Ransomware mutates as quickly as it seems the coronavirus is developing new strains. The Federal Bureau of Investigations first observed Egregor ransomware in September 2020. Just a few months later, the bureau warned of an increased threat to businesses from Egregor ransomware operators.
As of January 6 2021, this ransomware variant had claimed over 150 victims worldwide, according to the FBI. Threat actors exfiltrate data from, and encrypt files on, the compromised network. The ransomware leaves a note instructing victims to communicate with their attackers via online chat. Or the actors will utilize the victim’s own machines to print a ransom note. The actors threaten to publish victim data to a public site.
Using a ransomware as a service model, Egregor poses a particular challenge. Multiple different individuals play a role in the attack, per the FBI. This means “the tactics, techniques, and procedures (TTPs) used in its deployment can vary widely, creating significant challenges for defense and mitigation.”
The mechanisms used to exploit the victim network include:
- Targeting business network and employee personal accounts that share access with business networks or devices
- Phishing emails with malicious attachments to gain access to network accounts
- Exploiting Remote Desktop Protocol (RDP) or Virtual Private Networks to gain access
- Moving laterally and escalating privileges inside networks post-RDP exploitation
Egregor Ransomware’s Reach
The ransomware is named after an occult term “meant to signify the collective energy or force of a group of individuals.” This variant has targeted “at least 69 companies in 16 countries around the world…with the operators demanding $4 million or more from victims,” Bank Info Security reported.
The Egregor malware has wreaked havoc on a variety of businesses in the past five months including:
- Vancouver, Canada, public transportation agency
- A Dutch human resources and staffing firm
- Retailers Barnes & Noble and Kmart
- Gaming software provider Ubisoft
In its Private Industry Notification, the FBI discourages victims from paying any ransom; “Paying a ransom emboldens adversaries to target additional organizations, encourages other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered.”
What to Do about Egregor Ransomware?
There are several strategies the business can take to mitigate ransomware risk. Backing up critical data is essential. This data needs backing up offline and in the cloud too. Additionally, secure business backups and keep them current. It’s not going to do a firm much good to only have a backup from 2017 to go from in the event of a ransomware attack. Separate backups the source data and ensure they can’t be modified or deleted.
Installing and regularly updating anti-virus and anti malware protections for your software on all hosts is also important. With more employees working from home now, this is a step that can’t be overlooked. With cloud-based solutions and remote monitoring and management, the business can ensure all users have the most recent software protections in place, wherever they are.
Implement policies and procedures requiring only secure network access to business systems as well. Educate employees about the need to avoid using public Wi-Fi networks and to secure their home routers. Plus, it never hurts to remind them not to click on unsolicited email links or attachments.
“Know where your critical data is housed,” SANS suggested as well. “Knowing where data is stored allows you to assess the impact of public release as well as recovery alternatives, possibly including paying the ransom.”
It’s also a good idea to have an incident reposes or crisis management plan in place. Knowing in advance who to contact and what your business plans to do in the event of a ransomware attack can expedite recovery.
Using two-factor authentication (2FA) can boost security too. We’ll talk more about that mitigation strategy next.
Secure Your RDP and More
Remote desk protocol (RDP) is not the only means of attack in this recent FBI advisory. Yet the Egregor threat is a reminder that RDP continues to be a major attack vector. With 2FA for network access onsite and via remote desktop protocol, the business significantly increases its security levels.
Weak or stolen passwords are a consistent problem for those trying to secure networks. Your users might also make the mistake of sharing the same personal information they use to make up their passwords on publicly-available social media channels.
Multifactor authentication helps control access. The threat actor can’t get in using the illicitly attained (or too easily guessed) access credentials. They would also need access to the user’s personal device to receive the two-factor authentication code.
Gatekeeper™ from Calyptix provides the small business with a 2FA security layer and centralized user access management. Reduce risk of successful ransomware attacks with the AccessEnforcer 5.0.2 all-in-one solution. Our Geo Fence feature further bolsters protections by allowing the customer to easily set up rules to block access from locations that present a greater threat. SMBs can have Zero Trust Network Access too. Learn more!