Ransomware: This new variant could be the next big malware threat to your business

Egregor is gaining traction after only emerging in September - and researchers warn this ransomware family is only just getting started.
Written by Danny Palmer, Senior Writer

A new form of ransomware is becoming increasingly prolific as cyber criminals turn to it as a preferred means of encrypting vulnerable networks in an effort to exploit bitcoin from victims.

Egregor ransomware first emerged in September but has already become notorious following several high-profile incidents, including attacks against bookseller Barnes & Noble, as well as video game companies Ubisoft and Crytek.

According to cybersecurity researchers at Digital Shadows, Egregor ransomware has already claimed at least 71 victims across 19 different industries around the world – and it's likely the group behind it is only just getting started after meticulously planning their activities.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic) 

"The level of sophistication of their attacks, adaptability to infect such a broad range of victims, and significant increase in their activity suggests that Egregor ransomware operators have been developing their malware for some time and are just now putting it to (malicious) use," said Lauren Palace, analyst at Digital Shadows.

Like all ransomware gangs, the main motive behind Egregor is money and in order to stand the best chance of extorting payment, the gang use what has become a common common tactic following ransomware attacks – threatening to release private information stolen from the severs of victims if they don't pay. In some cases, attackers will release a snippet of information with the ransom note, as proof they mean business.

While Egregor has impacted organisations in a variety of sectors around the world, there seems to be some element of targeting in the attacks – over a third of the campaigns have targeted the industrial goods and services sector and the vast majority of victims across all sectors are in the US.

One of the reasons Egregor has suddenly surged in numbers appears to be because it's filling a gap left open by the apparent retirement of the Maze ransomware gang.

"Given their sophisticated technical capabilities to hinder analysis of malware and target a large variety of organizations across the ransomware landscape, we can only conclude that the Egregor ransomware group will likely continue in the future, posing more and more of a risk to your organization," said Place.

Egregor ransomware is still new, so it isn't yet fully clear how its operators compromise victim networks. Researchers note that the code is heavily obfuscated in a way that seems to be specifically designed to avoid information security teams from being able to analyse the malware.

However, the Digital Shadows analysis does suggest that email phishing could be one of the initial methods of compromise for attacks.

Organisations could go a long way towards protecting themselves against Egregor ransomware and other malware attacks by employing information security protocols like multi-factor authentication, so if a username and password is compromised by attackers, there's an extra barrier that prevents them from exploiting it.

SEE: Ransomware victims aren't reporting attacks to police. That's causing a big problem

It's also highly recommended that organisations apply the latest security patches and updates when they arrive because that prevents cyber criminals being able to exploit known vulnerabilities in order to gain access to networks.

And for an extra layer of protection against ransomware attacks, organisations should regularly made backups of their network and store them offline, so if the worst happens and the network is encrypted, it can be relatively simply restored without giving into the extortion demands of hackers.


Editorial standards