Regardless of a cybersecurity role in your organization, whether you are a SOC analyst, threat hunter, or CISO, the more you know about the threat landscape relevant to your business and region the better you can protect your assets. But when it comes to ransomware, any big organization can be a target, and you should always be on guard. Especially, given that the major cybercrime trend of 2020 is Big Game Hunting
More and more players join the game, disrupting more and more businesses all around the world. Ransomware itself, as well as attackers' TTPs become increasingly complex, making detection and analysis really tough. One of such ransomware families, that came into the game quite recently, but already managed to «lock» quite outstanding victims, such as Crytek and Barnes & Noble - is Egregor
Recently Group-IB DFIR team observed Egregor ransomware operators actively using Qakbot (aka Qbot)
to gain initial access, just like it was with Prolock
not long ago. The close similarities in TTPs with earlier ProLock campaigns indicate that Qakbot operators have likely abandoned ProLock for Egregor.
Egregor has been actively distributed since September 2020. In less than 3 months Egregor operators have managed to successfully hit 69
companies around the world with 32 targets in the US, 7 victims in France and Italy each, 6 in Germany, and 4 in the UK. Other victims happened to be from the APAC, Middle East, and Latin America. Egregor's favorite sectors are Manufacturing (28.9% of victims) and Retail (14.5%).