CERT-in warns Indian companies about Egregor that sweeps IT system of organisations and steals data

The country's cybersecurity agency CERT-in has alerted users against the malicious spread of ransomware virus 'Egregor' that threatens to release sensitive corporate data of the victim organisation if not paid. The CERT-In or the Indian Computer Emergency Response Team said in the latest advisory that "while the initial infection vector and propagation mechanism is still unknown, it is anticipated that Egregor ransomware may infiltrate via spam email attachments or maliciously crafted link share."

Egregor uses a tactic of siphoning off corporate information and threatening a “mass-media” release of it before encrypting all files. According to an analysis from Appgate, the code seems to be a spinoff of the Sekhmet ransomware. It is named for the Egyptian goddess of healing. A link that was also noted by other researchers. “We found similarities in both Sekhmet and Egregor ransomware. This included obfuscation techniques, functions, API calls and strings, such as %Greetings2target% and %sekhmet_data% changing to %egregor_data%,” Gustavo Palazolo, a security researcher at Appgate, told Threatpost. “Furthermore, the ransom note is also fairly similar.”

What has it attacked yet?

Recently, the group targeted a popular book outlet company Barnes & Noble located in the US. The ransomware group claimed to have stolen unencrypted files and leaked screenshots of two Windows Registry hives as a proof. The organization, also confirmed that affected data included email, shipping, billing, addresses, and purchase history.

Then, the ransomware group targeted a big gaming firm, Ubisoft. The group threatened to leak the source code of Watch Dogs: Legion, a game to be released next month. In addition to this, the ransomware group targeted Crytek. Here they leaked 300 MB of data. The leaked information was related to the development process of games including Arena of Fate and Warface.

What does CERT-in say?

"The modus operandi used is typically breaking into organisations. It steals sensitive data, and running the malware to encrypt their files and (it) threatens 'Mass-Media' release of corporate data if ransom not paid in due time," the advisory stated.

Analysts from CERT-In suggest that the mode of infiltration and the functional mechanism is still under observation, but the virus uses a double extortion tactic which is usually known to be found in NetWalker ransomware. It is very much possible that Egregor may be infiltrating into the computer system via Spam emails and email attachments. There could be random links on sent to the organisation via email or mobile SMS or through any other means.

CERT-In says, "Maintain updated anti-virus software on all systems. Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign."

In cases of genuine URLs, it said, one should close the e-mail and go to the organisation's website directly through the browser. It also suggested that security managers should disable remote desktop connections and employ least-privilege accounts.