Security News > 2021 > January > FBI Warns of Egregor Attacks on Businesses Worldwide

The FBI has alerted companies in the private sector to a spate of attacks using the Egregor ransomware.

Egregor - the name of which refers to an occult term meant to signify the collective energy or force of a group of individuals-is indeed the work of a "Large number of actors" and is operating as a ransomware-as-a-service model, according to the FBI. "Because of the large number of actors involved in deploying Egregor, the tactics, techniques and procedures used in its deployment can vary widely, creating significant challenges for defense and mitigation," the FBI said.

Egregor ransomware affiliates have been observed using common pen-testing and exploit tools like Cobalt Strike, Qakbot/Qbot, Advanced IP Scanner and AdFind to escalate privileges and make lateral moves across a network, as well as tools like Rclone - sometimes renamed or hidden as "Svchost" - and 7zip to exfiltrate data, according to the FBI. Corroborating what security researchers already have observed, the FBI said it first identified Egregor in September and said that since then, the threat actors behind the malware have worked quickly.

In addition to engaging in typical ransomware behaviors, such as exfiltrating and encrypting files on the network as well as leaving a ransom note on machines to instruct victims how to communicate with threat actors via an online chat, Egregor also has a unique feature, the FBI noted.

If victims refuse to pay, Egregor publishes victim data to a "Public site," the FBI noted.

"However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees and customers," the agency said, encouraging organizations to report ransomware incidents to their local FBI field offices whether they decide to pay the ransom or not.

News URL

https://threatpost.com/fbi-egregor-attacks-businesses-worldwide/162885/