Cybercrime , Cybercrime as-a-service , Endpoint Security
Egregor Ransomware Slams HR Firm and Transport Agency
Dutch Staffing Firm, Canadian Public Transportation Agency Still RecoveringA Canadian public transportation agency and a Dutch human resources and staffing firm are both continuing to recover after reportedly being hit by Egregor ransomware.
See Also: Gartner Guide for Digital Forensics and Incident Response
Amsterdam-based Randstad says that attackers wielding Egregor ransomware also stole corporate data and have begun to leak it.
In a separate incident, Vancouver TransLink, the Canadian city's public transportation agency, says an Egregor attack resulted in customers being unable to use their transportation cards or buy tickets at the agency's kiosks. But other transportation systems were unaffected by the attack.
“Customers can once again use credit cards and debit cards at Compass vending machines and Tap to Pay fare gates. Customers who recently purchased monthly passes or stored value will soon see the credit loaded onto their Compass Card.” —TransLink CEO Kevin Desmond— TransLink BC | Masks Mandatory (@TransLink) December 4, 2020
Teardown: Egregor
Egregor is a relatively new type of crypto-locking malware that researchers first spotted in September. Since then, the ransomware's operators have hit an estimated 70 organizations across 16 different countries. In some cases, operators have demanded ransoms of up to $4 million, says cybersecurity firm Group-IB (see: Qbot Banking Trojan Now Deploying Egregor Ransomware).
To try and force more victims to pay, Egregor is one of a number of operations that exfiltrates data before crypto-locking systems and then threatens to leak the data unless it receives a ransom. The now-defunct Maze group began using this tactic in November 2019, after which more than a dozen other operators followed suit.
Brett Callow, a threat analyst at security firm Emsisoft, noted that since September, attacks associated with Egregor have increased at a rapid pace - a likely result of Maze gang claiming to have retired around the same time.
"The Egregor operation has been quite prolific, amassing victims at an unprecedented rate," Callow tells Information Security Media Group. "The most likely explanation for this is that former Maze affiliates have moved across, taking with their lists of networks that had been compromised but not yet encrypted. It’s also quite likely that Egregor is being operated by the same people that were behind Maze. It emerged around the same time the Maze operation was abandoned, and they share many similarities."
Attackers Hit Randstad
Officials at Dutch firm Randstad have confirmed that the company suffered a ransomware attack but have declined to specify when it occurred or the extent of the damage, except to say that the crypto-locking malware hit a "limited number of servers."
The Egregor ransomware operators also exfiltrated corporate data pertaining to operations in the U.S., Poland, France and Italy, and have published some of this information, the company says.
"They have now published what is claimed to be a subset of that data," Randstad says. "The investigation is ongoing to identify what data has been accessed, including personal data, so that we can take appropriate action with regard to identifying and notifying relevant parties."
Randstad employs about 38,000 people worldwide and reported 2019 revenues of 23.7 billion euros ($28.7 billion). The firm has not said if it has been contacted by the ransomware gang or the amount of any ransom demand. A company spokesperson, reached on Monday, declined further comment.
Vancouver TransLink Falls Victim
Vancouver TransLink says it was hit by a ransomware outbreak on Tuesday. Local news reporters published a printout of the ransom note sent to officials. Unnamed sources have told local reporters that the city does not intend to pay.
Ransom letter that’s been rolling off the printers at @TransLink.
Sources tell me, at this point, @TransLink does NOT intend to pay.
But a cyber security expert we spoke to says this is a sophisticated new type of ransomware attack... and many victims do pay.@GlobalBC pic.twitter.com/2tYLy4lZkG— Jordan Armstrong (@jarmstrongbc) December 4, 2020
While Vancouver TransLink declined to specify the type of ransomware used against it, Bleeping Computer reports that, based on an analysis of the published ransom note, the malware appears to be Egregor.
Potential Successor to Maze
Egregor has been tied to more than 70 attacks worldwide since September, with the majority taking place within the U.S., security firm Digital Shadows reports.
Egregor's operators have developed multiple methods to hide their tactics and techniques and have also made the source code difficult to analyze.
"Our researchers have found that the Egregor malware maintains multiple anti-analysis techniques such as code obfuscation and packed payloads, making it challenging to analyze the malware," Digital Shadows reports. "More specifically, Windows application programming interfaces are leveraged to encrypt the payload data. Unless security teams can present the correct command-line argument, then the data cannot be decrypted, and the malware cannot be analyzed."
Group-IB, meanwhile, reports that, based on its analysis of Egregor's source code, there are multiple similarities to Maze ransomware. Experts say Maze is now defunct, but that many of its affiliates appear to have been handed off to Egregor, suggesting that there may be ties between the two operations (see: More Ransomware-as-a-Service Operations Seek Affiliates).