Recently, the Egregor malware is found to be threatening its victims by leaking the data on mass media platforms. Read on to know more…
Ransomware operators are continuously adapting new tactics to force their victims into paying a ransom. A few days ago, SunCrypt ransomware operators started targeting their victims with DDoS attack threats to pressurize them. Now, the new ransomware Egregor, which is reportedly a spin-off of Sekhmet ransomware, is threatening its victims by leaking the data on mass media platforms.
The Egregor Ransomware
Researchers from Appgate Labs have disclosed that the Egregor ransomware, which has been targeting companies worldwide, is threatening to leak their corporate information on social media platforms where it would be visible to their customers and partners.
The Egregor ransomware is suspected to be a spin-off of the Sekhmet ransomware as they have several similarities, including API calls, functions, obfuscation techniques, and a similar ransom note. The ransomware demands the payment within three days and threatens to leak the sensitive data on its own Egregor news website, as well as on social media platforms.
The Egregor news website lists a total of 13 victims in their hall of shame, including the French logistic company GEFCO. The samples of this malware have been located in Italy, France, Mexico, Germany, Japan, Saudi Arabia, and the U.S.
Stealth Features
The Appgate analysts noted that the Appgate ransomware uses several types of anti-analysis techniques, including code obfuscation and packed payloads, which means the malicious code “unpacks” itself in memory as a way to avoid detection by security tools. Without the right decryptor key, it’s difficult to analyze the full ransomware payload to learn additional details about how the malware works, the analysts say.
“The Egregor payload can only be decrypted if the correct key is provided in the process’ command line, which means that the file cannot be analyzed, either manually or using a sandbox, if the exact same command line that the attackers used to run the ransomware isn’t provided,” according to the alert.
Recent Attacks
Sekhmet, the ransomware that attacks Windows-based devices, has been identified targeting several organizations recently. In late-June, Sekhmet malware targeted a Connecticut-based legal firm CBK Law (Coles, Baldwin, Kaiser & Creager). Around the same time, Sekhmet targeted SilPac, the California-based gas handling solutions company, and released an archive of their data.
At the beginning of June, Sekhmet operators claimed to have targeted Excis, an international IT firm.
Concluding Words
Modern ransomware families such as Egregor, Sekhmet, and SunCrypt often do not use any out-of-the-box techniques to target their victims. They are using basic methods such as unpatched vulnerabilities or malicious spam emails. Therefore, experts recommend patching all the applications regularly and using spam filters as the first line of defense against such threats.