A new Ransomware-as-a-Service (RaaS) named Egregor emerged in September 2020 and has already claimed high-profile victims. After encrypting and exfiltrating their target’s data, Egregor also threatens to publicly release the data unless a ransom is paid within three days. Researchers at Malwarebytes believe Egregor has benefited from the “press release” detailing the shutting down of the Maze ransomware infrastructure by its operators. It appears that many of the customers (aka “affiliates”) of the Maze RaaS offering have moved over to Egregor.

What Is It?
Like many current ransomware variants, Egregor uses the dual threat of naming and shaming victims and releasing stolen data to increase pressure on a victim to pay. Researchers at Appgate discovered the “Egregor News” dark web site, which contains a victim “hall of shame” and is also where victims’ stolen data would be leaked. The current victim count appears to be low. Named victims include logistics firm GEFCO and bookseller Barnes & Noble.

Egregor’s ransom note provides the three-day deadline to pay the ransom and states that failure to pay will result in the release of stolen data and publicity to ensure the victim’s “partners and clients” are made aware of the attack. The note also states that once the ransom is paid, the victim will get full decryption of their data, a complete listing of all files downloaded, confirmation the downloaded data has been deleted from Egregor’s servers, and most interestingly of all, offers recommendations for securing their network perimeter against further cyberattacks.

Egregor incorporates techniques that make sample analysis more difficult, such as obfuscated code blocks and custom-packed payloads. Execution requires a parameter to be passed to the malware to decrypt the Egregor payload; without the correct parameter, the payload is never decrypted. This feature thwarts both human-based malware analysis and automated solutions (such as sandboxes).

How Does It Propagate?
The malware does not contain the necessary code to self-propagate. Specifics relating to Egregor’s initial attack vectors aren’t currently known. However, the most common attack vector for most ransomware remains social engineering, either as malicious attachments or as downloads performed by malicious documents.

When/How Did BluVector Detect It?
Five publicly available samples of Egregor ransomware were tested and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown all samples would have been detected 57 months prior to their release.