SonicWall Warns of Egregor Ransomware Attacks

SonicWall Capture Labs Threat Research team warns that Egregor Ransomware attacks will intensify. This ransomware steals system information, banking, online account credentials, deploys keyloggers, and remote backdoors on Windows client and server software.

The library (Dll) is highly obfuscated and encrypted using Salsa20, ChaCha, and Rabbit stream ciphers along with RSA public-key cryptography. Egregor releases stolen data on the Egregor News website to increase pressure on the victims to pay the ransom.

Egregor News is both used publicly and on the Dark Web aka the Darknet. Egregor News is used to post the names and domains, along with data sets of the Egregor victims. The financial and tech sectors are at the top of the target list because they are the most profitable this year and will be well into the future.

Egregor targets systems within the Five-Eyes: Australia, Canada, New Zealand, United Kingdom, and the USA (North America). Other related targets are in South America, South Africa. Mostly countries and territories of the United States and their partners.

If we were to count the potential Infections, we would have to take the countries populations into account. Australia 24.99 Million, Canada 37.59 Million, New Zealand 4.886 Million, The United Kingdom 66.65 Million and The United States 328.2 Million. Total population among the Five-Eye countries: 462.3 Million not counting South America and Africa. Data suggests that only about 50% of the population is connected and online. So potentially Egregor could infect up to 230 million Windows clients and/or servers.

Kmart and Vancouver Metro were recently attacked and this type of ransomware is expected in the future. Egregor Ransomware is uniquely assembled. Employing obfuscation and anti-analysis techniques. In order to fully decrypt and deploy the payload, the password associated with the sample must be provided at runtime.

Egregor interlinks stream ciphers-(symmetric-key algorithms): ChaCha-(2008), Salsa20-(2005), and Rabbit-(2003) in such a way combined with RSA-(Rivest-Shamir-Adleman) public-key cryptography that if you don’t have the password to the libraries (.dll, aka payloads) a Reverse Engineer, Security Analyst, Security Researcher will never be able to reverse engineer the payload. The community is linking Egregor with Maze Ransomware, where Egregor’s base source code derives from.

Debasish Mukherjee, VP, Regional Sales – APAC at SonicWall, says, “Ransomware is one of the most prolific criminal business models in existence today, mostly thanks to the multimillion-dollar ransom criminals demand from individuals and corporations. Egregor is a RaaS (Ransomware as a Service) that’s why they have a news website on the public facing web and on the dark web. The financial and tech sectors will always be at the top of the target list because they are the most profitable. SonicWall Gateway Anti-Virus (GAV) provides protection against this threat.”

Attackers have to create a chain of events in order to leverage a library (Dll). This chain of events is called the infection chain. Egregor, will spread through the following chain:

Stage 1: Phishing campaigns; emails often include an attachment or implant (executable file). Although it can be difficult to identify suspicious files at the first glance—as they are commonly hidden within clandestine tricks only known to hackers and malware authors.

Stage 2: The malware documents, attachments or implants from above carry nasty virii. Some of which are Qbot, Ursnif, and icedID. All three are trojans designed to steal data and they also spread other payloads; in the case of the Egregor campaign it spreads CobaltStrike. CobaltStrike is penetration software and one of the most powerful network attack kits available.

Stage 3: Command and Control Servers – attackers will send commands to systems compromised by malware and receive stolen data from a targeted system.

Stage 4: Cyber attackers will finally reach the library stage or other payloads. Usually in the form of .bat, .zip, .dll, .cfg, .obj, .bin, .exe. Most of this stage deals with injection into a piece of running software on the server or client.

All of the files will be encrypted but this really depends on the parameters used during installation. Egregor’s payload can accept several command line arguments, including:

-fast: Is used to limit file size for encryption.
-full: performs encryption of the full victim system (including local and network drives).
-multiproc: multi-process support.
-nomimikatz: Mimikatz is an open-source toolkit.
-nonet: does not encrypt network drives.
-path: specific folder to encrypt.
-target: target extension for encryption.
-append: file extension to append to encrypted files.
-norename: does not rename the files it encrypts.
-greetings: prepends the name to the ransom note.
-samba: provide shared access to files, printers, and serial ports between nodes.
-killrdp: remote desktop protocol

Further Debasish mentioned that, “Organizations with traditional cybersecurity solutions have realized that shifting to a Boundless Cybersecurity model is the future of securing businesses from vulnerability. Cyber-attacks are constantly evolving and require much more sophisticated capability like use of deep tech such as AI and ML to recognize attacks rather than defending a known vector.”

ChannelDrive Bureau
ChannelDrive Bureau covers the latest developments in the space of ICT, technology, solutions and implementations and delivers content focused around solution providers, system integrators, distributors and technology partner community in India. ChannelDrive Bureau is headed by Zia Askari. He can be reached at

Recent Articles

Automation Anywhere Unveils Gen AI-Powered Automation Platform

Automation Anywhere, the enabler in intelligent automation, has announced a historic expansion of its Automation Success Platform, enabling enterprises to accelerate their transformation journeys...

Red Hat and Oracle Expand Collaboration

Red Hat, Inc., the world’s leading provider of open source solutions, and Oracle have announced the expansion of their alliance to offer customers a...

HCLTech Unveils Shared DCaaS Offering

HCLTech, a global technology company, has launched its Shared Data Center as a Service (Shared DCaaS), an advanced service offering, which aims to help...

Pure Storage Names Nathan Hall as Vice President of APJ

Pure Storage, the IT pioneer that delivers the world's most advanced data storage technology and services, has appointed Nathan Hall as Vice President of...

Oracle, Uber Announce Collect and Receive Offering

Oracle and Uber has announced Collect and Receive, a new offering on the Oracle Retail platform connecting retailers and consumers to enhance and enrich...

Related Stories

Stay on op - Get the daily news in your inbox