The Indian Computer Emergency Response Team (CERT-In) is warning organizations about a new ransomware called Egregor. According to CERT-In, Egregor breaks into an organization’s IT systems, steals sensitive data, runs the malware to encrypt files, and then threatens a “Mass-Media” release of the stolen corporate data if the ransom is not paid in time.
“It uses double extortion tactics generally used by NetWalker ransomware families. Initial infection vector and propagation mechanism are still unknown; it is anticipated that Egregor ransomware may infiltrate via spam email attachments or a maliciously crafted link shared via email/instant messaging chats,” it said.
The ransomware uses several anti-analysis techniques, including code obfuscation and packed payloads: the malicious code “unpacks” itself in memory so that security tools never see the decoded payload on disk, it added.
It also will not exhibit its functionality under analysis unless it is run with the exact same command line that the attackers used to launch the ransomware, which makes it difficult for analysts to examine samples manually or in a sandbox environment. “It appends a string of random characters as the new extension of each encrypted file and creates the ‘RECOVER-FILES.txt’ text file/ransom note in all folders that contain encrypted files,” alerted CERT-In.
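The ransom note and extension behaviour CERT-In describes are the on-disk indicators a defender can sweep for. The following is an added example, not code from the advisory: it walks a directory tree, reports every folder that holds a RECOVER-FILES.txt note, and lists the file extensions sitting next to it so that unfamiliar, random-looking extensions stand out for triage. The sample tree, the extension name "qpwxa" and the known-good extension list are constructed for the demo; in real use you would point scan_for_ransom_notes() at a file share and feed the results to your ticketing or EDR tooling.

```python
"""Sweep a directory tree for the ransom-note indicator described in the CERT-In alert.

Added example (not from the advisory). The tree built by build_sample_tree()
is constructed in a temporary directory so the script runs offline.
"""
import os
import shutil
import tempfile
from collections import Counter

NOTE_NAME = "RECOVER-FILES.txt"  # ransom note file name quoted in the CERT-In alert


def scan_for_ransom_notes(root, note_name=NOTE_NAME):
    """Walk root and return {directory: Counter(extension -> count)} for every
    directory that contains the ransom note. The counter covers the other files
    in that directory, which are the ones most likely to have been encrypted."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        if note_name not in files:
            continue
        exts = Counter()
        for name in files:
            if name == note_name:
                continue
            ext = os.path.splitext(name)[1].lstrip(".").lower()
            exts[ext or "<none>"] += 1
        hits[dirpath] = exts
    return hits


def suspicious_extensions(hits, known=("txt", "docx", "xlsx", "pdf", "jpg", "png", "log", "csv")):
    """Extensions seen beside a ransom note that are not on a known-good list.
    Egregor appends a random string as the new extension, so an unfamiliar
    extension next to a note is worth triage. This is a heuristic, not proof
    that the file is encrypted; the known list is a constructed placeholder."""
    flagged = set()
    for exts in hits.values():
        for ext in exts:
            if ext not in known and ext != "<none>":
                flagged.add(ext)
    return flagged


def build_sample_tree():
    """Constructed sample: two folders hit by a note plus random extensions, one clean folder."""
    root = tempfile.mkdtemp(prefix="ransomnote-demo-")
    layout = {
        "finance": ["budget.xlsx.qpwxa", "q3.pdf.qpwxa", NOTE_NAME],
        "hr": ["staff.docx.qpwxa", NOTE_NAME],
        "public": ["readme.txt", "logo.png"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            with open(os.path.join(root, folder, name), "w") as fh:
                fh.write("constructed sample content\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    try:
        found = scan_for_ransom_notes(sample_root)
        for directory, exts in found.items():
            print(f"ransom note in {directory}: extensions {dict(exts)}")
        print("unfamiliar extensions beside notes:", suspicious_extensions(found))
    finally:
        shutil.rmtree(sample_root)
```

The scan keys on the note name rather than on file entropy because the note is the indicator the alert actually names; treating the random extension as a secondary signal keeps false positives down on shares full of legitimate but unusual file types.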
CERT-In is recommending the standard safeguards that apply against most ransomware. These include establishing Domain-based Message Authentication, Reporting, and Conformance (DMARC), DomainKeys Identified Mail (DKIM), and Sender Policy Framework (SPF) for your domain, along with other common safety protocols.
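Publishing SPF, DKIM and DMARC records only helps if the records are not left in a permissive state, which is the usual gap when organizations "establish" them in response to an advisory like this one. The following is an added example, not part of CERT-In's guidance: it parses record strings of the three kinds and flags the weak settings that undermine the control (an SPF record ending in "+all" or "?all", a DMARC policy of "none", a revoked or test-mode DKIM key). The record strings, the domain example.com and the IP range are constructed samples rather than live DNS lookups, so the script runs offline; in practice you would feed it the TXT records returned by your resolver.

```python
"""Check SPF, DKIM and DMARC records for the weak settings that defeat them.

Added example (not from the CERT-In advisory). All records below are
constructed samples for a hypothetical domain, not live DNS data.
"""
import re

# Constructed sample records (example.com / 203.0.113.0/24 are documentation ranges).
WEAK_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net ?all"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"
REVOKED_DKIM = "v=DKIM1; k=rsa; p="
TESTING_DKIM = "v=DKIM1; k=rsa; t=y; p=PLACEHOLDERBASE64KEY"
GOOD_DKIM = "v=DKIM1; k=rsa; p=PLACEHOLDERBASE64KEY"

_SPF_TERM = re.compile(r"^([+\-~?])?(all|ip4|ip6|a|mx|include|exists|ptr|redirect)(?:[:=](.*))?$", re.I)
_DNS_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_spf(record):
    """Return (mechanisms, all_qualifier) for an SPF TXT record, or None if it is not SPF."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        m = _SPF_TERM.match(term)
        if not m:
            continue  # unknown modifiers are ignored by receivers as well
        qualifier = m.group(1) or "+"  # a missing qualifier means "+" (pass)
        name = m.group(2).lower()
        if name == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, name, m.group(3)))
    return mechanisms, all_qualifier


def spf_findings(record):
    """List the weaknesses in an SPF record; an empty list means no finding."""
    parsed = parse_spf(record)
    if parsed is None:
        return ["no SPF record"]
    mechanisms, all_q = parsed
    findings = []
    if all_q is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_q in ("+", "?"):
        findings.append(f"'{all_q}all' lets any host pass or be neutral; use -all or ~all")
    # RFC 7208 limits DNS-querying mechanisms to 10; more yields a permerror.
    lookups = sum(1 for _, name, _ in mechanisms if name in _DNS_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10")
    return findings


def parse_tags(record):
    """Split a 'k=v; k=v' DMARC or DKIM record into a dict with lower-case keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # base64 padding '=' stays in the value
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record):
    """List the weaknesses in a DMARC record; an empty list means no finding."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; move to quarantine or reject")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or '<missing>'} is not a valid policy")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    pct = tags.get("pct")
    if pct is not None and pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail")
    return findings


def dkim_findings(record):
    """List the weaknesses in a DKIM selector record; an empty list means no finding."""
    tags = parse_tags(record)
    findings = []
    if tags.get("v", "DKIM1").upper() != "DKIM1":  # v= is optional but must be DKIM1 if present
        findings.append("unexpected v= tag")
    if not tags.get("p"):
        findings.append("empty p= tag: key is revoked, signatures will not verify")
    if "y" in tags.get("t", "").lower().split(":"):
        findings.append("t=y marks the key as testing; verifiers may ignore failures")
    return findings


if __name__ == "__main__":
    for label, rec, fn in (("SPF", WEAK_SPF, spf_findings), ("DMARC", WEAK_DMARC, dmarc_findings),
                           ("DKIM", REVOKED_DKIM, dkim_findings)):
        print(label, rec, "->", fn(rec) or "ok")
```

Run the three checkers against the records your resolver returns for the apex domain, the _dmarc subdomain and each DKIM selector; a clean result is the baseline, and any finding is a concrete change to make before relying on the control.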