A freshly discovered family of ransomware called Egregor has been spotted in the wild. It siphons off corporate information and threatens a “mass-media” release of it before encrypting all files.
Egregor is an occult term meant to signify the collective energy or force of a group of individuals, mostly when they are united toward a common purpose — apropos for a ransomware gang. According to an Applegate analysis, the code seems to be a spinoff of the Sekhmet ransomware (itself named for the Egyptian goddess of healing). Other researchers also noted this link.
“We found similarities in both Sekhmet and Egregor ransomware, such as obfuscation techniques, functions, API calls and strings, such as %Greetings2target% and %sekhmet_data% changing to %egregor_data%,” Gustavo Palazzolo, a security researcher at Applegate, told Threatpost. “Furthermore, the ransom note is also fairly similar.”
As far as other technical details, “The sample we analyzed has many anti-analysis techniques in places, such as code obfuscation and packed payloads,” according to the firm’s research, announced Friday. “Also, in one of the execution stages, the Egregor payload can only be decrypted if the correct key is provided in the process’ command line, which means that the file cannot be analyzed, either manually or using a sandbox if the same command line that the attackers used to run the ransomware isn’t provided.”
Further, “we have found that Egregor can receive additional parameters via command line, such as ‘nomimikatz,’ ‘killed,’ ‘no rename,’ among others,” Palazzolo said. “At the moment, our team is still reverse-engineering the malware to get the whole picture. Furthermore, we will continue to monitor any possible variant emerging from this family.”
Overall, he said, it has the same sophistication level as other ransomware families. However, Egregor implements a high number of anti-analysis techniques, such as code obfuscation and payload encryption.
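As an added illustration (not code from the article or from the researchers quoted), the switches named above can be hunted for in process-creation telemetry, with the full command line preserved because, as described, the payload cannot be decrypted or detonated without it. The Sysmon-like event layout, the sample events and the key-token heuristic are constructed assumptions.

```python
"""Triage process-creation events for the Egregor command-line switches quoted in
the article and preserve the full command line for later sandbox replay.
Event layout is a constructed, Sysmon-like JSON shape (assumption), not a real schema."""
import json
import re

# Switches quoted in the article. The malware's exact spelling is not given, so
# 'no rename' is matched both as two tokens and as the collapsed 'norename'.
EGREGOR_SWITCHES = ("nomimikatz", "killed", "norename")

# Egregor also expects a decryption key on the command line. Its format is
# unknown, so a long opaque token is recorded only as supporting evidence.
_OPAQUE_TOKEN = re.compile(r"^[A-Za-z0-9+/=_]{16,}$")


def score_command_line(cmdline: str) -> dict:
    """Return the known switches found and whether a key-like token is present."""
    tokens = [t.lstrip("-/").lower() for t in cmdline.split()]
    # Single tokens plus adjacent pairs, so 'no rename' becomes 'norename'.
    candidates = set(tokens) | {a + b for a, b in zip(tokens, tokens[1:])}
    hits = [s for s in EGREGOR_SWITCHES if s in candidates]
    key_like = any(_OPAQUE_TOKEN.match(t) for t in tokens)
    return {"switches": hits, "key_like_token": key_like}


def triage_events(ndjson: str) -> list:
    """Parse newline-delimited JSON events; return only those carrying a switch."""
    findings = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        cmd = event.get("CommandLine", "")
        result = score_command_line(cmd)
        if result["switches"]:
            # Keep the verbatim command line: without it the payload stage cannot be
            # decrypted, so neither an analyst nor a sandbox can run the sample.
            findings.append({"image": event.get("Image"), "command_line": cmd, **result})
    return findings


# Constructed sample telemetry: one benign service host, one suspicious launch.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"Image": "C:\\Windows\\System32\\svchost.exe",
                "CommandLine": "svchost.exe -k netsvcs -p -s Schedule"}),
    json.dumps({"Image": "C:\\Users\\Public\\svc.exe",
                "CommandLine": "svc.exe --nomimikatz --killed --no rename "
                               "Qm9ndXNLZXlQbGFjZWhvbGRlcg=="}),
])
```

Running `triage_events(SAMPLE_EVENTS)` returns only the second event, with all three switches listed and the opaque trailing token flagged as key-like.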