The Indian Computer Emergency Response Team (CERT-In) is alerting organisations to be careful about a new ransomware called Egregor. As per CERT-In, the Egregor ransomware breaks into organisations' IT systems, steals sensitive data, runs the malware to encrypt their files, and threatens a “Mass-Media” release of the corporate data if the ransom is not paid in due time.
“It uses double extortion tactics generally used by NetWalker ransomware families. Initial infection vector and propagation mechanism are still unknown; it is anticipated that Egregor ransomware may infiltrate via spam email attachments or maliciously crafted links shared via email/instant messaging chats,” it said.
The ransomware uses several types of anti-analysis techniques, including code obfuscation and packed payloads, which means the malicious code “unpacks” itself in memory as a way to avoid detection by security tools, it added.
Also, the ransomware will not exhibit its functionality during analysis unless it is launched with the exact same command line that the attackers used to run it. This makes it difficult for analysts to analyse samples manually or in a sandbox environment. “It appends a string of random characters as the new extension of each encrypted file and creates the ‘RECOVER-FILES.txt’ text file/ransom note in all folders that contain encrypted files,” alerted CERT-In.
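The two on-disk indicators CERT-In describes, the ransom note dropped in every affected folder and the random-character extension appended to encrypted files, can be turned into a simple sweep for responders checking file shares. The script below is an added example, not CERT-In's code: the note file name comes from the advisory, while the allow-list of "known" extensions and the sample directory tree are constructed assumptions for the demonstration.

```python
"""Sweep a directory tree for the Egregor ransom-note indicator described by CERT-In.

Added example, not CERT-In's code. The only indicator taken from the advisory
is the note file name 'RECOVER-FILES.txt' dropped in every folder holding
encrypted files; the extension heuristic (files whose extension is not in an
allow-list the operator maintains) is an assumption of this script.
"""
import os
import tempfile

NOTE_NAME = "RECOVER-FILES.txt"
# Assumed allow-list; a real deployment would derive it from the shares it protects.
KNOWN_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".csv"}


def scan_tree(root):
    """Return {folder: [file names with unknown extensions]} for every folder
    under root that contains the ransom note. Folders without the note are skipped,
    so an odd extension on its own never produces a hit."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if NOTE_NAME not in filenames:
            continue
        suspicious = sorted(
            name for name in filenames
            if name != NOTE_NAME
            and os.path.splitext(name)[1].lower() not in KNOWN_EXTENSIONS
        )
        hits[os.path.relpath(dirpath, root)] = suspicious
    return hits


def build_sample_tree(root):
    """Constructed sample data: one clean folder and one folder that looks encrypted."""
    clean = os.path.join(root, "finance")
    hit = os.path.join(root, "hr")
    os.makedirs(clean)
    os.makedirs(hit)
    for name in ("budget.xlsx", "notes.txt"):
        open(os.path.join(clean, name), "w").close()
    # Random-looking extensions are made up here to mimic the behaviour the advisory describes.
    for name in ("payroll.docx.kPq7Xz", "contracts.pdf.Ab3Wq", NOTE_NAME):
        open(os.path.join(hit, name), "w").close()


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for folder, files in demo().items():
        print(f"ransom note in '{folder}': {len(files)} files with unknown extensions -> {files}")
```

Point `scan_tree` at a mounted share to get a folder-by-folder view of how far encryption reached; because the note is required before any file is reported, the allow-list only needs to be good enough to avoid noise inside already-confirmed folders.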
CERT-In is recommending the standard protocols that apply to safeguarding against most ransomware out there. This includes establishing Domain-based Message Authentication, Reporting, and Conformance (DMARC), DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) for your domain, along with other common safety protocols.
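Since the suspected infection vector is email, the SPF, DKIM and DMARC records CERT-In recommends are only useful if they are published with enforcing values. The linter below is an added example, not part of the CERT-In advisory: it checks a set of TXT records for the weaknesses that most often leave a domain spoofable (an SPF record ending in `+all`, a DKIM record with an empty key, a DMARC policy of `none` with no reporting address). The records for `example.com` are constructed, and the DKIM key value is a placeholder; in practice you would fetch the real records from `example.com`, `selector._domainkey.example.com` and `_dmarc.example.com`.

```python
"""Lint SPF, DKIM and DMARC TXT records before (or after) publishing them.

Added example, not part of the CERT-In advisory. All records below are constructed
for an imaginary domain. The checks follow the published specifications: SPF must
end in a failing 'all' mechanism and stay within RFC 7208's 10 DNS-lookup limit,
DKIM must carry a public key, DMARC should enforce a policy and report somewhere.
"""

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 section 4.6.4).
DNS_QUERYING = ("include:", "a", "mx", "ptr", "exists:", "redirect=")


def parse_tags(record):
    """Split 'k=v; k=v' style records (DKIM/DMARC) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def check_spf(record):
    findings = []
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return ["SPF: record must start with v=spf1"]
    last = terms[-1]
    if last in ("+all", "all", "?all"):
        findings.append(f"SPF: '{last}' lets any host send as the domain")
    elif last not in ("-all", "~all"):
        findings.append("SPF: record should end with -all or ~all")
    lookups = sum(
        any(t.lstrip("+-~?").startswith(m) for m in DNS_QUERYING) for t in terms[1:]
    )
    if lookups > 10:
        findings.append("SPF: more than 10 DNS-querying terms exceeds the RFC 7208 limit")
    return findings


def check_dkim(record):
    tags = parse_tags(record)
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("DKIM: version tag must be DKIM1 if present")
    if not tags.get("p"):
        findings.append("DKIM: empty p= tag means the key is revoked")
    return findings


def check_dmarc(record):
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record must start with v=DMARC1"]
    findings = []
    if tags.get("p") not in ("quarantine", "reject"):
        findings.append("DMARC: p=none only monitors; use quarantine or reject")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, aggregate reports will be lost")
    return findings


def lint(spf, dkim, dmarc):
    """Return the combined list of findings for one domain's three records."""
    return check_spf(spf) + check_dkim(dkim) + check_dmarc(dmarc)


# Constructed records: a weak set and a corrected set for the imaginary example.com.
WEAK = {
    "spf": "v=spf1 include:_spf.example.net +all",
    "dkim": "v=DKIM1; k=rsa; p=",
    "dmarc": "v=DMARC1; p=none",
}
FIXED = {
    "spf": "v=spf1 include:_spf.example.net -all",
    "dkim": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",  # placeholder, not a real key
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
}

if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("fixed", FIXED)):
        print(f"{label}: {lint(**records) or ['no findings']}")
```

Run it against records pulled from DNS before a change window; an empty list from `lint` is the target state, and each finding names the record and the tag to correct.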