Sophos researchers have taken a close look at the Egregor ransomware. Is it the secret heir to Maze?
The report “Egregor ransomware: Maze's heir apparent” draws on several incidents Egregor has been involved in since September. Among other things, Sophos researchers found:
- Different tactics, techniques and procedures (TTPs) in attacks by different actors, which show how widely criminal RaaS customers can vary their approach and thus make defense more difficult
- Similarities to Maze ransomware, such as the use of the ChaCha and RSA encryption algorithms
- Connections between Egregor and Sekhmet (Egregor is a derivative of Sekhmet)
- Similarities to Ryuk ransomware attacks. In an incident investigated by the Sophos Rapid Response team, the use of Cobalt Strike, the copying of files to the C:\PerfLogs directory, and the use of SystemBC, a malicious Tor network proxy, are consistent with the behavior observed during a Ryuk attack in September 2020
Sean Gallagher, Senior Security Researcher at Sophos, explains:
“The results show how difficult it can be for IT security teams to defend themselves against ransomware-as-a-service attacks, as ransomware operators often rely on multiple distribution channels for malware to reach their victims. This creates a more diverse attack profile that is more difficult to predict.”
Ransomware TTPs have increased significantly
The number of tactics, techniques and procedures (TTPs) used by each type of ransomware has increased significantly, according to the researchers. A well-thought-out defense strategy is therefore essential. "Given that the group behind Egregor claims to be selling stolen data if the ransom is not paid, just having a good backup of organizational data is not enough to defuse ransomware," said Gallagher. "Blocking common exfiltration routes for data - for example preventing Tor connections - can make it more difficult to steal data. The best defense, however, is to prevent attackers from gaining a foothold in the network; just as important is the use of a team of threat hunting experts."
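Two of the indicators above are concrete enough to hunt for: executables copied into C:\PerfLogs and outbound connections toward Tor, which SystemBC proxies and which Gallagher suggests blocking. The following is an added example (not code from Sophos or from the report) that runs both checks over a handful of constructed Sysmon-style events and escalates any host that shows both. The pipe-separated event format, the field names, and the list of default Tor ports are assumptions made for this example; Tor and SystemBC can be configured to use any port, so the port check is a heuristic rather than a complete detector.

```python
"""Added example (not Sophos code): triage constructed Sysmon-style events for
two of the TTPs the report names, executables dropped under C:\\PerfLogs and
outbound connections to default Tor ports. The '|'-separated format, field
names and port list are assumptions for this example."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Default Tor ORPort/DirPort/SOCKS ports. Tor and SystemBC can use any port,
# so this is a heuristic, not a complete Tor detector (assumption).
TOR_PORTS = {9001, 9030, 9050, 9051, 9150}
PERFLOGS_RE = re.compile(r"^c:\\perflogs\\", re.IGNORECASE)
EXEC_SUFFIXES = {".exe", ".dll", ".bat", ".ps1"}


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def parse_event(line: str) -> dict:
    """Split 'key=value|key=value' (constructed format) into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def check_perflogs_drop(ev: dict):
    """Flag an executable written under C:\\PerfLogs (Sysmon event 11 territory).
    ETL traces legitimately live there, so only executable suffixes count."""
    if ev.get("event") != "FileCreate":
        return None
    path = ev.get("path", "")
    if PERFLOGS_RE.match(path) and PureWindowsPath(path).suffix.lower() in EXEC_SUFFIXES:
        return Finding("perflogs_exec_drop", ev.get("host", "?"), path)
    return None


def check_tor_port(ev: dict):
    """Flag a locally initiated connection to a default Tor port (Sysmon event 3)."""
    if ev.get("event") != "NetworkConnect" or ev.get("initiated") != "true":
        return None
    try:
        port = int(ev.get("dport", ""))
    except ValueError:
        return None
    if port in TOR_PORTS:
        return Finding("tor_port_connect", ev.get("host", "?"),
                       f"{ev.get('image', '?')} -> {ev.get('dst', '?')}:{port}")
    return None


def triage(lines):
    """Run every rule over every event; return all findings in log order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for rule in (check_perflogs_drop, check_tor_port):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


def hosts_with_both(findings):
    """Hosts showing a PerfLogs drop *and* a Tor-port connection: the
    combination described in the report, worth escalating before either alone."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in by_host.items()
                  if {"perflogs_exec_drop", "tor_port_connect"} <= rules)


# Constructed sample log: WS-042 shows both indicators, SRV-01 is benign noise
# (an HTTPS connection and an inbound connection on 9001).
SAMPLE_EVENTS = [
    "ts=2020-09-14T03:12:05Z|host=WS-042|event=FileCreate|image=C:\\Windows\\System32\\cmd.exe|path=C:\\PerfLogs\\svchost.exe",
    "ts=2020-09-14T03:12:09Z|host=WS-042|event=NetworkConnect|image=C:\\PerfLogs\\svchost.exe|dst=203.0.113.7|dport=9050|initiated=true",
    "ts=2020-09-14T03:15:00Z|host=WS-042|event=FileCreate|image=C:\\Windows\\System32\\logman.exe|path=C:\\PerfLogs\\Admin\\trace.etl",
    "ts=2020-09-14T03:16:41Z|host=SRV-01|event=NetworkConnect|image=C:\\Program Files\\App\\app.exe|dst=198.51.100.20|dport=443|initiated=true",
    "ts=2020-09-14T03:17:02Z|host=SRV-01|event=NetworkConnect|image=C:\\Windows\\System32\\svchost.exe|dst=192.0.2.9|dport=9001|initiated=false",
]

if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for f in hits:
        print(f"[{f.rule}] {f.host}: {f.detail}")
    print("escalate:", hosts_with_both(hits))
```

Running the block on the constructed sample yields two findings, both on WS-042, and that host alone is escalated; the benign ETL trace under C:\PerfLogs\Admin and the inbound 9001 connection on SRV-01 are ignored. In a real deployment the port heuristic would be backed by a Tor relay list or egress filtering, since neither Tor nor SystemBC is bound to these ports.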
More on this at Sophos.com
About Sophos
More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions and security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of analysis centers. Sophos is headquartered in Boston, USA and Oxford, UK.