SonicWall Warns of Egregor Ransomware Attacks

SonicWall Logo

SonicWall Capture Labs Threat Research team warns that Egregor Ransomware attacks will intensify. This ransomware steals system information, banking, online account credentials, deploys keyloggers, and remote backdoors on Windows client and server software.

The library (Dll) is highly obfuscated and encrypted using Salsa20, ChaCha, and Rabbit stream ciphers along with RSA public-key cryptography. Egregor releases stolen data on the Egregor News website to increase pressure on the victims to pay the ransom.

Egregor News is both used publicly and on the Dark Web aka the Darknet. Egregor News is used to post the names and domains, along with data sets of the Egregor victims. The financial and tech sectors are at the top of the target list because they are the most profitable this year and will be well into the future.

Egregor targets systems within the Five-Eyes: Australia, Canada, New Zealand, United Kingdom, and the USA (North America). Other related targets are in South America, South Africa. Mostly countries and territories of the United States and their partners.

If we were to count the potential Infections, we would have to take the countries populations into account. Australia 24.99 Million, Canada 37.59 Million, New Zealand 4.886 Million, The United Kingdom 66.65 Million and The United States 328.2 Million. Total population among the Five-Eye countries: 462.3 Million not counting South America and Africa. Data suggests that only about 50% of the population is connected and online. So potentially Egregor could infect up to 230 million Windows clients and/or servers.

Kmart and Vancouver Metro were recently attacked and this type of ransomware is expected in the future. Egregor Ransomware is uniquely assembled. Employing obfuscation and anti-analysis techniques. In order to fully decrypt and deploy the payload, the password associated with the sample must be provided at runtime.

Egregor interlinks stream ciphers-(symmetric-key algorithms): ChaCha-(2008), Salsa20-(2005), and Rabbit-(2003) in such a way combined with RSA-(Rivest-Shamir-Adleman) public-key cryptography that if you don’t have the password to the libraries (.dll, aka payloads) a Reverse Engineer, Security Analyst, Security Researcher will never be able to reverse engineer the payload. The community is linking Egregor with Maze Ransomware, where Egregor’s base source code derives from.

Debasish Mukherjee, VP, Regional Sales – APAC at SonicWall, says, “Ransomware is one of the most prolific criminal business models in existence today, mostly thanks to the multimillion-dollar ransom criminals demand from individuals and corporations. Egregor is a RaaS (Ransomware as a Service) that’s why they have a news website on the public facing web and on the dark web. The financial and tech sectors will always be at the top of the target list because they are the most profitable. SonicWall Gateway Anti-Virus (GAV) provides protection against this threat.”

Attackers have to create a chain of events in order to leverage a library (Dll). This chain of events is called the infection chain. Egregor, will spread through the following chain:

Stage 1: Phishing campaigns; emails often include an attachment or implant (executable file). Although it can be difficult to identify suspicious files at the first glance—as they are commonly hidden within clandestine tricks only known to hackers and malware authors.

Stage 2: The malware documents, attachments or implants from above carry nasty virii. Some of which are Qbot, Ursnif, and icedID. All three are trojans designed to steal data and they also spread other payloads; in the case of the Egregor campaign it spreads CobaltStrike. CobaltStrike is penetration software and one of the most powerful network attack kits available.

Stage 3: Command and Control Servers – attackers will send commands to systems compromised by malware and receive stolen data from a targeted system.

Stage 4: Cyber attackers will finally reach the library stage or other payloads. Usually in the form of .bat, .zip, .dll, .cfg, .obj, .bin, .exe. Most of this stage deals with injection into a piece of running software on the server or client.

All of the files will be encrypted but this really depends on the parameters used during installation. Egregor’s payload can accept several command line arguments, including:

-fast: Is used to limit file size for encryption.
-full: performs encryption of the full victim system (including local and network drives).
-multiproc: multi-process support.
-nomimikatz: Mimikatz is an open-source toolkit.
-nonet: does not encrypt network drives.
-path: specific folder to encrypt.
-target: target extension for encryption.
-append: file extension to append to encrypted files.
-norename: does not rename the files it encrypts.
-greetings: prepends the name to the ransom note.
-samba: provide shared access to files, printers, and serial ports between nodes.
-killrdp: remote desktop protocol

Further Debasish mentioned that, “Organizations with traditional cybersecurity solutions have realized that shifting to a Boundless Cybersecurity model is the future of securing businesses from vulnerability. Cyber-attacks are constantly evolving and require much more sophisticated capability like use of deep tech such as AI and ML to recognize attacks rather than defending a known vector.”