skip to Main Content

Cybercrime, FBI warns companies on Egregor double extortion attacks

The FBI released a Private Industry Notification (PIN) to warn the companies about Egregor ransomware attacks

The FBI released a Private Industry Notification (PIN) to warn the companies about Egregor ransomware attacks. According the cybersecurity experts, “Egregor ransomware is operating as a Ransomware-as-a-Service Model. In this model, multiple different individuals play a part in conducting a single intrusion and ransomware event. Because of the large number of actors involved in deploying Egregor, the tactics, techniques, and procedures (TTPs) used in its deployment can vary widely, creating significant challenges for defense and mitigation.”

The cybercrime TTPs to compromise the targets with the malware

The malware “utilizes multiple mechanisms to compromise business networks, including targeting business network and employee personal accounts that share access with business networks or devices.” This could be “phishing emails with malicious attachments to gain access to network accounts” or “Remote Desktop Protocol (RDP) or Virtual Private Networks”. Cybercrime actors “may also leverage Egregor’s RDP exploitation capability to laterally move inside networks.” According the FBI cybersecurity experts, “once Egregor gains access to the network, ransomware affiliates use common pen testing and exploit tools like Cobalt Strike, Qakbot/Qbot, Advanced IP Scanner, and AdFind to escalate privileges and move laterally across a network, and tools like Rclone (sometimes renamed or hidden as svchost) and 7zip to exfiltrate data.”

The threat actors exploit the double extortion scheme to increase pressing on the victims. However, their data leak site at the moment is unreachable

The cybercrime actors behind Egregor started their operations in September 2020 and compromised over 150 targets worldwide. They exploit also the double extortion strategy to increase pressure on the victims, threatening to release the stolen information with the ransomware attack on their data leak website if the target doesn’t pay. The website, however, since some days is unreachable (504 Gateway Time-Out).

Back To Top