FBI Issues Ransomware Warning of Egregor Attacks on Businesses Globally

The agency said the malware has already compromised more than 150 organizations and provided insight into its ransomware-as-a-service behavior.
globe
The agency issued an advisory (PDF) that also shed new light and identifies the innerworkings of the prolific malware, which has already been seen wreaking indiscriminate havoc against various types of organizations. Bookseller Barnes & Noble, retailer Kmart, gaming software provider Ubisoft and the Vancouver metro system Translink all are known victims of the ransomware.

Egregor — the name of which refers to an occult term meant to signify the collective energy or force of a group of individuals–is indeed the work of a “large number of actors” and is operating as a ransomware-as-a-service model, according to the FBI.

“Because of the large number of actors involved in deploying Egregor, the tactics, techniques and procedures (TTPs) used in its deployment can vary widely, creating significant challenges for defense and mitigation,” the FBI said.

The FBI noted the ” number of ways” Egregor compromises business networks, “including targeting…employee personal accounts that share access with business networks or devices.” It also spreads via phishing emails with malicious attachments, or exploits for remote desktop protocol (RDP) or VPNs, the agency said.

Once access is gained, threat actors can move laterally inside networks. Egregor ransomware affiliates have been observed using common pen-testing and exploit tools like Cobalt Strike, Qakbot/Qbot, Advanced IP Scanner and AdFind to escalate privileges and make lateral moves across a network, as well as tools like Rclone — sometimes renamed or hidden as “svchost” — and 7zip to exfiltrate data, according to the FBI.

Corroborating what security researchers already have observed, the FBI said it first identified Egregor in September and said that since then, the threat actors behind the malware have worked quickly.

The document also describes what the typical modus operandi of Egregor looks like to victims, behavior also already observed in known and publicized attacks. In addition to engaging in typical ransomware behaviors, such as exfiltrating and encrypting files on the network as well as leaving a ransom note on machines to instruct victims how to communicate with threat actors via an online chat, Egregor also has a unique feature, the FBI noted.

“Egregor actors often utilize the print function on victim machines to print ransom notes,” the agency wrote in the document. Indeed, the group at this time the only known ransomware to run scripts that cause printers at the organization to continuously print out the ransom note, a behavior captured on video and posted to Twitter during an attack on South American retailer Cencosud in mid-November.

If victims refuse to pay, Egregor publishes victim data to a “public site,” the FBI noted. However, the agency—like many security experts–encourages organizations not to pay the ransom, as it “emboldens adversaries to target additional organizations, encourages other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities,” the agency said.

Paying the ransom also does not guarantee that a victim’s files will be recovered, another well-known outcome of ransomware attacks, the FBI said.

“However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees and customers,” the agency said, encouraging organizations to report ransomware incidents to their local FBI field offices whether they decide to pay the ransom or not.

Author:

Picture of Michael Duff

Michael Duff

Leave a Replay

Search

Our Latest News

FL Computer Tech is best choice for Managed-IT in Florida but what about the rest of the US? Choosing the right Managed Service Provider, aka MSP, is a daunting and critical responsibility and that’s why we created the  OutSourced MSP website.  OutSourced MSP is a Managed Service Provider directory website that helps businesses nationwide find reputable, Managed-IT services. Check it out!

Recent Posts

AddOn – AI and ML Connectivity Brochure

As AI environments scale, connectivity issues can impact performance and efficiency. ⚡ This brochure highlights @AddOn transceivers and cabling solutions validated for compatibility across leading platforms and real-world deployments. Take a closer look at connectivity designed to support reliable AI and ML performance at scale.

Read More »

Upgrade to the power of Windows 11 with Intel vPro

⏳ It’s time to upgrade. Download the datasheet, “Upgrade to the power of Windows 11 with Intel vPro,” for an overview of features in Windows 11 Pro with Intel vPro that reduce security incidents by 62% and speed workflows by 50%. Then, message us to start planning your upgrade with expert support. @Microsoft Windows

Read More »

Transitioning from Windows 10: A Strategic Guide

Successful upgrades start with a foundation you can trust. 🛡️ The eBook, “Transitioning from Windows 10: A Strategic Guide,” explains how Copilot+ PCs with Intel vPro simplify deployment and endpoint security. Download your complimentary copy to explore how your organization can move forward with the highest levels of security and manageability. @Microsoft Windows @Microsoft Copilot

Read More »

Follow Us

Video Archive

Sign up for our Newsletter

Looking for the latest in technology news? Do you like tips, tricks and shortcuts? Sign up today!

Looking for the Best Managed-IT Business Solutions?

Need immediate computer support? A certified technician is only a call and a click away.

Subscribe our newsletter to get our latest update & news

3501 Quadrangle Blvd
Suite #305
Orlando, FL 32817

1-(941) 564-5464

Open Hours:

Mon - Sat: 8 am - 5 pm,
Sunday: CLOSED
24/7 Emergency Services Available