Regardless of your cybersecurity role in your organization, whether you are a SOC analyst, threat hunter, or CISO, the more you know about the threat landscape relevant to your business and region, the better you can protect your assets. But when it comes to ransomware, any big organization can be a target, and you should always be on guard, especially given that the major cybercrime trend of 2020 is Big Game Hunting.
More and more players are joining the game, disrupting more and more businesses all around the world. Ransomware itself, as well as the attackers' TTPs, is becoming increasingly complex, making detection and analysis really tough. One such ransomware family, which came into the game quite recently but has already managed to "lock" some high-profile victims, such as Crytek and Barnes & Noble, is Egregor.
Recently, the Group-IB DFIR team observed Egregor ransomware operators actively using Qakbot (aka Qbot) to gain initial access, just as was the case with ProLock not long ago. The close similarities in TTPs with earlier ProLock campaigns indicate that the Qakbot operators have likely abandoned ProLock in favor of Egregor.
Egregor has been actively distributed since September 2020. In less than 3 months, Egregor operators have managed to successfully hit 69 companies around the world, with 32 targets in the US, 7 victims each in France and Italy, 6 in Germany, and 4 in the UK. Other victims were located in APAC, the Middle East, and Latin America. Egregor's favorite sectors are Manufacturing (28.9% of victims) and Retail (14.5%).
Given the increased activity of Egregor operators and the gang's focus on big firms, we decided to release this "emergency" blog post to help cybersecurity teams identify and hunt for this threat actor. This blog post dives into recent Qakbot campaigns, the TTPs employed by the threat actors during their Big Game Hunting operations, and an in-depth analysis of the Egregor ransomware.
Read more at the source: https://www.group-ib.com/blog/egregor