
Egregor Ransomware

Posted: October 5, 2020

The Egregor Ransomware is a file-locking Trojan that attacks businesses' servers and blocks their data, while also leaking it to a publicly-viewable website. Beyond its exceptionally sophisticated obfuscation, this threat operates similarly to other Trojans of its class, and users can mitigate its attacks by the usual means (i.e., backups). Dedicated anti-malware solutions should remove the Egregor Ransomware, and standard security-hardening guidelines can limit the possibility of infection.

Practical Data Problems with Mystical Names

What appears to be a much-improved update of the Sekhmet Ransomware is joining the trend of data-plundering, with its attacks both collecting data and holding it for ransom. The Egregor Ransomware, whose name refers to an occult term for a collective energy, finds victims in nations as different as the United States, Japan and France. While its payload's financial motive is self-explanatory, its programmers also protect it with a fresh batch of anti-security and anti-analysis features.

Both the Egregor Ransomware's code and ransom note borrow much of their contents from the older Sekhmet Ransomware. Overall, the organization of its attacks shows many similarities to Trojan families like the AES-Matrix Ransomware. It encrypts the server's media files and holds them for ransom while delivering ransom notes to victims, redirecting them towards a 'live chat' service with the attackers. The ransom amount for unlocking the files isn't stated in the note and is probably negotiable, depending on the files' value.

The Egregor Ransomware also brings some more unique issues to the fore, including:

  • The Egregor Ransomware includes command-line options, and malware experts confirm that some involve manipulating Remote Desktop features or Mimikatz (a notorious, third-party credential collector).
  • Some versions of the Egregor Ransomware require specific startup parameters, without which the payload can't be decrypted and run, hindering analysis in a sandbox or by a researcher who lacks them.
  • The Egregor Ransomware also uses more standard means of code obfuscation and compression (packing) that make identifying its features, such as the file encryption attack, more difficult.

Although its distribution exploits aren't known to malware analysts, the Trojan is collecting victims on a global scale. Its targeting avoids home users in favor of inadequately-protected business entities that could, theoretically, pay the highest ransoms.

The Increasingly-Popular Vice of Leakiness in Trojan Campaigns

Sharing secrets with the public may be frowned upon generally, but it is increasingly part of file-locker Trojans' tactics for maximizing ransoms. The Egregor Ransomware, like the Ranzy Locker Ransomware, the AES-Matrix Ransomware, or the Mount Locker Ransomware, uses the threat of leaking the server's data to the public as part of its ransoming incentive. The Trojan's threat actors maintain a website on the Dark Web with reports concerning their victims. Additionally, they claim that they will contact mass media, where appropriate, to share any stolen information.

The exploits used for the Egregor Ransomware's campaigns aren't known, but malware researchers strongly suspect custom-crafted e-mail (spear-phishing) or brute-force attacks against weak passwords on remote-access services. Admins should keep software updated to remove any publicly-known vulnerabilities and check that RDP features are adequately secured. All employees should avoid enabling macros inside unusual documents, which strongly risks triggering a drive-by download or related exploit.
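The hardening points above (RDP exposure, weak-password brute forcing, Mimikatz-style credential theft, and stale patches) can be checked on a Windows host with a short read-only audit. The script below is an added example and is not code from the original article or from the threat actors; it assumes it runs as Administrator on the local host (Windows 10 / Server 2016 or later), and where a registry value is absent it treats the absence as the insecure default noted in the comments, which is an assumption you should confirm against your own group policy.

```powershell
# Added example (not from the original article): read-only audit of the
# hardening points the text raises. Run as Administrator on the host itself.
# Assumption: an absent registry value is reported as the insecure default
# given in each comment; confirm against your own policy.

function Get-RegValue {
    param([string]$Path, [string]$Name, $Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return $item.$Name
}

$findings = @()

# 1. Is RDP enabled? fDenyTSConnections=1 means Remote Desktop is off.
$rdpOff = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections' 1
if ($rdpOff -eq 0) {
    $findings += 'RDP is enabled; confirm TCP 3389 is not reachable from the Internet.'

    # 2. Network Level Authentication demands credentials before a session is
    #    created, which cuts off unauthenticated hammering of the logon screen.
    $nla = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' 'UserAuthentication' 0
    if ($nla -ne 1) { $findings += 'RDP: Network Level Authentication is not required (UserAuthentication != 1).' }

    # 3. SecurityLayer 2 = TLS only; lower values allow legacy RDP security.
    $layer = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' 'SecurityLayer' 0
    if ($layer -lt 2) { $findings += "RDP: SecurityLayer is $layer; set it to 2 (TLS)." }
}

# 4. Account lockout limits online password guessing. 'net accounts' prints
#    'Lockout threshold: Never' when no threshold is set.
$lockout = (net accounts) | Select-String 'Lockout threshold'
if ($lockout -match 'Never') { $findings += 'No account lockout threshold; brute-force attempts are unlimited.' }

# 5. Mimikatz mitigations: LSA protection (RunAsPPL) blocks ordinary handles to
#    lsass, and WDigest UseLogonCredential=1 keeps plaintext passwords in memory.
$ppl = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL' 0
if ($ppl -ne 1) { $findings += 'LSA protection (RunAsPPL) is off; lsass memory is readable by local admins.' }

$wdigest = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential' 0
if ($wdigest -eq 1) { $findings += 'WDigest UseLogonCredential=1; plaintext credentials are cached in lsass.' }

# 6. Patch staleness: flag hosts with no hotfix installed in the last 30 days.
$lastFix = Get-HotFix | Where-Object { $_.InstalledOn } |
           Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($lastFix -and $lastFix.InstalledOn -lt (Get-Date).AddDays(-30)) {
    $findings += "Last hotfix installed $($lastFix.InstalledOn.ToShortDateString()); updates may be stale."
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "[!] $_" } }
```

Each line the script prints maps to one of the infection vectors or post-compromise steps the text describes: an Internet-reachable RDP listener without NLA or lockout is what a password brute-force needs, and an unprotected lsass is what a Mimikatz-style credential collector needs once the attacker has a foothold. Fixing the flagged items does not replace backups, but it removes the cheapest paths a campaign of this kind relies on.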

Backups on other devices may not prevent the publishing of misappropriated data, but they can remove the risk of this Trojan blocking files permanently. Otherwise, removing the Egregor Ransomware through compatible security solutions ASAP is any user's best defense.

The Egregor Ransomware is a decided step up from the Sekhmet Ransomware, adding little-seen tricks of the trade that make its code all the more elusive. One thing about this new Trojan's business is sure: if it makes any money off of its attacks, there will be far more to come.
