Security Alerts Egregor Ransomware Samples Shared on Twitter

Thursday, Oct 22, 2020

Samples of Egregor Ransomware were shared on social media by security researchers yesterday. Egregor Ransomware is allegedly behind the attacks that targeted Crytek and Ubisoft. The threat actors behind the ransomware also run the extortion site Egregor News which is used to publish stolen information from infected systems who refuse to pay the ransom. The ransomware is spread as DLL files and when loaded will launch the command prompt and then Internet Explorer.

To prevent detection, the Egregor samples obfuscate malicious code by unpacking themselves into the memory to bypass detection from security tools. The Egregor payload can only be decrypted if the correct key is provided in the process’ command line, which means that the file cannot be analyzed, either manually or by using a sandbox. At the time of writing, it is unclear how much the ransomware operators are demanding to restore the victims’ files or what the overall impact of the event is.

Nuspire Recommends system administrators:
– Use multi-factor authentication on accounts
– Limit access rights using the principle of least privilege
– Patch systems and routers firmware
– Make regular backups to minimize the impact of ransomware attacks

Nuspire has used the following IOCs from the samples to threat hunt against all managed endpoints:

16a9c2917577e732cd6630b08e248443
4c36c3533a283e1aa199f80e20d264b9

You may unsubscribe by adjusting your profile settings within Trax.