• CERTIFICATE
    • Eminent CIOs of India
    • Most Trusted Companies
    • Most Admired Brands
    • The most influential CMOs
  • SYNDICATION
    • AMD
    • DELL TECHNOLOGIES
    • HITACHI
    • LOGMEIN
    • MICROSOFT
    • RIVERBED
    • STORAGECRAFT
    • THALES
  • EVENTS
  • GO DIGITAL
  • INFOGRAPHICS
  • PRESS
    • Press Release PR News Wire
    • Press Release Business Wire
    • GlobeNewsWire
  • SPECIAL
    • WHITE PAPER
    • TECHNOMANIA
    • SME
    • SMART CITY
    • SERVICES
    • EDITOR SPEAK
    • CSR INITIATIVES
    • CHANNEL GURU
    • CHANNEL CHIEF
    • CASE STUDY
  • TECHTREND
    • VAR PANCHAYAT
    • TELECOM
    • SOFTWARE
    • POWER
    • PERIPHERALS
    • NETWORKING
    • LTE
    • CHANNEL BUZZ
    • ASK AN EXPERT
  • SUBSCRIBE
  • Apps
  • Game
  • KDS
  • Security
  • Telecom
  • WFH
  • Subscriber to Newsletter
  • September Issue
  • Blogs
  • Vlogs
  • Faceoff
SNA

HOME
NEWS

SonicWall Capture Labs Threat Research Team Warns of Egregor Ransomware Attacks

SonicWall Capture Labs Threat Research Team Warns of Egregor Ransomware Attacks

SonicWall Capture Labs Threat Research team warns that Egregor Ransomware attacks will intensify. This ransomware steals system information, banking, online account credentials, deploys keyloggers, and remote backdoors on Windows client and server software.

 

The library (Dll) is highly obfuscated and encrypted using Salsa20, ChaCha, and Rabbit stream ciphers along with RSA public-key cryptography. Egregor releases stolen data on the Egregor News website to increase pressure on the victims to pay the ransom. Egregor News is both used publicly and on the Dark Web aka the Darknet. Egregor News is used to post the names and domains, along with data sets of the Egregor victims. The financial and tech sectors are at the top of the target list because they are the most profitable this year and will be well into the future.

 

Egregor targets systems within the Five-Eyes: Australia, Canada, New Zealand, United Kingdom, and the USA (North America). Other related targets are in South America, South Africa. Mostly countries and territories of the United States and their partners.

 

If we were to count the potential Infections, we would have to take the countries populations into account. Australia 24.99 Million, Canada 37.59 Million, New Zealand 4.886 Million, The United Kingdom 66.65 Million and The United States 328.2 Million. Total population among the Five-Eye countries: 462.3 Million not counting South America and Africa. Data suggests that only about 50% of the population is connected and online. So potentially Egregor could infect up to 230 million Windows clients and/or servers.

 

Kmart and Vancouver Metro were recently attacked and this type of ransomware is expected in the future. Egregor Ransomware is uniquely assembled. Employing obfuscation and anti-analysis techniques. In order to fully decrypt and deploy the payload, the password associated with the sample must be provided at runtime.

 

Egregor interlinks stream ciphers-(symmetric-key algorithms): ChaCha-(2008), Salsa20-(2005), and Rabbit-(2003) in such a way combined with RSA-(Rivest-Shamir-Adleman) public-key cryptography that if you don't have the password to the libraries (.dll, aka payloads) a Reverse Engineer, Security Analyst, Security Researcher will never be able to reverse engineer the payload. The community is linking Egregor with Maze Ransomware, where Egregor's base source code derives from.

 

Debasish Mukherjee, VP, Regional Sales - APAC at SonicWall, says, “Ransomware is one of the most prolific criminal business models in existence today, mostly thanks to the multimillion-dollar ransom criminals demand from individuals and corporations. Egregor is a RaaS (Ransomware as a Service) that’s why they have a news website on the public facing web and on the dark web. The financial and tech sectors will always be at the top of the target list because they are the most profitable. SonicWall Gateway Anti-Virus (GAV) provides protection against this threat.”

 

Attackers have to create a chain of events in order to leverage a library (Dll). This chain of events is called the infection chain. Egregor, will spread through the following chain:

 

Stage 1: Phishing campaigns; emails often include an attachment or implant (executable file). Although it can be difficult to identify suspicious files at the first glance-as they are commonly hidden within clandestine tricks only known to hackers and malware authors.

 

Stage 2: The malware documents, attachments or implants from above carry nasty virii. Some of which are Qbot, Ursnif, and icedID. All three are trojans designed to steal data and they also spread other payloads; in the case of the Egregor campaign it spreads CobaltStrike. CobaltStrike is penetration software and one of the most powerful network attack kits available.

 

Stage 3: Command and Control Servers - attackers will send commands to systems compromised by malware and receive stolen data from a targeted system.

 

4: Cyber attackers will finally reach the library stage or other payloads. Usually in the form of .bat, .zip, .dll, .cfg, .obj, .bin, .exe. Most of this stage deals with injection into a piece of running software on the server or client.

 

All of the files will be encrypted but this really depends on the parameters used during installation. Egregor’s payload can accept several command line arguments, including:

 

-fast: Is used to limit file size for encryption.

-full: performs encryption of the full victim system (including local and network drives).

-multiproc: multi-process support.

-nomimikatz: Mimikatz is an open-source toolkit.

-nonet: does not encrypt network drives.

