Qbot Banking Trojan Now Deploying Egregor RansomwareResearchers: Attacks Linked to Egregor Have Increased Since September
The operators behind the Qbot banking Trojan are now deploying a recently uncovered ransomware variant called Egregor, according to researchers at Singapore-based cybersecurity firm Group-IB.
Since September, the Egregor ransomware variant has targeted at least 69 companies in 16 countries around the world. The crypto-locking malware has also developed a reputation for "big-game hunting" attacks, with the operators demanding $4 million or more from victims, according to the Group-IB analysis.
Qbot, also known as Qakbot, first surfaced in 2008. The malware has been primarily deployed to steal banking data and credentials. Over the years, however, its operators have made adjustments to its source code to allow Qbot to deploy other types of malware, security researchers say (see: Qbot Banking Trojan Now Hijacks Outlook Email Threads).
Previously, the operators behind Qbot distributed ransomware called ProLock. The Group-IB report notes, however, that starting in September, the cybercriminals switched to Egregor.
Egregor is the latest ransomware strain that uses a "hack-and-leak" strategy, where the cybercriminal gang threatens to leak the victims' stolen data if the ransom demands are not met within a certain time. Other groups that are known to use this strategy are the now-defunct Maze group, which first popularized the tactic, and Sodinokibi, also known as REvil (see: Egregor Ransomware Adds to Data Leak Trend).
It's unclear why the Qbot operators switched to Egregor, but the Group-IB researchers note one possibility could be the desire to capitalize on the effectiveness of the hack-and-leak tactics. Egregor has been linked to several high-profile incidents, including attacks against Barnes & Noble, Canon USA, Crytek and Ubisoft.
"In less than three months, Egregor operators have managed to successfully hit 69 companies around the world, with 32 targets in the U.S., seven victims in France and Italy each, six in Germany, and four in the U.K.," the Group-IB report notes.
The Group-IB report says the latest Qbot campaign typically starts with phishing emails that contain malicious Microsoft Excel documents designed to look like DocuSign-encrypted spreadsheets. If the documents are opened, the Egregor ransomware is installed within the device.
The operators behind Egregor use legitimate penetration testing tools, such as Cobalt Strike, to help laterally spread through the victim's network to steal and encrypt the data. The ransomware also uses Rclone, an open-source cloud hosting platform, for data exfiltration.
"The decryption of the final payload is based on the command-line provided password, so it is impossible to analyze Egregor if you don’t have command-line arguments provided by the attacker," according to the report. "Egregor operators use the combination of ChaCha8 stream cipher and RSA-2048 for file encryption."
Although many of the tactics and techniques deployed by Egregor resemble ProLock, its source code is similar to that of Maze ransomware, Group-IB says. This is because an increasing number of Maze partners are joining Egregor, leading to an overlap between Egregor and Maze infrastructures.
"It's important to note that the fact many Maze partners started to move to Egregor will most likely result in the shift in the [tactics, techniques, and procedures], so defenders should focus on known methods associated with Maze affiliates," Oleg Skulkin, a senior analyst at Group-IB, notes in the report.
With ransomware developers increasingly offering their malicious tools through renting or service models, criminal groups are hiring more affiliates to help distribute the malware and carry out attacks, which increases profit margins for the operators who control the larger operations (see: More Ransomware-as-a-Service Operations Seek Affiliates).
"We have seen the creation of multiple ransomware variants and data leak sites every month, and this trend is likely to continue due to the high popularity of ransomware and ransomware-as-a-service (RaaS) variants," Ivan Righi, cyber threat intelligence analyst at security firm Digital Shadows, tells Information Security Media Group.
Because a common tactic for many ransomware groups is to target vulnerabilities in Remote Desktop Protocol connections used in Windows devices, Righi says organizations should restrict RDP access behind a gateway to help prevent attacks.
Since these groups are prolifically advertising their services and toolkits, the number of attacks is likely to surge in the coming months, says Daniel Norman, senior analyst at the London-based Information Security Forum.
"Organizations should have an incident response or crisis management plan for ransomware events, knowing who to contact and what to do," Norman says. "This should be regularly rehearsed so that if ransomware hits, the organization can recover swiftly. Payment of a ransom is also a contentious discussion - in many cases, the ransom may be cheaper than replacing a suite of locked devices. Therefore, it becomes a cost decision. However, you can never trust that the attacker will unlock the devices, making it a gray area."