Egregor is a ransomware family, considered part of the Sekhmet malware family, that has been active since mid-September 2020. It targets organizations across the world. The operators break into an organization's network, steal sensitive documents, encrypt data, and then demand a ransom in exchange for decrypting the documents. Allegedly, 52 companies have been breached by this threat actor to date.
Unfortunately, no third-party tool can decrypt files encrypted by this ransomware, because decryption requires a private key that exists only on the attackers' server. The criminals behind Egregor are the only ones holding the decryption software and the key. Part of the ransom note, which tries to pressure the victim into paying, is shown below.
According to the ransom note, if the company does not pay within 3 days, the attackers will not only leak part of the stolen data but also distribute it via mass media, so that the company's partners and clients learn that it was attacked. The analyzed sample uses several anti-analysis techniques, such as code obfuscation and packed payloads. In addition, in one of the execution stages the Egregor payload can only be decrypted if the correct key is supplied on the process's command line. Unless the exact command line the attackers used to launch the ransomware is provided, the file cannot be analyzed, either manually or in a sandbox: without the key, the next stage never decrypts and there is nothing to observe.
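To illustrate why a key passed on the command line defeats both sandboxes and manual unpacking, here is an added example; it is not code from the original article and not Egregor's own loader. It is a toy loader that keeps its second stage encrypted under a key derived from a launch password and only runs it when a marker and checksum validate after decryption. The cipher (a SHA-256 counter keystream), the `PAYL` marker, the CRC32 check, the password and the sample payload are all assumptions for illustration; Egregor's actual algorithm is not described on this page.

```python
import hashlib
import sys
import zlib

# Constructed sample second stage, standing in for the encrypted body a real
# loader would carry. Not an Egregor artefact.
SAMPLE_PAYLOAD = b"STAGE2: encrypt files and drop the ransom note"
MAGIC = b"PAYL"  # assumed marker the loader checks after decryption


def _derive_key(password: str) -> bytes:
    """Assumed key derivation: the launch password hashed with SHA-256."""
    return hashlib.sha256(password.encode()).digest()


def _keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream built from SHA-256; illustrative only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:length])


def pack_payload(plaintext: bytes, password: str) -> bytes:
    """Builder side: prefix the stage with MAGIC and its CRC32, then XOR the
    whole body with a keystream derived from the launch password."""
    body = MAGIC + zlib.crc32(plaintext).to_bytes(4, "little") + plaintext
    ks = _keystream(_derive_key(password), len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def unlock_payload(blob: bytes, password: str):
    """Loader side: decrypt with the password taken from the command line and
    validate. Returns the plaintext, or None when the password is wrong, in
    which case the decrypted bytes are garbage and fail the marker/CRC checks."""
    ks = _keystream(_derive_key(password), len(blob))
    body = bytes(a ^ b for a, b in zip(blob, ks))
    if len(body) < 8 or body[:4] != MAGIC:
        return None
    expected = int.from_bytes(body[4:8], "little")
    plaintext = body[8:]
    if zlib.crc32(plaintext) != expected:
        return None
    return plaintext


if __name__ == "__main__":
    # Usage: python loader_demo.py <password>
    # A sandbox that runs the file without the exact argument the attackers
    # used sees only the "wrong or missing key" branch; the stage never appears.
    blob = pack_payload(SAMPLE_PAYLOAD, "correct-horse")
    supplied = sys.argv[1] if len(sys.argv) > 1 else ""
    stage2 = unlock_payload(blob, supplied)
    if stage2 is None:
        print("wrong or missing key; payload stays opaque")
    else:
        print("stage 2 decrypted:", stage2.decode())
```

The practical consequence for analysts is the one the paragraph above states: the password is not stored in the binary, only consumed from it at runtime, so static unpacking has nothing to recover and a sandbox must be fed the attacker's exact command line (from EDR process-creation telemetry, for example) before the sample will reveal its second stage.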
Below is the list of companies whose data has been leaked by this ransomware threat actor.