-path: specific folder to encrypt.

-target: target extension for encryption.

-append: file extension to append to encrypted files.

-norename: does not rename the files it encrypts.

-greetings: prepends the name to the ransom note.

-samba: provide shared access to files, printers, and serial ports between nodes.

-killrdp: remote desktop protocol

 

Further Debasish mentioned that, “Organizations with traditional cybersecurity solutions have realized that shifting to a Boundless Cybersecurity model is the future of securing businesses from vulnerability. Cyber-attacks are constantly evolving and require much more sophisticated capability like use of deep tech such as AI and ML to recognize attacks rather than defending a known vector.”

 

So, here’s the solution:

 

Use our signature GAV: Egregor.RSM (Trojan)

Keep operating system patches up-to-date.

Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.

Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators’ group unless required.

Enforce a strong password policy and implement regular password changes.

Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.

Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.

Disable unnecessary services on agency workstations and servers.

Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).

Monitor users' web browsing habits; restrict access to sites with unfavorable content.

Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).

Scan all software downloaded from the Internet prior to executing.

Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

See What’s Next in Tech With the Fast Forward Newsletter

SECURITY
View All
WhatsApp asked to block users illegally selling Apna College videos
Technology

WhatsApp asked to block users illegally selling Apna College videos

by VARINDIA 2023-10-02
Trend Micro Ranks #1 in Attack Protection
Technology

Trend Micro Ranks #1 in Attack Protection

by VARINDIA 2023-09-28
Black Box Cybersecurity Wins 17 New Marquee US Customers
Technology

Black Box Cybersecurity Wins 17 New Marquee US Customers

by VARINDIA 2023-09-27
SOFTWARE
View All
Kuehne+Nagel and Capgemini collaborate to deliver an end-to-end supply chain capability
Technology

Kuehne+Nagel and Capgemini collaborate to deliver an end-to-end supply chain capability

by VARINDIA 2023-09-27
Bain & Company teams up with Microsoft to help clients accelerate and scale AI adoption
Technology

Bain & Company teams up with Microsoft to help clients accelerate and scale AI adoption

by VARINDIA 2023-09-27
Newgen and Coforge to deliver transformative insurance lifecycle management solutions
Technology

Newgen and Coforge to deliver transformative insurance lifecycle management solutions

by VARINDIA 2023-09-25
START - UP
View All
Homegrown app Dunzo to raise $35 million from Reliance & Google
Technology

Homegrown app Dunzo to raise $35 million from Reliance & Google

by VARINDIA 2023-09-26
ideaForge and GalaxEye Join Forces to Build UAV FOPEN Radar Technology
Technology

ideaForge and GalaxEye Join Forces to Build UAV FOPEN Radar Technology

by VARINDIA 2023-09-26
Datacultr expands its reach to LATAM and Africa Regions
Technology

Datacultr expands its reach to LATAM and Africa Regions

by VARINDIA 2023-09-05

Tweets From @varindiamag

Nothing to see here - yet

When they Tweet, their Tweets will show up here.

CIO - SPEAK
Automation has the potential to greatly improve efficiency and production

Automation has the potential to greatly improve efficiency and production

by VARINDIA
Various approaches are followed to enhance efficiency, productivity, and cost-effectiveness

Various approaches are followed to enhance efficiency, productivity, and cost-effectiveness

by VARINDIA
Technology can be leveraged in several ways to boost efficiency, productivity and reduce cost

Technology can be leveraged in several ways to boost efficiency, productivity and reduce cost

by VARINDIA
Start-Up and Unicorn Ecosystem
Lumina Datamatics announces AI services for publishers

Lumina Datamatics announces AI services for publishers

by VARINDIA
Qualcomm announces its next generation XR and AR platforms

Qualcomm announces its next generation XR and AR platforms

by VARINDIA
Genpact expands its relationship with Amazon to transform financial crime risk operations

Genpact expands its relationship with Amazon to transform financial crime risk operations

by VARINDIA
Pocket FM Surpasses 100 Million Downloads on Google Play Store

Pocket FM Surpasses 100 Million Downloads on Google Play Store

by VARINDIA
OpenAI's ChatGPT now speaks in 5 different voices

OpenAI's ChatGPT now speaks in 5 different voices

by VARINDIA
VVDN Technologies and Axiado partner to reshape the server technology landscape

VVDN Technologies and Axiado partner to reshape the server technology landscape

by VARINDIA
Vertiv Provides Flexible Edge and Smart IT Power Backup in India

Vertiv Provides Flexible Edge and Smart IT Power Backup in India

by VARINDIA
Accenture Invests in Writer to Accelerate Enterprise Use of Generative AI

Accenture Invests in Writer to Accelerate Enterprise Use of Generative AI

by VARINDIA
VIAVI wins funding for three projects in DSIT ONE competition

VIAVI wins funding for three projects in DSIT ONE competition

by VARINDIA
Comviva partners with XoXoday to revolutionize loyalty experiences

Comviva partners with XoXoday to revolutionize loyalty experiences

by VARINDIA
×

Reproduction in whole or in part in any form or medium without express written permission of Kalinga Digital Media Pvt. Ltd. is prohibited.

  • Distributors & VADs
  • Industry Associations
  • Telco's in India
  • Indian Global Leaders
  • Edit Calendar
  • About Us
  • Advertise Us
  • Contact Us
  • Disclaimer
  • Privacy Statement
  • Sitemap

Copyright varindia.com @1999-2023 - All rights reserved.