# Cybereason vs. Egregor Ransomware

**cybereason.com/blog/cybereason-vs-egregor-ransomware**

Written By Cybereason Nocturnus, November 26, 2020 | 5 minute read

**Research by: Lior Rochberger**

Egregor is a newly identified ransomware variant that was first discovered in September 2020, and has recently been identified in several sophisticated attacks on organizations worldwide, including the games industry giants [Crytek and Ubisoft](https://www.zdnet.com/article/ubisoft-crytek-data-posted-on-ransomware-gangs-site/). [Similar to the Maze ransomware](https://nest.cybereason.com/blog/threat-spotlight-analyzing-and-detecting-maze-ransomware-4), Egregor's operators run a double-extortion ransomware operation: data is stolen and stored on the attacker's servers before it is encrypted on the victim's machine.

Egregor is probably the most aggressive ransomware family in terms of negotiation with the victims. Its operators give only 72 hours to contact them. If the ransom is not paid, the data is released to the public via the attacker's website, "Egregor News."

_Cybereason Blocks Egregor Ransomware_

The ransom payment is negotiated and agreed upon via a dedicated chat function assigned to each victim. Payment is received in bitcoin:

_Egregor News website - published data_

Egregor is believed to be a relative of another ransomware called Sekhmet that emerged in March 2020, which shares a lot of similarities with Egregor and also some similarities with Maze.

Egregor is still quite a mystery when it comes to how it is delivered in the attack and who is behind the campaign. Not much is known at this point, but speculation includes theories that Egregor is the "heir to Maze," after that threat actor [announced they were shutting down their operations in late October](https://www.bleepingcomputer.com/news/security/maze-ransomware-shuts-down-operations-denies-creating-cartel/). This assumption is supported by the close similarities between the two, and of course the timing.

## Key Findings

- **Emerging Threat:** In a short amount of time, Egregor ransomware has caused great damage and made headlines across the world.
- **High Severity:** The Cybereason Nocturnus Team assesses the threat level as HIGH given the destructive potential of the attacks.
- **Low-and-Slow:** Prior to the deployment of the ransomware, the attackers infiltrate and move laterally throughout the organization, carrying out a fully-fledged hacking operation.
- **Infection Vector via Commodity Malware:** The infection seems to start with commodity malware. Based on preliminary reconnaissance of the data sent to the C2 servers, the operators can choose to escalate to an interactive hacking operation, which ultimately causes a mass ransomware infection.
- **Detected and Prevented:** [The Cybereason Defense Platform](https://www.cybereason.com/platform) fully detects and prevents the Egregor ransomware.

## Breaking Down the Attack

_Egregor infection chain_

## From Commodity Malware Infection to Ransomware

Since Egregor is a relatively new player in the game, not many incidents involving it have been covered in detail, including information about the infection chain. The information available so far suggests that the initial infection starts with a phishing email that contains a malicious macro embedded in an attached document. The macro code downloads a commodity malware, either [Qbot](https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot), [IcedID](https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid) or [Ursnif](https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi), which provides capabilities for stealing sensitive information that will later be used for lateral movement.
This technique, which involves using commodity malware for the initial infection and eventually delivering ransomware, was observed before with [Ryuk ransomware and Maze](https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware).

Later in the attack, a [Cobalt Strike beacon](https://www.cobaltstrike.com/) is installed on the infected machine and the attack shifts to an interactive hacking operation. The attacker uses reconnaissance tools such as [AdFind](http://www.joeware.net/freetools/tools/adfind/) and [SharpHound](https://github.com/BloodHoundAD/SharpHound) to gather information about users, groups, computers and so on. This information assists in the lateral movement phase and in privilege escalation, as the Egregor operators compromise Active Directory in order to become domain admin.

In this stage, after the malware settles on the victim's machine, it starts communicating with the C2 in order to download additional components, including scripts, DLLs and other files that will eventually be used to exfiltrate data and encrypt files. Among the dropped files observed:

- **A batch file** that is used to run Bitsadmin and Rundll32 to download and execute the Egregor payload.
- **A Zip file** containing a binary that is an [RClone](https://rclone.org/) client, renamed svchost, and RClone config files (webdav, ftp and dropbox) used later for exfiltration.

_VT screenshot of the RClone executable and configuration file_

Cobalt Strike creates a service that runs an encoded PowerShell command; the command executes shellcode that connects to amajai-technologies[.]industries:

_Decryption of the Shellcode_

After dropping the files needed for the attack, the attackers "prepare the ground" with a final procedure meant to avoid detection and prevention: they create a Group Policy Object (GPO) to disable Windows Defender and try to take down any anti-virus products.
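The report shows the decoded shellcode only as a screenshot. The following is an added example, not code from the report or from Cybereason: it peels an encoded PowerShell service command of the kind the stock Cobalt Strike PowerShell stager produces down to its shellcode, layer by layer (base64 of UTF-16LE script text, then an `IEX` over a gzip-compressed base64 inner script, then a base64 byte array XORed with a one-byte key). The layering, the regexes and the key 35 are assumptions taken from the publicly known stager format, not from this intrusion; `build_sample` constructs a fake command whose "shellcode" is a few marker bytes plus the C2 hostname named above, so the decoder has something to run on offline.

```python
"""Peel a Cobalt Strike style encoded-PowerShell stager down to its shellcode.

Added example; not code from the Cybereason report. The report says the
Cobalt Strike service ran an encoded PowerShell command whose shellcode
connected to amajai-technologies[.]industries but does not print the
command. The layering below (base64 of UTF-16LE -> gzip -> base64 -> XOR)
is that of the public Cobalt Strike PowerShell stager; the sample built by
build_sample() is constructed here and contains no real shellcode.
"""
import base64
import gzip
import re

XOR_KEY = 35  # single-byte key used by the stock stager (assumption)

# Constructed "shellcode": a few marker bytes, the C2 hostname, padding.
FAKE_SHELLCODE = b"\xfc\x48\x83\xe4\xf0" + b"amajai-technologies.industries" + b"\x00" * 8

B64_RE = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")
XOR_RE = re.compile(r"-bxor\s+(\d+)")
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)


def build_sample(shellcode: bytes) -> str:
    """Wrap shellcode the way the stock stager does; returns 'powershell ... -encodedcommand <b64>'."""
    xored = bytes(b ^ XOR_KEY for b in shellcode)
    inner = (
        "[Byte[]]$var_code = [System.Convert]::FromBase64String('%s')\n"
        "for ($x = 0; $x -lt $var_code.Count; $x++) { $var_code[$x] = $var_code[$x] -bxor 35 }\n"
        % base64.b64encode(xored).decode()
    )
    gz = base64.b64encode(gzip.compress(inner.encode())).decode()
    outer = (
        "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
        "(New-Object IO.MemoryStream(,[Convert]::FromBase64String('%s'))),"
        "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()" % gz
    )
    enc = base64.b64encode(outer.encode("utf-16-le")).decode()
    return "powershell -nop -w hidden -encodedcommand " + enc


def decode_encoded_command(cmdline: str) -> str:
    """Layer 1: -EncodedCommand carries base64 of UTF-16LE script text."""
    m = ENC_RE.search(cmdline)
    if not m:
        raise ValueError("no -EncodedCommand argument found")
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def unwrap_gzip_stage(script: str) -> str:
    """Layer 2: IEX over a gzip-compressed, base64-encoded inner script."""
    m = B64_RE.search(script)
    if not m:
        raise ValueError("no FromBase64String blob in outer script")
    return gzip.decompress(base64.b64decode(m.group(1))).decode()


def extract_shellcode(inner: str) -> bytes:
    """Layer 3: base64 byte array, XORed with the key named in the -bxor loop (0 if none)."""
    m = B64_RE.search(inner)
    if not m:
        raise ValueError("no byte array in inner script")
    k = XOR_RE.search(inner)
    key = int(k.group(1)) if k else 0
    return bytes(b ^ key for b in base64.b64decode(m.group(1)))


def strings(blob: bytes, min_len: int = 6):
    """Printable ASCII runs, the quickest way to spot a C2 host in decoded shellcode."""
    return [s.decode() for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def peel(cmdline: str):
    """Run all three layers; returns (shellcode bytes, printable strings found in it)."""
    outer = decode_encoded_command(cmdline)
    inner = unwrap_gzip_stage(outer)
    sc = extract_shellcode(inner)
    return sc, strings(sc)


if __name__ == "__main__":
    sample = build_sample(FAKE_SHELLCODE)
    sc, found = peel(sample)
    print(f"{len(sc)} bytes of shellcode, strings: {found}")
```

The real service command is recoverable from the Service Control Manager event (Windows System log event 7045) or from the `ImagePath` of the service key, and the same three functions apply to it as long as the stager follows the stock layout; a customised stager may use a different XOR key, which is why `extract_shellcode` reads the key from the `-bxor` loop rather than hardcoding it.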
## Egregor Execution

As described above, the operators of Egregor deploy the ransomware payload after collecting the sensitive information and setting the GPO to evade detection and prevention. To deploy the ransomware, they execute the dropped batch file that, as mentioned, is used to download and execute the ransomware payload from a remote server:

_The content of the batch file_

The Egregor payload can only be decrypted if the correct key is provided as a command line argument to the Rundll32 process. This means the file cannot be analyzed, either manually or in a sandbox, unless the exact command line the attackers used to run the ransomware is supplied. In order to execute the ransomware and decrypt the blob of code inside it, the operators pass the key "-passegregor10" via the batch file, which results in the ransomware running and encrypting files:

_Batch file execution as shown in the Cybereason Defense Platform_

Encrypted file names are appended with a string of random characters as the new extension. For example, "My_files.zip" is renamed to "My_files.zip.IAsnM", "My_files2.zip" to "My_files2.zip.WZlF" and so on. The threat actor also drops a ransom note named "RECOVER-FILES.txt" in every folder that contains encrypted files, as shown in the figure below:

_Encrypted files_

_A message shown to the user_

## Connection to Sekhmet and Maze

Egregor shares code similarities with Sekhmet ransomware, as well as the notorious Maze ransomware.
Besides code similarities, the three ransomware families have a lot in common, including behaviour and characteristics:

| | Maze | Sekhmet | Egregor |
|---|---|---|---|
| **First seen** | May 2019 | March 2020 | July 2020 |
| **File type** | DLL/EXE | DLL | DLL |
| **Encrypted files extension** | Random extension of random characters | Random extension of random characters | Random extension of random characters |
| **Encryption algorithm** | ChaCha & RSA | ChaCha & RSA | ChaCha & RSA |
| **Ransom demand message file name** | DECRYPT-FILES.txt | RECOVER-FILES.txt | RECOVER-FILES.txt |
| **Damage** | Encryption and extortion | Encryption and extortion | Encryption and extortion |
| **Cyber criminal contact** | Tor browser website | Tor browser website | Tor browser website |
| **Website name** | Maze News | Leaks, Leaks, Leaks. | Egregor News |

Another way to search for the connection between the three is to look at the infrastructure. The IP address [185.238.0[.]233](https://www.virustotal.com/gui/ip-address/185.238.0.233/relations) hosts different binaries, Zip files and scripts:

- Maze ransomware binaries
- Egregor ransomware binaries
- Zip files containing the RClone binary and configuration files

The IP address is referred to by different scripts, including the batch files that download the Egregor payload:

_Chart describing the different samples found on 185.238.0[.]233_

It is also worth mentioning the similarities in the ransom notes of the three.
They have a very similar structure, and even some "copy-paste" parts:

_Comparison between the three ransomware's ransom notes_

In addition to the Maze and Egregor binaries found on this specific server, other samples were found on it related to Prolock ransomware, [as analyzed in this report](https://www.intrinsec.com/egregor-prolock/).

## Cybereason Detection and Prevention

Cybereason is able to both detect and prevent the execution of Egregor, Sekhmet and Maze using the NGAV component. When the Anti-Ransomware feature is enabled, behavioral detection techniques in the platform detect the attempt to encrypt files and raise a Malop for it:

_Ransomware Malop triggered due to the malicious activity_

Using the Anti-Malware feature with the right configuration (listed in the recommendations below), Cybereason will also detect and prevent the execution of the ransomware and ensure that it cannot encrypt targeted files:

_Anti-Malware alert - Disinfecting b.dll (Egregor payload)_

_User notification - Blocking the execution of the ransomware on the endpoint_

## Indicators of Compromise

| IOC | Type | Description |
|---|---|---|
| f7bf7cea89c6205d78fa42d735d81c1e5c183041 | SHA1 | Egregor DLL / Egregor batch file |
| 5a346fb957abeba389424dc57636edcacc58b5ba | SHA1 | Egregor DLL / Egregor batch file |
| 901cee60fba225baf80c976b10dfa1684a73f5ee | SHA1 | Egregor DLL / Egregor batch file |
| a6259615ea10c30421e83d20f4a4b5f2c41b45b8 | SHA1 | Egregor DLL / Egregor batch file |
| 03cdec4a0a63a016d0767650cdaf1d4d24669795 | SHA1 | Egregor DLL / Egregor batch file |
| 4ea064f715c2a5f4ed68f57029befd8f406671dd | SHA1 | Egregor DLL / Egregor batch file |
| ac634854448eb8fcd3abf49c8f37cd21f4282dde | SHA1 | Egregor DLL / Egregor batch file |
| 7bc6c2d714e88659b26b6b8ed6681b1f91eef6af | SHA1 | Egregor DLL / Egregor batch file |
| 0579da0b8bfdfce7ca4a45baf9df7ec23989e28b | SHA1 | Egregor DLL / Egregor batch file |
| 3a33de9a84bbc76161895178e3d13bcd28f7d8fe | SHA1 | Egregor DLL / Egregor batch file |
| 986f69a43e0bf174f73139785ec8f969acf5aa55 | SHA1 | Egregor DLL / Egregor batch file |
| f1603f1ddf52391b16ee9e73e68f5dd405ab06b0 | SHA1 | Egregor DLL / Egregor batch file |
| ac6d919b313bbb18624d26745121fca3e4ae0fd3 | SHA1 | Egregor DLL / Egregor batch file |
| 95aea6b24ed28c6ad13ec8d7a6f62652b039765e | SHA1 | Egregor DLL / Egregor batch file |
| a786f383dfb90191aa2ca86ade68ee3e7c088f82 | SHA1 | Egregor DLL / Egregor batch file |
| 631924a3567390a081dbd82072a6fc3a185c5073 | SHA1 | Egregor DLL / Egregor batch file |
| 1be22505a25f14fff1e116fafcaae9452be325b1 | SHA1 | Egregor DLL / Egregor batch file |
| a2d5700def24c3ae4d41c679e83d93513259ae4a | SHA1 | Egregor DLL / Egregor batch file |
| 45.153.242.129 | IP | C2 |
| 185.238.0.233 | IP | C2 |
| 49.12.104.241 | IP | C2 |
| 34a466a0e55a930d8d7ecd1d6e6c9c750082a5fe | SHA1 | Zip containing RClone |
| 2edaa3dd846b7b73f18fa638f3e1bc3a956affa4 | SHA1 | Encoded PowerShell |

## MITRE ATT&CK BREAKDOWN

- **Initial Access:** [Phishing](https://attack.mitre.org/techniques/T1566/)
- **Privilege Escalation:** Valid Accounts
- **Defense Evasion:** Group Policy Modification; Impair Defenses; Impair Defenses: Disable or Modify Tools; [Masquerading](https://attack.mitre.org/techniques/T1036/003/)
- **Command and Control:** [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105/)
- **Discovery:** Account Discovery; [Domain Trust Discovery](https://attack.mitre.org/techniques/T1482/); [Permission Groups Discovery](https://attack.mitre.org/techniques/T1069/); [Permission Groups Discovery: Local Groups](https://attack.mitre.org/techniques/T1069/001/)
- **Lateral Movement:** Remote Services
- **Exfiltration:** [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/); [Exfiltration Over Web Service: Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002/)
- **Impact:** [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486/)

## About the Author

**Cybereason Nocturnus**

The Cybereason Nocturnus Team has brought the world's brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.

[All Posts by Cybereason Nocturnus](https://www.cybereason.com/blog/authors/cybereason-nocturnus)