Newly emerged Egregor group employs "double ransom" techniques to threaten reputational damage and increase pressure to pay.

What is Egregor?

Egregor is one of the most rapidly growing ransomware families. Its name comes from the occult world and is defined as “the collective energy of a group of people, especially when aligned with a common goal,” according to Recorded Future’s Insikt Group. Although descriptions of the malware vary from security firm to security firm, the consensus is that Egregor is a variant of the Sekhmet ransomware family.

It arose in September 2020, at the same time the Maze ransomware gang announced its intention to shut down operations. Affiliates who were part of the Maze group appear, however, to have moved on to Egregor without skipping a beat.

Insikt and Palo Alto Networks’ Unit 42 believe Egregor is associated with commodity malware such as Qakbot, a banking trojan active since 2007 that steals financial credentials and spreads with evasive, worm-like capabilities, as well as other off-the-shelf malware such as IcedID and Ursnif. These pieces of malware give the attackers their initial access to victims’ systems.

All security researchers seem to agree with Cybereason’s Nocturnus Team that Egregor is a rapidly emerging, high-severity threat. According to security firm Digital Shadows, Egregor has claimed at least 71 victims across 19 different industries worldwide.

Update: On February 9, 2021, a joint operation by US, Ukrainian, and French authorities resulted in the arrest of gang members behind Egregor as well as associates who were part of their affiliate program. The leader of the Egregor group was reportedly among those arrested. The group’s website was also taken offline.
It is too early to know whether this action has taken Egregor down permanently.

Egregor’s double extortion undercuts traditional defenses

Like most current ransomware variants used in the wild, Egregor uses “double extortion,” relying on a “Hall of Shame” leak page where stolen data is made publicly accessible to pressure victims into paying the ransom. Among the high-profile Egregor victims are Kmart, the Vancouver metro system, Barnes & Noble, video game developers Ubisoft and Crytek, and the Dutch human resources firm Randstad, from which the attackers stole data, a portion of which they published to the web.

Like many internet criminals, Egregor attackers have considered healthcare facilities and hospitals to be fair game during the coronavirus crisis. One healthcare provider that had to reduce some functions due to an Egregor ransomware attack is GBMC Healthcare in Maryland, which was hit in early December 2020. The company said it had robust protections in place but nonetheless was forced to postpone some elective procedures.

Double extortion, or double ransom, characterizes this new breed of ransomware. It undercuts the defense most companies previously relied on against encrypted files: keeping robust backups. Egregor “just emerged really a couple of months ago and especially in September where it really started hitting all over the world, basically around the same time just when Maze ransomware operators” supposedly shut down, Jen Miller-Osborn, deputy director of threat intelligence for Unit 42 at Palo Alto Networks, tells CSO.

“If you have good offline backups and you know they work, if you’re hit by ransomware, it’s not that big of an issue,” she says. “You take a hit for business purposes and downtime potentially, but if you have good backups, you’ve already kind of built that into your recovery plan.”

Now groups like Egregor have “gotten wise to that idea. So, they’re saying, ‘Well, we’ve already stolen your data, so you have to pay us for that. Or we’re just going to release it publicly and potentially ruin your business, or at least damage your business’s reputation.’ That takes away the good backup story that has worked for so long,” Miller-Osborn says. “We saw that with Maze, and we’re continuing to see that with Egregor.”

As was true with Maze, Egregor is being sold as ransomware-as-a-service (RaaS), with the gang selling or renting it to other people to use maliciously. Some of the same affiliates of Maze have shifted over to Egregor, “so it seems that will be the next big thing post-Maze until someone else gets wise and comes up with a more creative variant,” Miller-Osborn says.

How to defend against Egregor

When it comes to protecting against the double ransom component of Egregor, stronger protections can help, Miller-Osborn says. “Ransomware typically is not particularly complicated. It’s not super-stealthy malware in most cases.” A lot of ransomware infections come from phishing. “It remains hands-down the most common infection vector,” so better protections and training around phishing could help. “Be careful about opening those emails; be careful about clicking on those links. It’s the same kind of thing we say constantly, but that’s the simplest thing you can do to avoid a ransomware attack.”

“Internally there are some things companies can do in keeping their most sensitive data in enclaves,” Miller-Osborn said, “basically not having a flat network and recognizing what the most sensitive or potentially catastrophic loss data is.” For the most sensitive data, organizations should consider deploying additional sensors and stricter, more closely monitored security controls than they use for other parts of the network, she recommends.
“Obviously, all of that costs money and is non-trivial.”

Any organization’s highly sensitive data will also likely be the target of corporate or state-sponsored espionage, so investing in the protection of those kinds of records is a good idea overall. “The same kind of sensitive data that the ransomware actors are potentially going after and exfiltrating can also be the same kind of data that an espionage-motivated threat would be interested in,” says Miller-Osborn. “So just having that data better protected and harder to access is good.”

With training and increased network protection, it is possible to stop and block ransomware, Miller-Osborn says. “It just involves having the right security components configured properly and in the right places. It’s a security posture design thing.”

In terms of Egregor’s connection to the Maze group, “We don’t have a definitive smoking gun, but a lot of little things lead us to believe it’s the same people,” Miller-Osborn says. It’s not uncommon to see this with commodity malware, where a group will claim to shut down only to pop up later as a rebranded version run by the same person or people. “It looks like they do that because there is too much attention on them. There’s too much press. There’s too much law enforcement looking for them,” she says. “All they’re trying to do is just separate themselves from that previous family, for whatever reason.”

Unfortunately, this new era of highly damaging ransomware, typified by the Egregor malware’s rise, won’t end anytime soon. “This is just going to continue. I think we’re going to see more actors, especially on the criminal side of the house, starting to take advantage of this. They recognize how much money they can potentially make doing it.”

Editor’s note: This article, originally published in January 2021, has been updated to include information on the take-down of the Egregor group.