
A new malware strain, Egregor, is sweeping across the world, and the FBI has published an advisory about it. Egregor first appeared on the FBI’s radar in the last quarter of 2020 and is a standard Ransomware-as-a-Service (“RaaS”) style malware. What makes Egregor harder to deal with is the large number of threat actors deploying it: this makes it harder to track down the source of the malware and the infrastructure supporting it (assuming that each actor supplies its own infrastructure rather than relying on infrastructure it has rented).
The FBI advisory notes that, like the overwhelming majority of malware attacks, Egregor infiltrates a system via phishing emails – further hammering home the importance of training individuals to recognize malicious communications. Once inside a network, Egregor can use remote desktop programs to spread to other connected devices. It also uses instant messaging applications to urge the owner of an infected device to pay the ransom, and in some cases it may have printers on the network print out the ransom note as well.
Like other ransomware, Egregor first encrypts and exfiltrates data from infected devices before making the owner aware of itself. Should the victim fail to pay, Egregor threatens to upload their data to a “public” website. It is currently unclear what this website would be, or what data Egregor will upload should the ransom go unpaid. Because Egregor is operated by multiple actors, it may be difficult to establish a standard ransom or a single website where a victim’s data is posted.