A new ransomware strain is being adopted by a growing number of cybercriminals, who are selecting it as their weapon of choice for encrypting data on vulnerable networks and demanding bitcoin for its safe return.
Known as “Egregor”, the ransomware first raised its head back in September, but since then has earned itself a nefarious reputation. Several successful high-profile attacks have showcased its effectiveness, with targets including games giant Ubisoft and bookselling giant Barnes & Noble.
Expert analysis offered
Intelligence from cybersecurity experts at Digital Shadows shows that Egregor ransomware has claimed over 70 victims across the globe, operating in almost 20 individual industries to date, and indicates that the threat operators are only getting warmed up.
Lauren Palace, an analyst at Digital Shadows, commented on the new ransomware’s complexity:
“The level of sophistication of their attacks, adaptability to infect such a broad range of victims, and significant increase in their activity suggests that Egregor ransomware operators have been developing their malware for some time and are just now putting it to (malicious) use.”
As with many other forms of ransomware, Egregor is money motivated, and to improve the chances of receiving their extortion payments, the gang behind it employs a tactic that is becoming increasingly common on the world stage. After encrypting services and sensitive files, the Egregor ransomware gang threatens its victims, stating that unless payment is forthcoming, the sensitive information exfiltrated during the attack will be exposed publicly. As proof that these claims are not simply empty threats, the attackers publish a piece of stolen information alongside their ransom note online.
Defence against ransomware attacks
Although Egregor’s net has been cast worldwide, with targets hit in multiple industries, threat analysts have recorded a pattern: over one-third of the group’s campaigns appear to seek victims in the services and industrial goods sectors. Experts believe that the recent rise in Egregor ransomware attacks can be attributed to the departure of the Maze ransomware gang from the cybercrime scene. In recent months, signs have suggested that Maze has retired, and the Egregor operators now appear to be stepping into its shoes.
Palace warned businesses of what she sees as a growing threat:
“Given their sophisticated technical capabilities to hinder analysis of malware and target a large variety of organisations across the ransomware landscape, we can only conclude that the Egregor ransomware group will likely continue in the future, posing more and more of a risk to your organisation.”
Enterprises can work towards defending against Egregor ransomware attacks by applying stringent data security controls such as multifactor authentication, ensuring that if usernames and passwords are compromised, an additional barrier is in place to block the attack. The latest patches and security updates must always be applied as soon as they are available, and regular backups maintained offline to safeguard data and allow easy restoration when ransomware attackers strike.
While the Egregor ransomware gang is a relatively new outfit, there is a definite possibility that it has sourced the criminal talent and expertise of former Maze operators to formulate its continuing campaigns.