SonicWall Capture Labs Threat Research team warns that Egregor ransomware attacks will intensify. This ransomware steals system information and banking and online-account credentials, and deploys keyloggers and remote backdoors on Windows client and server software.
The library (DLL) is highly obfuscated and encrypted using the Salsa20, ChaCha, and Rabbit stream ciphers along with RSA public-key cryptography. Egregor releases stolen data on the Egregor News website to increase pressure on victims to pay the ransom. Egregor News is hosted both on the public web and on the Dark Web (the Darknet), and is used to post the names and domains of Egregor victims along with data sets taken from them. The financial and tech sectors are at the top of the target list because they are the most profitable this year and will be well into the future.
Egregor targets systems within the Five Eyes: Australia, Canada, New Zealand, the United Kingdom, and the USA (North America). Other related targets are in South America and South Africa, mostly countries and territories of the United States and its partners.
If we were to count the potential infections, we would have to take the countries' populations into account: Australia 24.99 million, Canada 37.59 million, New Zealand 4.886 million, the United Kingdom 66.65 million and the United States 328.2 million. Total population among the Five Eyes countries: 462.3 million, not counting South America and Africa. Data suggests that only about 50% of the population is connected and online, so Egregor could potentially infect up to 230 million Windows clients and/or servers.
Kmart and Vancouver Metro were recently attacked, and more of this type of ransomware is expected in the future. Egregor ransomware is uniquely assembled, employing obfuscation and anti-analysis techniques. In order to fully decrypt and deploy the payload, the password associated with the sample must be provided at runtime.
Egregor chains the stream ciphers (symmetric-key algorithms) ChaCha (2008), Salsa20 (2005), and Rabbit (2003) with RSA (Rivest-Shamir-Adleman) public-key cryptography in such a way that, without the password to the libraries (the .dll payloads), a reverse engineer, security analyst, or security researcher will never be able to reverse engineer the payload. The community is linking Egregor with Maze ransomware, from which Egregor's base source code derives.
Debasish Mukherjee, VP, Regional Sales – APAC at SonicWall, says, “Ransomware is one of the most prolific criminal business models in existence today, mostly thanks to the multimillion-dollar ransom criminals demand from individuals and corporations. Egregor is a RaaS (Ransomware as a Service); that’s why they have a news website on the public-facing web and on the dark web. The financial and tech sectors will always be at the top of the target list because they are the most profitable. SonicWall Gateway Anti-Virus (GAV) provides protection against this threat.”