Security experts are warning that a new ransomware group is rapidly escalating threat activity, with double extortion attacks on scores of victims so far in Q4.
The Egregor group first came to light with an attack on Barnes & Noble and video game developers Ubisoft and Crytek back in October, according to Digital Shadows.
In fact, the group has been active since September, when it compromised 15 victims. Then came a massive 240% spike in numbers, with 51 organizations hit the following month. As of November 17, it had added a further 21 victims.
According to the security vendor, a plurality of Egregor victims come from the industrial goods and services sector (38%), and the vast majority so far (83%) have been US-based.
The malware itself has been designed with multiple anti-analysis measures built in, such as code obfuscation and packed payloads, Digital Shadows claimed.
“More specifically, Windows application programming interfaces (APIs) are leveraged to encrypt the payload data. Unless security teams can present the correct command-line argument, then the data cannot be decrypted, and the malware cannot be analyzed,” it added.
“When the correct command-line argument is presented, the malware executes by injecting into iexplore.exe process, encrypting all text files and documents, and enclosing a ransom note within each folder that has an encrypted file. This process includes files on remote machines and servers through checks on LogMeIn event logs.”
Like many groups operating today, the actors behind Egregor maintain a dark web site on which they post data stolen from victims in a bid to force a ransom payment. In this respect it has followed the lead of the infamous Maze group, which ceased operations in October.
For example, it posted 200MB of data on in-game assets from Ubisoft and claimed to have source code from an unreleased title, Watch Dogs: Legion. In the case of Crytek, 400MB of data related to the titles Warface and Arena of Fate was confirmed stolen, Digital Shadows noted.