High
Ransomware Egregor is found infecting multiple organizations around the world. The threat group behind this malware seems to operate by hacking into companies, stealing sensitive data, and then running Egregor to encrypt all the files. According to the ransom note, if the ransom is not paid by the company within 3 days, then aside from leaking part of the stolen data, they will distribute it via mass media where the company’s partners and clients will know that the company was attacked. The code seems to be a spinoff of the Sekhmet ransomware (itself named for the Egyptian goddess of healing). The analyzed sample has many anti-analysis techniques in place, such as code obfuscation and packed payloads. Also, in one of the execution stages, the Egregor payload can only be decrypted if the correct key is provided in the process’ command line, which means that the file cannot be analyzed, either manually or using a sandbox, if the exact same command line that the attackers used to run the ransomware isn’t provided. There’s also an “Egregor news” website, hosted on the deep web, which the criminal group uses to leak stolen data. There are at least 13 different companies listed in their “hall of shame”. The ransom note reads: “(In case the payment is done) … You WILL GET full DECRYPTION of your machines in the network, FULL FILE LISTING of downloaded data, confirmation of downloaded data DELETION from our servers, RECOMMENDATIONS for securing your network perimeter.”