, a joint investigation between the French and Ukrainian police led to the arrest of some of the Egregor RaaS clients. However, authorities believed that none of those arrested criminals belong to the Egregor operations team. W can assume that the arrest does not mean a permanent shutdown of the Egregor ransomware family.
Egregor fast facts
• Active since mid-September 2020
• Relies on RaaS model to spread rapidly
• Aggressive double-extortion tactic results in huge profits
• Relies on phishing for initial infection
• Average ransom is more than $3 million with business downtime of 12 days
Detecting Egregor ransomware using LogPoint
Using the MITRE ATT&CK framework and LogPoint, blue teams can detect Egregor throughout the stages of an attack. Threat hunters can use the queries below to hunt Egregor’s different tactics, techniques and procedures (TTPs).
We can look for the initial access vector by looking at the spawning of command prompt (T1059.003) or PowerShell (T1059.001) from Microsoft Office products.
norm_id=WinServer label="Process" label=Create
parent_process IN ["*\winword.exe", "*\excel.exe", "*\powerpnt.exe"]"process" IN ["*\cmd.exe", "*\powershell.exe"]
Egregor actors drop batch files usually in the temp directory. We advise system administrators to filter out any false positives before running an enterprise-wide search
norm_id=WindowsSysmon label=File label=Create
file="*.bat"
path IN ["*\Desktop\*", "C:\Users\Public*", "*\AppData\Local\Temp*", "C:\ProgramData*", "C:\PerfLogs*"]
Egregor uses Bitsadmin (T1197) to download the payload, which is trivial to detect.
norm_id=WinServer label="Process" label=Create
"process"="*\bitsadmin.exe" command="* /transfer */download *.dll*"
Usually, Egregor actors name their payload with a single-digit name such as q.dll or b.dll. We can exploit this behavior to search for any dropping of DLLs that have a single character filename via Sysmon’s file creation events.
norm_id=WindowsSysmon label=File label=Create
file="*.dll"
| process count_char(file) as filename_length
| search filename_length = 5
Like other ransomware operators, Egregor operators also use ADFind to collect Active Directory information.
norm_id=WinServer label="Process" label=Create
"process"="*.exe" command IN ['* -f *objectcategory=*', '* -sc trustdmp*']
Egregor actors have been found to use the popular open-source LaZagne tool to dump credentials (T1003.001) for facilitating lateral movement, which we can detect via Sysmon’s Process Access event logs.
norm_id=WindowsSysmon label=Process label=Access
call_trace="*C:\Windows\SYSTEM32\ntdll.dll+*|C:\Windows\System32\KERNELBASE.dll+*_ctypes.pyd+*python27.dll+*"
Egregor actors execute the main payload via rundll32 (T1218.011) with common arguments being passegregor and multiproc.
norm_id=WinServer label="Process" label=Create
"process"="*\rundll32.exe"
command IN ["*DllRegisterServer* --passegregor*", "*DllRegisterServer* -multiproc*"]
Sometimes, Egregor actors use passwords like pclassified13 to decrypt the ransomware payload, which we can look out for in process-creation logs.
norm_id=WinServer label="Process" label=Create
command IN ["* -pclassified13 *", "* -passegr*", "* -pbiden*", "* -pass2police*", "* -peguard6*"]
Sometimes, the actors also use PsExec (T1570) to laterally move across the network, which can be detected via Windows event logs.
norm_id=WinServer event_id=4697 service=PSEXESVC
| chart count() by host, user, service, file
If the actors have changed the default service name created by PsExec for stealth, then we can use pipe events of Sysmon instead.
norm_id=WindowsSysmon event_id IN [17, 18]pipe IN ["*-stdin", "*-stderr", "*-stdout"]| norm on pipe --<:word>-<:'stdin|stdout|stderr'>
| chart count() by source_host
Check out our blog for more information on hunting PsExec artifacts in your environment. Actors have also used WMI (T1047) to remotely execute the DLL payload, which is trivial to detect.
norm_id=WinServer label="Process" label=Create
"process"="*\wmic.exe" command="*/node*process call create*"
Since Egregor actors may also use RDP (T1021.001) for lateral movement, we need to monitor for internal RDP connections.
norm_id=WinServer event_source="Microsoft-Windows-TerminalServices-LocalSessionManager"
event_id=21 source_address IN HOMENET
| chart count() by host, user, source_address
Finally, we can look out for any RDP connections to critical hosts like DC or file servers, which the attackers typically do during their attack lifecycle.
norm_id=WinServer event_source="Microsoft-Windows-TerminalServices-LocalSessionManager"
event_id=21 host IN CRITICAL_HOSTS
| chart count() by host, user, source_address
Egregor actors have also disguised the RClone utility as the legitimate svchost process (T1036.005).
norm_id=WinServer label="Process" label=Create
"process"="*\svchost.exe"
(-parent_image="*\services.exe" -command="* -k *") -parent_image="*\MsMpEng.exe"
We can detect the execution of renamed Rclone binary via Sysmon’s process creation events.
norm_id=WindowsSysmon label="Process" label=Create
description="Rsync for cloud storage"
Egregor actors have also been found to use the popular Advanced Port Scanner tool for port scanning (T1046) remote hosts in the subnet.
norm_id=WinServer label="Process" label=Create
("process"="*\AppData\Local\Temp\*\advanced_ip_scanner.exe" OR description="Advanced IP Scanner")
In a few cases, attackers have deployed cobalt strike to help perform tactics including reconnaissance and credential dumping. One easy way to detect cobalt strike is by hunting for its default pipe names, which are difficult to change so most attackers do not even make an effort to change it.
norm_id=WindowsSysmon event_id IN [17, 18]pipe IN ["\msagent_*", "\MSSE-*-server", "\postex_*"]
Decrease your chances of compromise with phishing awareness training
It is still unknown how much the recent arrests related to Egregor have hampered the overall activity of the ransomware. Nevertheless, enterprise defenders should always be ready to detect and deter any future compromise. As phishing remains the favorite infection vector for ransomware, we advise companies to have a comprehensive phishing awareness training program for their employees in place.
Additionally, it’s common for ransomware groups to strike a partnership with other cybercriminal groups, commonly called “initial access brokers.” These Initial access broker groups provide the ransomware operators with direct access to a range of compromised systems. Direct access enables ransomware groups to easily gain access to an organization’s internal networks, from where they start to escalate privileges, move laterally and finally deploy the ransomware.
We advise blue teams to regularly test and tune their detections for different ransomware families. Since Egregor’s TTPs overlap with those of other ransomware families, it will help system administrators to tune and test those detections in their arsenal.
