Egregor: A New Ransomware – CERT-IN warns Indian Companies

Egregor: A New Ransomware – CERT-IN warns Indian Companies

Egregor: A New Ransomware – CERT-IN warns Indian Companies:

Egregor is a ransomware that belongs to Sekhmet malware family. It has been active since September of this year. This ramsomware group hacks into organizations, steal data and installs malware to encrypt their files and threatens “Mass Media” release of corporate data if ramsom is not paid within the stipulated time. Recently, this malware group targeted a book outlet company “Barnes & Noble” in USA.

Analysts from CERT-In (Computer Emergency Response Team of India) suggest that the mode of infiltration and the functional mechanism is still under observation, but the virus uses a double extortion tactic which is usually known to be found in NetWalker ransomware. It is very much possible that Egregor may be infiltrating into the computer system via spam emails and email attachments. The hackers may be using links sent to the organisation via email or mobile SMS or through any other means.

CERT-In has also revealed some other operations of the ransomware if it enters into an organization’s IT system. Egregor does not initiate its functionalities when the computer system is running a security analysis program to detect any ransomware until the exact same command has been given that the attackers uses to initiate the malicious software. This intelligent operation makes it extremely difficult for the IT analysts to analyze Egregor samples manually or in a made-up environment.

A technical operation that it undergoes is to append random characters from encrypted files, to create a brand new extension and name it as “RECOVER_FILES.txt” text on all files and folders that have been previously encrypted, warned CERT-In.

Image: Screenshot of the Egregor ransomware website

Various similarities have been found between the Sekhmet and Egregor ransomware samples, like the obfuscation techniques, functions, API calls and strings, such as %Greetings2target% and %sekhmet_data% changing to %egregor_data%. The ransom note left on the affected system is also familiar.

What is the Solution?
The Computer Emergency Response Team of India is warning as many organizations as possible that could be a victim to this new ransomware. It is advising these organizations to adhere to the standard protocols and safeguards against ransomware which include Conformance, Reporting, Sender Policy Framework (SPF), DomainKeys Identified Mail, Domain Message Authentication etc.

CERT-In being the Cyber Police of India is searching for the origin of the Egregor ransomware and is coming up with new safety protocols to protect the organization’s private and sensitive information.

Best Practices for Prevention of Ransomware:

  • Keep regular backups of all the important data and store it offline.
  • Ensure integrity of the codes /scripts being used in database, authentication and sensitive systems.
  • Keep the operating system third party applications (MS office, browsers, browser Plugins) up-to-date with the latest patches.
  • Maintain updated antivirus software on all the systems.
  • Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail.
  • Follow safe practices when browsing the web. Ensure that the web browsers are secured enough with appropriate content controls.
  • Disable Remote Desktop Connections.
  • Use personal firewall and VPN on the devices you use.
  • Follow safe practices when browsing the web.
  • Disable ActiveX content in Microsoft Office applications such as Word, Excel, etc.