What is Egregor?

Egregor is one of the most rapidly growing ransomware families. Its name comes from the occult world and is defined as “the collective energy of a group of people, especially when aligned with a common goal,” according to Recorded Future’s Insikt Group. Although descriptions of the malware vary from security firm to security firm, the consensus is that Egregor is a variant of the Sekhmet ransomware family.

It arose in September 2020, at the same time the Maze ransomware gang announced its intention to shut down operations. Affiliates who were part of the Maze group appear, however, to have moved on to Egregor without skipping a beat.

Insikt and Palo Alto Networks’ Unit 42 think Egregor is associated with commodity malware such as Qakbot, which became prominent in 2007 and uses a sophisticated, evasive worm to steal financial credentials, as well as other off-the-shelf malware such as IcedID and Ursnif. These pieces of malware help attackers gain initial access to victims’ systems.

All security researchers seem to agree with Cybereason’s Nocturnus Team that Egregor is a rapidly emerging, high-severity threat. According to security firm Digital Shadows, Egregor has claimed at least 71 victims across 19 different industries worldwide.

Update: On February 9, a joint operation by US, Ukrainian, and French authorities resulted in the arrest of gang members behind Egregor as well as associates who were part of their affiliate program. The leader of the Egregor group was reportedly among those arrested. The group’s website was also taken offline. It is too early to know whether this action has taken Egregor down permanently.

Egregor’s double extortion undercuts traditional defenses

Like most current ransomware variants used in the wild, Egregor uses “double extortion,” relying on a “Hall of Shame” or publicly accessible stolen data on leak pages to pressure victims into paying the ransom.

Among the high-profile Egregor victims are Kmart, the Vancouver metro system, Barnes and Noble, video game developers Ubisoft and Crytek, and the Dutch human resources firm Randstad, from which the attackers stole data, a portion of which they published to the web.

Like many internet criminals, Egregor attackers have considered healthcare facilities and hospitals to be fair game during the coronavirus crisis. One healthcare provider that had to reduce some functions due to an Egregor ransomware attack is GBMC Healthcare in Maryland, which got hit in early December 2020. The company said it had robust protections in place but nonetheless was forced to postpone some elective procedures.

The double extortion, or double ransom, characterizes this new breed of ransomware, undercutting the previous defense that most companies could deploy, which is to keep robust backups if attackers encrypted files. Egregor “just emerged really a couple of months ago and especially in September where it really started hitting all over the world, basically around the same time just when Maze ransomware operators” supposedly shut down, Jen Miller-Osborn, deputy director of threat intelligence for Unit 42 at Palo Alto Networks, tells CSO.

“If you have good offline backups and you know they work, if you’re hit by ransomware, it’s not that big of an issue,” she says. “You take a hit for business purposes and downtime potentially, but if you have good backups, you’ve already kind of built that into your recovery plan.”

Now groups like Egregor have “gotten wise to that idea. So, they’re saying, ‘Well, we’ve already stolen your data, so you have to pay us for that. Or we’re just going to release it publicly and potentially ruin your business, or at least damage your business’s reputation.’ That takes away the good backup story that has worked for so long,” Miller-Osborn says. “We saw that with Maze, and we’re continuing to see that with Egregor.”

As was true with Maze, Egregor is being sold as a ransomware-as-a-service (RaaS), with the gang selling it or renting it to other people to use maliciously. Some of the same affiliates of Maze have shifted over to Egregor, “so it seems that will be the next big thing post-Maze until someone else gets wise and comes up with a more creative variant,” Miller-Osborn says.

How to defend against Egregor

When it comes to protecting against the double ransom component of Egregor, stronger protections can help, Miller-Osborn says. “Ransomware typically is not particularly complicated. It’s not super-stealthy malware in most cases.”

A lot of ransomware infections come from phishing. “It remains hands-down the most common infection vector,” so better protections and training around phishing could help. “Be careful about opening those emails; be careful about clicking on those links. It’s the same kind of thing we say constantly, but that’s the simplest thing you can do to avoid a ransomware attack.”

“Internally there are some things companies can do in keeping their most sensitive data in enclaves,” Miller-Osborn said, “basically not having a flat network and recognizing what the most sensitive or potentially catastrophic loss data is.” For the most sensitive data, organizations should consider having an extra sensor, with extra monitored higher-level security controls than you might have for other parts of the network, she recommends. “Obviously, all of that costs money and is non-trivial.”

Any organization’s highly sensitive data will also likely be the target of corporate or state-sponsored espionage threats, so investing in the protection of those kinds of records is just overall a good idea. “The same kind of sensitive data that the ransomware actors are potentially going after and exfiltrating can also be the same kind of data that an espionage motivated threat would be interested in,” says Miller-Osborn. “So just having that data better protected and harder to access is good.”

With training and increased network protection, it is possible to stop and block ransomware, Miller-Osborn says. “It just involves having the right security components configured properly and in the right places. It’s a security posture design thing.”

In terms of Egregor’s connection to the Maze group, “We don’t have a definitive smoking gun, but a lot of little things lead us to believe it’s the same people,” Miller-Osborn says. It’s not uncommon to see this with commodity malware, where a group will claim to shut down only to pop up later as a rebranded version, and it’s the same person or people. “It looks like they do that because there is too much attention on them. There’s too much press. There’s too much law enforcement looking for them,” she says. “All they’re trying to do is just separate themselves from that previous family, for whatever reason.”

Unfortunately, this new era of highly damaging ransomware typified by the Egregor malware’s rise won’t end anytime soon. “This is just going to continue. I think we’re going to see more actors, especially on the criminal side of the house, starting to take advantage of this. They recognize how much money they can potentially make doing it.”

Editor’s note: This article, originally published in January 2021, has been updated to include information on the take-down of the Egregor group.
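The enclave advice above (no flat network, sensitive data reachable only through a segment that carries extra monitoring) can be checked mechanically against a firewall policy. The following is an added example, not code from the article, from Palo Alto Networks or from any vendor named here: it models a policy as a list of allow rules between network segments, then audits whether any untrusted segment can reach a sensitive enclave directly, or can reach it along a path that skips the monitored chokepoint. All segment names, ports and rules are constructed for the example.

```python
"""Audit a network-segmentation model for flat-network exposure of sensitive enclaves.

Added example, not from the article. Segment names, ports and rules are constructed.
"""
from collections import deque

ANY_PORT = 0  # wildcard marker used by this example only

# Constructed segment names.
SEGMENTS = ["user-workstations", "corp-servers", "jump-host", "hr-enclave", "finance-enclave"]
SENSITIVE = {"hr-enclave", "finance-enclave"}   # where the catastrophic-loss data lives
UNTRUSTED = {"user-workstations"}               # where a phishing click lands first
CHOKEPOINT = "jump-host"                        # segment that carries the extra sensor


def flat_rules(segments):
    """A flat network: every segment may reach every other segment on any port."""
    return [(src, dst, ANY_PORT) for src in segments for dst in segments if src != dst]


# Constructed segmented policy: workstations reach only corp servers and the jump host;
# the enclaves accept traffic only from the monitored jump host.
SEGMENTED_RULES = [
    ("user-workstations", "corp-servers", 443),
    ("user-workstations", "jump-host", 22),
    ("jump-host", "hr-enclave", 443),
    ("jump-host", "finance-enclave", 443),
]


def reachable(rules, start, excluded=frozenset()):
    """Segments reachable from `start` by following allow rules transitively.

    Any segment in `excluded` is treated as absent, which lets the caller ask
    "what is still reachable if the chokepoint were not on the path?".
    """
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for src, dst, _port in rules:
            if src == current and dst not in seen and dst not in excluded:
                seen.add(dst)
                queue.append(dst)
    return seen


def audit(rules, sensitive=SENSITIVE, untrusted=UNTRUSTED, chokepoint=CHOKEPOINT):
    """Return one finding per (untrusted, sensitive) pair that violates the enclave design.

    direct              - an allow rule lets the untrusted segment talk straight into the enclave
    bypasses_chokepoint - the enclave stays reachable with the chokepoint removed, so the
                          extra monitoring placed there would not see that traffic
    """
    findings = []
    for src in sorted(untrusted):
        without_chokepoint = reachable(rules, src, excluded={chokepoint})
        for enclave in sorted(sensitive):
            direct = any(s == src and d == enclave for s, d, _ in rules)
            bypass = enclave in without_chokepoint
            if direct or bypass:
                findings.append({"from": src, "to": enclave,
                                 "direct": direct, "bypasses_chokepoint": bypass})
    return findings


if __name__ == "__main__":
    for name, rules in (("flat", flat_rules(SEGMENTS)), ("segmented", SEGMENTED_RULES)):
        print(name, audit(rules) or "no findings")
```

Run stand-alone, the flat policy produces a finding for each enclave while the segmented policy produces none. The bypass check is the more useful of the two in practice: a policy can avoid any direct workstation-to-enclave rule and still leak reach through an intermediate server segment, which is exactly the path a monitored chokepoint is meant to force traffic through.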