First observed on September 25, 2020, the Egregor ransomware variant has made considerable strides in the wake of Maze, another ransomware operation that ceased activity in October 2020.
Some security researchers have drawn parallels between the two groups, including overlap in malware signatures, victimology (in both cases the majority of victims belong to the Industrial Goods & Services sector), and the practice of leaking victims' sensitive data on a dark-web "News" site.
While we cannot independently verify these claims, analysis of Egregor's activity and ransomware shows that it has become the leading variant, with the potential to become a more significant threat to your organization in the coming months.
Egregor has had a very active Q4. As of November 17, 2020, the Egregor ransomware group has named 71 victims spanning 19 industry verticals. The sophistication of the attacks, the breadth of victims, and the sharp rise in activity suggest that the operators had been developing their malware for some time and are only now putting it to (malicious) use.
In terms of motive, Egregor's double-extortion model shows the group to be financially motivated: after a breach, the operators publish a sample of data easily traceable to the victim as proof of compromise, then demand a hefty ransom in exchange for not releasing the rest. While the extortion model is consistent, the victims vary. Overall, victims clustered in the Industrial Goods & Services sector (38%), and the vast majority were US-based companies (83%).
Named victims increased 240% from September 25 (15 incidents) to October 31 (51 incidents), and by a further 39% as of November 17, bringing the total to 71 incidents.
Egregor first caught the cybersecurity world's attention in October with attacks on Barnes & Noble and the video game developers Ubisoft and Crytek. From Barnes & Noble, Egregor operators released two Windows Registry hives, contending that they contained highly sensitive financial data about the bookseller.
In the attack against Ubisoft, Egregor claimed to have stolen source code for the then-unreleased game "Watch Dogs: Legion." Ubisoft did not confirm the claim, but the gang released 200MB of data about in-game assets. It is possible this material was obtained from some other source online. Still, given the company's history of compromise through email phishing (employees receiving messages with malicious attachments or links that trigger malware on the target system), it is highly likely that this was a successful targeted attack.
Another large gaming company, Crytek, confirmed it had lost almost 400MB of data relating to its first-person shooter "Warface" and the now-closed multiplayer online battle game "Arena of Fate." Given the level of activity and apparent technical sophistication Egregor has demonstrated, attacks of this kind will likely continue over the short term.
Because the Egregor ransomware group has only been active since September 25, there is limited information about its common tactics, techniques, and procedures (TTPs).
So far, our researchers have found that the Egregor malware uses multiple anti-analysis techniques, including code obfuscation and packed payloads, which make it challenging to analyze. More specifically, Windows application programming interfaces (APIs) are used to encrypt the payload, and the payload is only decrypted when the correct command-line argument is supplied at runtime. Without that argument the payload cannot be decrypted and the malware cannot be analyzed. For responders, this means that the full command line which launched the sample (from process-creation logging) is as important to preserve as the sample itself.
When the correct command-line argument is supplied, the malware injects into an iexplore.exe process, encrypts text files and documents, and drops a ransom note (pictured below) in every folder that contains an encrypted file. The process also extends to files on remote machines and servers, and includes checks of LogMeIn event logs.
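One way to detect the behaviour just described (the same note file dropped into every folder that was touched, from a host process such as iexplore.exe that has no business writing files across the filesystem and onto file shares) is shown below as an added example; this is not code from the original post. It runs over constructed Sysmon-style FileCreate (Event ID 11) records. The note filename, file paths and process IDs are placeholders: the post does not give Egregor's note filename or encrypted-file extension.

```python
"""Flag a process that creates a file with the same name in many directories
within a short window (ransom-note fan-out), over constructed Sysmon-style
Event ID 11 (FileCreate) records. Added example, not code from the post."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

IEXPLORE = r"C:\Program Files\Internet Explorer\iexplore.exe"

# Constructed telemetry, not real. "README-NOTE.txt" is a placeholder note name.
EVENTS = [
    # (UtcTime, Image, ProcessId, TargetFilename)
    ("2020-11-17 10:00:01", IEXPLORE, 4120, r"C:\Users\alice\Documents\q3-forecast.xlsx.enc"),
    ("2020-11-17 10:00:01", IEXPLORE, 4120, r"C:\Users\alice\Documents\README-NOTE.txt"),
    ("2020-11-17 10:00:02", IEXPLORE, 4120, r"C:\Users\alice\Documents\contracts\msa.docx.enc"),
    ("2020-11-17 10:00:02", IEXPLORE, 4120, r"C:\Users\alice\Documents\contracts\README-NOTE.txt"),
    ("2020-11-17 10:00:03", IEXPLORE, 4120, r"C:\Users\alice\Desktop\README-NOTE.txt"),
    ("2020-11-17 10:00:04", IEXPLORE, 4120, r"\\FS01\finance\README-NOTE.txt"),
    ("2020-11-17 10:00:05", IEXPLORE, 4120, r"\\FS01\finance\2020\README-NOTE.txt"),
    ("2020-11-17 10:00:06", IEXPLORE, 4120, r"\\FS01\hr\README-NOTE.txt"),
    # Benign noise: Explorer writing desktop.ini into a couple of folders.
    ("2020-11-17 10:05:00", r"C:\Windows\explorer.exe", 1588, r"C:\Users\alice\Pictures\desktop.ini"),
    ("2020-11-17 10:05:30", r"C:\Windows\explorer.exe", 1588, r"C:\Users\alice\Music\desktop.ini"),
    ("2020-11-17 10:06:00", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", 2210,
     r"C:\Users\alice\Documents\memo.docx"),
]

# Processes that should never fan a file out across many directories.
UNEXPECTED_WRITERS = {"iexplore.exe"}


def detect_note_fanout(events, min_dirs=5, window=timedelta(minutes=5)):
    """Return one alert per (image, pid, filename) whose file was created in at
    least `min_dirs` distinct directories, with first and last creation no more
    than `window` apart. Uses the overall first/last span, not a sliding window,
    so a slow drip of one note per hour would not trigger it."""
    by_key = defaultdict(lambda: {"dirs": set(), "first": None, "last": None})
    for ts, image, pid, target in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        p = PureWindowsPath(target)
        rec = by_key[(image, pid, p.name.lower())]
        rec["dirs"].add(str(p.parent).lower())
        rec["first"] = t if rec["first"] is None else min(rec["first"], t)
        rec["last"] = t if rec["last"] is None else max(rec["last"], t)

    alerts = []
    for (image, pid, name), rec in by_key.items():
        if len(rec["dirs"]) >= min_dirs and rec["last"] - rec["first"] <= window:
            alerts.append({
                "image": image,
                "pid": pid,
                "filename": name,
                "dir_count": len(rec["dirs"]),
                # UNC parents mean the fan-out reached remote shares too.
                "remote_share": any(d.startswith("\\\\") for d in rec["dirs"]),
                "unexpected_host": PureWindowsPath(image).name.lower() in UNEXPECTED_WRITERS,
            })
    return sorted(alerts, key=lambda a: -a["dir_count"])


if __name__ == "__main__":
    for alert in detect_note_fanout(EVENTS):
        print(alert)
```

The threshold of five directories is a starting point; tune it against a week of your own FileCreate telemetry so that installers and sync clients, which legitimately write the same filename into many folders, stay below it, and weight the alert higher when `unexpected_host` or `remote_share` is true.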
Regarding data leakage, the ransom note instructs victims to download the Tor browser and contact the operators within three days. If the victim does not comply and pay, the company's data is published on the "Egregor News" data leak site (DLS) for public consumption.
Operators of other malware, such as Qakbot (also known as Qbot), have taken note of Egregor's progress. The Qakbot banking trojan is suspected to have recently abandoned ProLock in favor of Egregor as the ransomware it deploys.
Given the group's technical capability to hinder malware analysis and its targeting of a large variety of organizations, we conclude that Egregor will likely continue operating, posing a growing risk to your organization.
Knowing this can leave you or your organization feeling helpless, but these attacks are by and large preventable. We've collected a list of their MITRE ATT&CK techniques and IOCs and shared them at the end of this blog.
Tracking ransomware groups’ tactics and trends can be daunting, and it’s easy to get buried in all the information out there.
Looking to keep up to date on threat actor activity and gain actionable insights from ransomware trends? SearchLight (now ReliaQuest's GreyMatter Digital Risk Protection) presents threat intelligence and assesses the risk that specific actors pose to your industry, company, and assets. A trial of SearchLight is available here.
If you’re a Digital Shadows (now ReliaQuest) client, you’ll be able to subscribe to the Egregor tag, or use this search term to set up alerts on new instances of Egregor victims:
https://portal-digitalshadows.com/search?types=INTEL_INCIDENT&sp=sortDate&q=Egregor&view=List
Indicators of compromise

IP addresses:
91[.]199[.]212[.]52
49[.]12[.]104[.]241

Domain:
Crt[.]sectigo[.]com

URLs:
hxxp://49[.]12[.]104[.]241:81/78.bin
hxxp://49[.]12[.]104[.]241/sm.dll
hxxp://49[.]12[.]104[.]241:81/sm.dll

SHA256:
072ab57f9db16d9fb92009c8e10b176bd4a2eff01c3bc6e190020cf5a0055505
1a722cde21a4338b26bc37401ef963022d97cea141c985e6615a10287f8d02ff
28f3f5a3ea270d9b896fe38b9df79a6ca430f5edab0423b3d834cf8d586f13e6
2d01c32d51e4bbb986255e402da4624a61b8ae960532fbb7bb0d3b0080cb9946
386cf4e151bc7510c3333eb1a5c96ab1b7becd8cfb94bcb76e93458078daf66f
3dba9fbef8f8a42ecfa65022b8a3c54738d15ef67c666272078b58b3c9a0a414
410afc5daebd7b39410b046286b814bb5fb5f9139167cd310bc59cc4461d4083
49b3d9c3bd6b6a13f89f0e849d80531454cc5cd259cbb7c8a806c67cd403575e
5455d104e693445dce5567236f4e047617bae7f09d5ca8699a838c2d17d37fb3
561092877e91f2741ed061cbe7a57d1af552b600c6654ccc588cb6bff7939152
605c2047be7c4a17823ad1fa5c1f94fd105721fce3621dc9148cd3baf352938e
7222c8acc69a7598989c335d528b366f801a41b434cbf928c6aef01f8e54f57a
7caed5f406445c788543f55af6d98a8bc4f0c104e6a51e2564dd37b6a485cc18
9fffabede0ef679970666f04184340437cd70bc8fe870ee8174713ececf32398
b027467332243c8186e59f68ff7c43c9e212d9e5074fedf003febcfedad4381a
b81d2293b43decd5a401487da952deb32cbb53f118882b97b457a14c67029247
c1c4e677b36a2ee6ae858546e727e73cc38c95c9024c724f939178b3c03de906
c9d46c319ed01c183598f7b9a60b9bca34b2eea989f4659e9aa27c7a1bf8681c
e3ef50749f144bfd7f5d7d51aaa9e2332b706c4d8ac130fdc95f50662525f6e0
f1ba626b8181bd1cd84f47f70838d9fa4d8117fac3bd07cbd73cb6f73b1297f8

SHA1:
03cdec4a0a63a016d0767650cdaf1d4d24669795
069ef8443df750e9f72ebe4ed93c3e472a2396e2
07d4bcb5b969a01fb21dc28e5cb1b7ceb05f2912
7bc6c2d714e88659b26b6b8ed6681b1f91eef6af
ac634854448eb8fcd3abf49c8f37cd21f4282dde
bd8c52bb1f5c034f11f3048e2ed89b7b8ff39261
d2d9484276a208641517a2273d96f34de1394b8e
e0caae0804957c5e31c53dd320ca83a5465169c9
e27725074f7bc55014885921b7ec8b5319b1ef8f
ed5b60a640a19afe8d1281bf691f40bac34eba8a
f0215aac7be36a5fedeea51d34d8f8da2e98bf1b
f73e31d11f462f522a883c8f8f06d44f8d3e2f01

MD5:
16a9c2917577e732cd6630b08e248443
1cce0c0d67fe7f51f335a12138698403
43445fbe21cf3512724646a284d3e5d7
4c36c3533a283e1aa199f80e20d264b9
5f9fcbdf7ad86583eb2bbcaa5741d88a
627c2219a80245a25e4fe9843ac2a021
65c320bc5258d8fa86aa9ffd876291d3
7dd1a1a0eefc5a653a30010f475cc37c
a654b3a37c27810db180822b72ad6d3e
b554791b5b161c34b0a7d26e34a88e60
b9dcee839437a917dde60eff9b6014b1
d6fa64f36eab990669f0b81f84b9a78a
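To make the indicator list above usable in a SIEM or a triage script, the following added example (not code from the original post) refangs the indicators as published, classifies each one by type (hashes by digest length), and matches them against a few constructed log records. It loads the network indicators from the post plus three of its hashes; the rest load the same way. One caveat a practitioner should apply: crt[.]sectigo[.]com is Sectigo's public certificate repository, which many legitimately signed binaries contact to build their certificate chain, so treat a hit on it as context alongside the other indicators rather than as a standalone block or alert.

```python
"""Refang, classify and match the defanged indicators from the post.
Added example; not code from the original post."""
import ipaddress
import re
from urllib.parse import urlsplit, urlunsplit

# Indicators copied from the post, as published (defanged), plus three of its hashes.
RAW_IOCS = """
91[.]199[.]212[.]52
49[.]12[.]104[.]241
Crt[.]sectigo[.]com
hxxp://49[.]12[.]104[.]241:81/78.bin
hxxp://49[.]12[.]104[.]241/sm.dll
hxxp://49[.]12[.]104[.]241:81/sm.dll
03cdec4a0a63a016d0767650cdaf1d4d24669795
16a9c2917577e732cd6630b08e248443
072ab57f9db16d9fb92009c8e10b176bd4a2eff01c3bc6e190020cf5a0055505
"""

HEX_RE = re.compile(r"^[0-9a-f]+$", re.IGNORECASE)
URL_RE = re.compile(r"^https?://", re.IGNORECASE)
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Undo the usual defanging conventions: [.] (.) [:] [/] and hxxp://."""
    s = ioc.strip()
    for bad, good in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[/]", "/")):
        s = s.replace(bad, good)
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)


def normalize_url(url: str) -> str:
    """Lower-case scheme and host, leave the (case-sensitive) path alone."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, p.fragment))


def classify(ioc: str) -> str:
    """Return one of: url, md5, sha1, sha256, ipv4, ipv6, domain, unknown."""
    s = refang(ioc)
    if URL_RE.match(s):
        return "url"
    if HEX_RE.match(s):                       # digest type is decided by length
        return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(s), "unknown")
    try:
        return "ipv4" if ipaddress.ip_address(s).version == 4 else "ipv6"
    except ValueError:
        pass
    return "domain" if DOMAIN_RE.match(s) else "unknown"


def load_iocs(raw: str) -> dict:
    """Group refanged, normalised indicators by type: {type: set(values)}."""
    iocs = {}
    for token in raw.split():
        kind, value = classify(token), refang(token)
        if kind in ("domain", "md5", "sha1", "sha256"):
            value = value.lower()             # hostnames and hex digests are case-insensitive
        elif kind == "url":
            value = normalize_url(value)
        iocs.setdefault(kind, set()).add(value)
    return iocs


def match_record(iocs: dict, record: dict) -> list:
    """Return (field, value, ioc_type) hits for one log record. Optional record
    keys: dst_ip, host, url, md5, sha1, sha256. A URL is checked both as an exact
    match and by its host against the IP and domain indicators."""
    hits = []
    for field, kind in (("dst_ip", "ipv4"), ("host", "domain"),
                        ("md5", "md5"), ("sha1", "sha1"), ("sha256", "sha256")):
        v = record.get(field)
        if v and v.lower() in iocs.get(kind, set()):
            hits.append((field, v, kind))
    url = record.get("url")
    if url:
        n = normalize_url(refang(url))
        if n in iocs.get("url", set()):
            hits.append(("url", url, "url"))
        host = urlsplit(n).hostname           # lower-cased, port stripped
        if host and (host in iocs.get("ipv4", set()) or host in iocs.get("domain", set())):
            hits.append(("url", url, "url_host"))
    return hits


def scan(iocs: dict, records: list) -> list:
    """Run match_record over a batch; returns (record_index, hit) pairs."""
    return [(i, hit) for i, rec in enumerate(records) for hit in match_record(iocs, rec)]


# Constructed log records (proxy log lines and an EDR file-hash event), not real data.
SAMPLE_RECORDS = [
    {"src": "10.0.0.23", "dst_ip": "49.12.104.241", "url": "http://49.12.104.241:81/sm.dll"},
    {"src": "10.0.0.23", "dst_ip": "93.184.216.34", "url": "https://example.com/index.html"},
    {"path": r"C:\Windows\sm.dll", "sha1": "03CDEC4A0A63A016D0767650CDAF1D4D24669795"},
]

if __name__ == "__main__":
    for idx, hit in scan(load_iocs(RAW_IOCS), SAMPLE_RECORDS):
        print(idx, hit)
```

Hash-type classification by length alone is fine for a list like this one, but a 32- or 40-character string that happens to be all hex (some file names, some session IDs) will be mis-typed, so keep hash matching on the dedicated hash fields of your telemetry rather than on free text.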