Forensic analyses since September have shown the switch to code that is similar to Egregor and Sekhmet.
Global threat hunting and intelligence firm Group-IB has discovered that QakBot (aka Qbot) operators have abandoned ProLock for Egregor ransomware.
Egregor has been actively distributed since September 2020 and has so far hit at least 69 big companies in 16 countries. The biggest ransom demand detected by the Group-IB team has been US$4m worth of Bitcoin.
During recent incident response engagements, the firm’s team noticed a significant change in QakBot operators’ tactics: the gang had started to deploy a new ransomware family, Egregor. This strain first emerged in September 2020, but the threat actors have already managed to affect game developer Crytek, bookseller Barnes & Noble, and most recently the Chilean retail giant Cencosud.
ProLock = Egregor
Analyses of attacks where Egregor was deployed revealed that the tactics, techniques and procedures used by the threat actors were almost identical to the ones used by the ProLock operators.
First, initial access is always gained via QakBot delivered through malicious Microsoft Excel documents impersonating DocuSign-encrypted spreadsheets. Second, Egregor operators have been using Rclone for data exfiltration, the same as with ProLock. Third, the same tools and naming conventions have been used as well, for example md.exe, rdp.bat, svchost.exe.
Hence, with all of the above considered, Group-IB experts assess it is very likely that QakBot operators have switched from ProLock to Egregor ransomware.
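The shared tooling listed above can be turned into a simple hunt over process-creation events. The following is an added example, not Group-IB's code: the event field names (`image`, `cmdline`), the sample events and the paths in them are constructed, and the svchost.exe directory check is an assumption based on where Windows normally runs that binary.

```python
import ntpath
import re

# File names the article lists as shared between ProLock and Egregor intrusions.
SHARED_TOOL_NAMES = {"md.exe", "rdp.bat"}
# Assumption: the genuine svchost.exe is started only from these directories.
SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Rclone transfer subcommand followed by a "remote:path" argument (not a drive
# letter or URL); matches on arguments so a renamed binary is still caught.
RCLONE_ARGS = re.compile(r"\b(copy|sync|move)\b.*\s[\w-]{2,}:(?!//)\S*", re.I)

# Constructed process-creation events; field names are hypothetical.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"image": r"C:\ProgramData\svchost.exe",
     "cmdline": r"C:\ProgramData\svchost.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\Public\rdp.bat"},
    {"image": r"C:\Temp\tool.exe",
     "cmdline": r"C:\Temp\tool.exe copy \\fs01\finance remote1:dump --transfers 8"},
]


def classify(event):
    """Return the hunt findings for one process-creation event."""
    image = event["image"].lower()
    name, folder = ntpath.basename(image), ntpath.dirname(image)
    cmdline = event.get("cmdline", "")
    args = {ntpath.basename(t.strip('"')).lower() for t in cmdline.split()}
    findings = []
    if name in SHARED_TOOL_NAMES or args & SHARED_TOOL_NAMES:
        findings.append("shared-tool-name")
    if name == "svchost.exe" and folder not in SVCHOST_DIRS:
        findings.append("svchost-outside-system-dir")
    if name == "rclone.exe" or RCLONE_ARGS.search(cmdline):
        findings.append("rclone-style-transfer")
    return findings


def hunt(events):
    """Map event index to findings, keeping only events that matched."""
    hits = {i: classify(e) for i, e in enumerate(events)}
    return {i: f for i, f in hits.items() if f}


if __name__ == "__main__":
    for index, findings in hunt(SAMPLE_EVENTS).items():
        print(SAMPLE_EVENTS[index]["image"], findings)
```

Name-based matches are weak signals on their own and are best used to prioritise hosts for the QakBot and Cobalt Strike checks mentioned later in the article.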
Geography and victims
Instead of just encrypting compromised networks, Egregor operators leverage intimidation tactics and threaten to release sensitive info on the leak site they operate.
In less than three months Egregor operators have managed to successfully hit 69 companies around the world, with 32 targets in the US, seven victims in France and Italy each, six in Germany, and four in the UK.
Other victims were from the Asia Pacific, the Middle East, and Latin America. Egregor’s favorite sectors appear to be Manufacturing (28.9% of victims) and Retail (14.5%).
Inside Egregor
While Egregor operators operate similarly to those of ProLock, Egregor ransomware samples obtained during a recent incident response engagement have revealed that the executable code of Egregor is very similar to that of Sekhmet.
The two strains share some core features and use similar obfuscation techniques. Egregor source code bears similarities with Maze ransomware (which has announced its departure from the scene) as well. The decryption of the final payload is based on a command-line-provided password, so it has been impossible to analyze Egregor without command-line arguments provided by the attacker.
Egregor operators use the combination of ChaCha8 stream cipher and RSA-2048 for file encryption. Experts said that, when hunting for Egregor, they watch for the use of Cobalt Strike and QakBot.
Commented Oleg Skulkin, Senior DFIR analyst, Group-IB: “Tactics, techniques and procedures observed are very similar to those seen in the past Qakbot’s Big Game Hunting operations. At the same time, we see that these methods are still very effective and allow threat actors to compromise quite big companies with a high success rate. It’s important to note that the fact that many Maze partners started to move to Egregor will most likely result in the shift in TTPs, so defenders should focus on known methods associated with Maze affiliates.”
Learn more on CyberCrimeCon
Readers interested in learning more about ransomware operations and TTPs in 2020 can register now for Group-IB’s upcoming conference, CyberCrimeCon. The eighth edition of the event will be held on November 25-26 and will host participants from the financial and tech sectors, retail and industrial giants, and law enforcement agencies. In addition to two major streams (analytical and technological), it will contain a Threat Hunting Game.
The conference’s speaker lineup includes representatives of Europol EC3, leading banks, FMCG companies, and independent researchers.