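<!doctype html>
<!--[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7" lang="en" > <![endif]-->
<!--[if IE 7]> <html class="no-js lt-ie9 lt-ie8" lang="en" > <![endif]-->
<!--[if IE 8]> <html class="no-js lt-ie9" lang="en" > <![endif]-->
<!--[if gt IE 8]><!--><html class="no-js" lang="en"><!--<![endif]-->
<head>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
  <meta name="author" content="Cybereason Nocturnus">
  <meta name="description" content="Egregor is a newly identified ransomware variant that was first discovered in September, 2020, and has recently been identified in several sophisticated attacks on organizations worldwide, including the games industry giants Crytek and Ubisoft. ">
  <meta name="generator" content="HubSpot">
  <title>Cybereason vs. Egregor Ransomware</title>
  <link rel="shortcut icon" href="https://www.cybereason.com/hubfs/cr-favicon-1.png">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <!-- Social-sharing metadata (Open Graph / Twitter cards) -->
  <meta property="og:description" content="Egregor is a newly identified ransomware variant that was first discovered in September, 2020, and has recently been identified in several sophisticated attacks on organizations worldwide, including the games industry giants Crytek and Ubisoft. ">
  <meta property="og:title" content="Cybereason vs. Egregor Ransomware">
  <meta name="twitter:description" content="Egregor is a newly identified ransomware variant that was first discovered in September, 2020, and has recently been identified in several sophisticated attacks on organizations worldwide, including the games industry giants Crytek and Ubisoft. ">
  <meta name="twitter:title" content="Cybereason vs. Egregor Ransomware">
  <!-- HubSpot-generated helpers: CTA button sizing, breadcrumb menu, featured image, screen-reader-only text -->
  <style> a.cta_button{-moz-box-sizing:content-box !important;-webkit-box-sizing:content-box !important;box-sizing:content-box !important;vertical-align:middle}.hs-breadcrumb-menu{list-style-type:none;margin:0px 0px 0px 0px;padding:0px 0px 0px 0px}.hs-breadcrumb-menu-item{float:left;padding:10px 0px 10px 10px}.hs-breadcrumb-menu-divider:before{content:'›';padding-left:10px}.hs-featured-image-link{border:0}.hs-featured-image{float:right;margin:0 0 20px 20px;max-width:50%}@media (max-width: 568px){.hs-featured-image{float:none;margin:0;width:100%;max-width:100%}}.hs-screen-reader-text{clip:rect(1px, 1px, 1px, 1px);height:1px;overflow:hidden;position:absolute !important;width:1px} </style>
  <!-- Per-module stylesheets for the blog template (header, hero, related posts, sticky CTA, footer) -->
  <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/41681847227/1644941386203/module_41681847227_CR_-_Malicious_Life_Network_--_Tier_One_Header.min.css">
  <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/41682410610/1644941443237/module_41682410610_CR_-_Malicious_Life_Network_--_Main_Hero.min.css">
  <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/43300360745/1724042214535/module_43300360745_CR_-_Malicious_Life_Network_--_Related_Posts.min.css">
  <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/1669911113479/module_86933076631_CR_-_Sticky_CTA_Bar.css">
  <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/34473990280/1704383554067/module_34473990280_CR_-_Footer_Full__en_US.min.css">
  <!-- Added by GoogleTagManager integration -->
  <!-- GTM is not injected on page load. The loader below runs only once the HubSpot
       privacy-consent listener reports consent (or the analytics category), and
       Google Consent Mode v2 defaults every storage type to "denied" until then. -->
  <script>
    var _hsp = window._hsp = window._hsp || [];
    window.dataLayer = window.dataLayer || [];
    function gtag(){dataLayer.push(arguments);}
    var useGoogleConsentModeV2 = true;
    var waitForUpdateMillis = 1000;
    var hsLoadGtm = function loadGtm() {
      // Guard so the gtm.js tag is injected at most once even if the consent listener fires again.
      if(window._hsGtmLoadOnce) { return; }
      if (useGoogleConsentModeV2) {
        gtag('set','developer_id.dZTQ1Zm',true);
        gtag('consent', 'default', { 'ad_storage': 'denied', 'analytics_storage': 'denied', 'ad_user_data': 'denied', 'ad_personalization': 'denied', 'wait_for_update': waitForUpdateMillis });
        _hsp.push(['useGoogleConsentModeV2']);
      }
      // Standard GTM bootstrap: inserts an async script tag before the first script element.
      (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-TJVVB7C');
      window._hsGtmLoadOnce = true;
    };
    _hsp.push(['addPrivacyConsentListener', function(consent){ if(consent.allowed || (consent.categories && consent.categories.analytics)){ hsLoadGtm(); } }]);
  </script>
  <!-- /Added by GoogleTagManager integration -->
  <!-- NOTE(review): versioned CDN assets below (jQuery 3.5.1 from ajax.googleapis.com, Font Awesome 4.7.0
       from cdnjs) carry no integrity attribute, so a substituted asset would execute in this origin; add SRI
       hashes for immutable assets. The Typekit and LinkedIn loaders are dynamic and cannot use SRI, so they
       remain a trust dependency on those origins. -->
  <script src="https://use.typekit.net/vyv2ljd.js"></script>
  <script>try{Typekit.load({ async: false });}catch(e){}</script>
  <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
  <!-- EOT is only consumed by legacy IE; declaring its real MIME type lets modern browsers skip this preload
       instead of fetching a font file they will never use. -->
  <link rel="preload" href="/hubfs/__dam/fonts/ionicons.eot" as="font" type="application/vnd.ms-fontobject" crossorigin>
  <link rel="preload" href="/hubfs/dam/fonts/criteria/Criteria-CF-Regular.woff2" as="font" type="font/woff2" crossorigin>
  <link rel="preload" href="/hubfs/dam/fonts/criteria/Criteria-CF-Medium.woff2" as="font" type="font/woff2" crossorigin>
  <link rel="preload" href="/hubfs/dam/fonts/peristyle/Peristyle-Black.woff2" as="font" type="font/woff2" crossorigin>
  <link rel="amphtml" href="https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware?hs_amp=true">
  <meta property="og:image" content="https://www.cybereason.com/hubfs/dam/images/images-web/blog-images/egregor-blog-card.png">
  <meta property="og:image:width" content="1000">
  <meta property="og:image:height" content="500">
  <meta name="twitter:image" content="https://www.cybereason.com/hubfs/dam/images/images-web/blog-images/egregor-blog-card.png">
  <meta property="og:url" content="https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware">
  <meta name="twitter:card" content="summary_large_image">
  <meta name="twitter:creator" content="@cr_nocturnus">
  <link rel="canonical" href="https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware">
  <meta property="og:type" content="article">
  <link rel="alternate" type="application/rss+xml" href="https://www.cybereason.com/blog/rss.xml">
  <meta name="twitter:domain" content="www.cybereason.com">
  <!-- Explicit https: scheme (was protocol-relative) so the LinkedIn widget is never requested over plain HTTP -->
  <script src="https://platform.linkedin.com/in.js"> lang: en_US </script>
  <meta http-equiv="content-language" content="en">
  <!-- Site-wide template stylesheets; the first one is also pinned to https: rather than protocol-relative -->
  <link rel="stylesheet" href="https://7052064.fs1.hubspotusercontent-na1.net/hub/7052064/hub_generated/template_assets/1732054426091/hubspot/hubspot_default/shared/responsive/layout.min.css">
  <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/34470223313/1696396395659/__CR_Web_Platform/CSS/cr-master__cta.min.css">
  <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/34470477360/1710134689941/__CR_Web_Platform/CSS/cr-master__main.min.css">
  <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/35275979682/1642096258129/__CR_Web_Platform/CSS/ionicons.min.css">
  <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/42760289143/1724041950600/__CR_Web_Platform/CSS/cr-mln__build.min.css">
  <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/34470224480/1635957556830/__CR_Web_Platform/CSS/bulma/cr-framework__bulma-columns.min.css">
  <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/35291999472/1696396871390/__CR_Web_Platform/CSS/bulma/cr-framework__bulma.min.css">
  <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/42363645447/1635957556555/__CR_Web_Platform/CSS/hamburger-animation.min.css">
  <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/42507091846/1635957557027/__CR_Web_Platform/CSS/animate.min.css">
  <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">
  <link rel="preconnect" href="https://fonts.googleapis.com">
  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
  <link href="https://fonts.googleapis.com/css2?family=Inter:wght@100;200;300;400;500;600;700;800;900&display=swap" rel="stylesheet">
  <script src="/hubfs/dam/plugins/marker-animation.js"></script>
  <!-- Highlight-marker effect for .highlight spans. NOTE(review): this and the other inline scripts on the page
       have no nonce or hash, which rules out a strict script-src CSP; moving them to external files would fix that. -->
  <script>
    $(document).ready(function() {
      $('.highlight').markerAnimation({ "color":'var(--cr-yellow)', "font_weight":'normal', "background-size": '200% 1.2em' });
    });
  </script>
  <!-- Frames every img on the page (screenshots in the post body, but also the logos) -->
  <style> img{ background: #FFFFFF; border: 1px solid #CCCCCC; border-radius: 5px 5px 5px 5px; padding: 10px; } </style>
</head>
<body class=" hs-content-id-37958624375 hs-blog-post hs-blog-id-5272851739" style="">
<!-- Added by GoogleTagManager integration -->
<!-- NOTE(review): unlike the script path in <head>, this noscript fallback loads GTM without waiting for
     consent; confirm that is intended. The iframe now carries a title as required for accessibility. -->
<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-TJVVB7C" title="Google Tag Manager" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
<!-- /Added by GoogleTagManager integration -->
<div class="header-container-wrapper">
<div class="header-container container-fluid">
<div class="row-fluid-wrapper row-depth-1 row-number-1 ">
<div class="row-fluid ">
<div class="span12 widget-span widget-type-custom_widget " style="" data-widget-type="custom_widget" data-x="0" data-w="12">
<div id="hs_cos_wrapper_module_1615433790649568" class="hs_cos_wrapper hs_cos_wrapper_widget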
hs_cos_wrapper_type_module" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module"><section id="cr-malicious-life-network__tier-one-header" class="position-flex"> <div class="#"> <div id="logo"><a href="https://www.cybereason.com"><img src="https://www.cybereason.com/hubfs/dam/images/images-web/logos/cr-brand/cr-logo-inline--primary-black.png"></a></div> <div id="back-to"> <a href="https://www.cybereason.com">Back to <span>Cybereason.com</span></a> </div> <!-- Hamburger Menu --> <button class="hamburger hamburger--collapse" type="button"> <span class="hamburger-box"> <span class="hamburger-inner"></span> </span> </button> <div class="cr-mln__hamburger-menu--overlay"> <ul> <li><a href="https://www.cybereason.com/blog/all"><span class="underline">All Posts</span></a></li> <li><a href="/blog/category/research"><span class="underline">Research</span></a></li> <li><a href="/blog/category/podcasts"><span class="underline">Podcasts</span></a></li> <li><a href="/blog/category/webinars"><span class="underline">Webinars</span></a></li> <li><a href="/blog/category/resources"><span class="underline">Resources</span></a></li> <li><a href="/blog/category/videos"><span class="underline">Videos</span></a></li> <li><a href="/blog/category/news"><span class="underline">News</span></a></li> </ul> <div class="subscribe"> <a href="#blog-subscribe">Subscribe</a> </div> </div> <!-- --> </div> </section></div> </div><!--end widget-span --> </div><!--end row--> </div><!--end row-wrapper --> <div class="row-fluid-wrapper row-depth-1 row-number-2 "> <div class="row-fluid "> <div class="span12 widget-span widget-type-custom_widget mln-homepage" style="" data-widget-type="custom_widget" data-x="0" data-w="12"> <div id="hs_cos_wrapper_module_1615433785464566" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module"><section class="cr-malicious-life-network__hero-main base"> <div 
class="container-is-blog columns hero-content page-center"> <div class="column is-5-fullhd is-5-desktop is-12-touch"> <a href="/blog"><img class="cr-mln-logo" src="https://www.cybereason.com/hubfs/dam/images/images-web/logos/cr-brand/cr-malicious-life-logo-v2.png"></a> </div> <div class="column is-7-fullhd is-7-desktop is-hidden-mobile is-hidden-tablet-only"> <div class="cr-mln__search-subscribe"> <div class="cr-mln__search"> <a href="#cr-search-modal" class="search-btn"><img src="https://www.cybereason.com/hubfs/dam/images/images-web/blog-images/template-images/cr-blog-icon--search-dark-gray.png" alt="Search"></a> </div> <div class="cr-mln__subscribe"> <a class="btn-subscribe" href="#blog-subscribe">Subscribe</a> </div> </div> <div class="cr-mln__category-nav"> <ul> <li><a href="/blog/category/all"><span class="underline">All</span></a></li> <li><a href="/blog/category/research"><span class="underline">Research</span></a></li> <li><a href="/blog/category/podcasts"><span class="underline">Podcasts</span></a></li> <li><a href="/blog/category/webinars"><span class="underline">Webinars</span></a></li> <li><a href="/blog/category/resources"><span class="underline">Resources</span></a></li> <li><a href="/blog/category/videos"><span class="underline">Videos</span></a></li> <li><a href="/blog/category/news"><span class="underline">News</span></a></li> </ul> </div> </div> </div> <!-- MOBILE Search and Subscribe --> <div class="container-is-blog columns is-gapless is-hidden-desktop cr-mln__search-subscribe--mobile"> <div class="column"> <a class="search-btn">Search</a> </div> <div class="column"> <a class="#" href="#blog-subscribe">Subscribe</a> </div> </div> <!-- END MOBILE Search and Subscribe --> <!-- SEARCH Modal Wrap --> <div id="cr-search-modal"> <!--THIS IS IMPORTANT! 
to close the modal, the class name has to match the name given on the ID --> <div id="btn-close-modal" class="close-cr-search-modal"> X </div> <div class="modal-content"> <div class="container columns"> <div class="column"> <div class="cr-search-modal__search-bar"> <h3>Search</h3> <form action="/hs-search-results"> <input type="search" class="hs-search-field__input" name="term" autocomplete="on" placeholder="Search..."> <input type="hidden" name="type" value="BLOG_POST"> <input type="hidden" name="type" value="LISTING_PAGE"> <button type="submit" class="arrow"></button> </form> </div> </div> </div> </div> </div> <!-- END Search Modal Wrap --> </section></div> </div><!--end widget-span --> </div><!--end row--> </div><!--end row-wrapper --> </div><!--end header --> </div><!--end header wrapper --> <div class="body-container-wrapper"> <div class="body-container container-fluid"> <div class="row-fluid-wrapper row-depth-1 row-number-1 "> <div class="row-fluid "> <div class="span12 widget-span widget-type-blog_content " style="" data-widget-type="blog_content" data-x="0" data-w="12"> <div class="cr-mln__blog-post"> <div class="container-is-blog columns is-multiline page-center"> <div class="column is-8-fullhd is-8-desktop is-offset-2-fullhd is-offset-2-desktop is-10-tablet is-offset-1-tablet"> <div class="featured-image"><img src="https://www.cybereason.com/hubfs/dam/images/images-web/blog-images/egregor-blog-card.png" alt=""></div> <h1><span id="hs_cos_wrapper_name" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="text">Cybereason vs. 
Egregor Ransomware</span></h1> <div class="cr-mln__post-author-share"> <div id="hubspot-author_data" class="hubspot-editable cr-mln__post-meta" data-hubspot-form-id="author_data" data-hubspot-name="Blog Author"> <span class="descriptor">Written By</span> <p><span class="author">Cybereason Nocturnus</span></p> </div> </div> </div> <!-- Sticky Author and Social Box --> <!-- END Sticky Author and Social Box --> <div class="container-is-blog columns is-multiline page-center cr-mln__blog-post--body"> <div class="column is-7-fullhd is-7-desktop is-10-tablet is-10-mobile is-offset-1-fullhd is-offset-1-desktop is-offset-1-tablet is-offset-1-mobile"> <span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text"><p><strong>Research by: </strong>Lior Rochberger</p> <!--more--> <p><span style="color: #1f2e33;">Egregor is a newly identified ransomware variant that was first discovered in September, 2020, and has recently been identified in several sophisticated attacks on organizations worldwide, including the games industry giants </span><a href="https://www.zdnet.com/article/ubisoft-crytek-data-posted-on-ransomware-gangs-site/"><span>Crytek and Ubisoft</span></a><span style="color: #1f2e33;">. </span></p> <p><span style="color: #1f2e33;">Similar to the </span><a href="https://nest.cybereason.com/blog/threat-spotlight-analyzing-and-detecting-maze-ransomware-4"><span>Maze ransomware</span></a><span style="color: #1f2e33;">, Egregor’s operators run an extortion ransomware operation, where the data is stolen and stored on the attacker’s servers before it is encrypted on the user’s machine.</span><span style="color: #1f2e33;"> Egregor is probably the most aggressive ransomware family in terms of negotiation with the victims. Its operators give only 72 hours to contact them. 
If the ransom is not paid, the data is released to the public via the attacker’s website, “Egregor News.”</span></p> <div class="hs-embed-wrapper" data-service="fast.wistia" data-script-embed="true" data-responsive="true" style="position: relative; overflow: hidden; width: 100%; height: auto; padding: 0px; max-width: 701px; min-width: 256px; display: block; margin: auto; max-height: 394px;"><div class="hs-embed-content-wrapper"><script src="https://fast.wistia.com/embed/medias/klaf1jvd3j.jsonp" async> </script><script src="https://fast.wistia.com/assets/external/E-v1.js" async></script><div class="wistia_responsive_padding" style="padding:56.25% 0 0 0;position:relative;"><div class="wistia_responsive_wrapper" style="height:100%;left:0;position:absolute;top:0;width:100%;"><span class="wistia_embed wistia_async_klaf1jvd3j popover=true popoverAnimateThumbnail=true videoFoam=true" style="display:inline-block;height:100%;position:relative;width:100%"> </span></div></div></div></div> <p style="text-align: center; font-size: 16px;"><em>Cybereason Blocks Egregor Ransomware</em></p> <p>The ransomware payment is negotiated and agreed upon via a special chat function assigned to each victim. 
The payment is received in bitcoin:</p> <p style="text-align: center;"><img src="https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-1.png?width=1543&name=egregor-1.png" alt="egregor-1" width="1543" style="width: 1543px;" srcset="https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-1.png?width=772&name=egregor-1.png 772w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-1.png?width=1543&name=egregor-1.png 1543w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-1.png?width=2315&name=egregor-1.png 2315w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-1.png?width=3086&name=egregor-1.png 3086w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-1.png?width=3858&name=egregor-1.png 3858w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-1.png?width=4629&name=egregor-1.png 4629w" sizes="(max-width: 1543px) 100vw, 1543px"><span style="color: #2d3236; font-size: 16px;"><em>Egregor News website - published data</em></span></p> <p>Egregor is believed to be a relative of another ransomware called <em>Sekhmet</em> that emerged in March, 2020, which shares a lot of similarities with Egregor and also some similarities with Maze.</p> <p>Egregor is still quite a mystery when it comes to how it is delivered in the attack and who is behind the campaign. Not much is known at this point, but speculation includes theories that Egregor is the “heir to Maze,” after that threat actor announced they were <a href="https://www.bleepingcomputer.com/news/security/maze-ransomware-shuts-down-operations-denies-creating-cartel/"><span>shutting down their operations</span></a> in late October. 
This assumption is supported by the close similarities between the two - and of course the timing.</p> <h3 style="font-size: 36px;"><span style="color: #2d3236;">Key Findings</span></h3> <p style="padding-left: 40px;"><strong>• Emerging Threat</strong>: In a short amount of time, Egregor ransomware caused great damage and made headlines across the world.</p> <p style="padding-left: 40px;"><strong>• High Severity</strong>: The Cybereason Nocturnus Team assesses the threat level as HIGH given the destructive potential of the attacks.</p> <p style="padding-left: 40px;"><strong>• Low-and-Slow: </strong>Prior to the deployment of the ransomware, the attackers attempt to infiltrate and move laterally throughout the organization, carrying out a fully-fledged hacking operation.</p> <p style="padding-left: 40px;"><strong>• Infection Vector via Commodity Malware: </strong>The infection seems to start with commodity malware. Based on a preliminary reconnaissance of data sent to the C2 servers, the operators can choose to escalate to an interactive hacking operation, which ultimately causes a mass ransomware infection.</p> <p style="padding-left: 40px;"><strong>• Detected and Prevented</strong>: <a href="https://www.cybereason.com/platform"><span>The Cybereason Defense Platform</span></a> fully detects and prevents the Egregor ransomware.</p> <h3><span style="color: #2d3236;">Breaking Down the Attack</span></h3> <br> <p style="text-align: center; font-size: 16px;"><img src="https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-2.png?width=967&name=egregor-2.png" alt="egregor-2" width="967" style="width: 967px;" srcset="https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-2.png?width=484&name=egregor-2.png 484w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-2.png?width=967&name=egregor-2.png 967w, 
https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-2.png?width=1451&name=egregor-2.png 1451w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-2.png?width=1934&name=egregor-2.png 1934w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-2.png?width=2418&name=egregor-2.png 2418w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-2.png?width=2901&name=egregor-2.png 2901w" sizes="(max-width: 967px) 100vw, 967px"><span style="color: #2d3236;"></span><span style="color: #2d3236; font-size: 16px;"><em>Egregor infection chain</em></span></p> <h3 style="font-size: 36px;"><span style="color: #2d3236;">From Commodity Malware Infection to Ransomware</span></h3> <p>Since Egregor is a relatively new player in the game, few incidents involving it have been covered and detailed so far, including information about the infection chain. The information available so far suggests that the initial infection starts with a phishing email that contains a malicious macro embedded in an attached document. </p> <p>The macro code downloads commodity malware, either <a href="https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot"><span>Qbot</span></a>, <a href="https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid"><span>IcedID</span></a>, or <a href="https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi"><span>Ursnif</span></a>, which provides capabilities for stealing sensitive information that will later be used for lateral movement. 
This technique, which involves using a commodity malware as initial infection and to eventually deliver ransomware, was observed before with <a href="https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware"><span>Ryuk ransomware</span></a> and Maze.</p> <p>Later in the attack, a <a href="https://www.cobaltstrike.com/"><span>CobaltStrike</span></a> beacon is installed on the infected machine and the attack shifts to an interactive hacking operation. The attacker uses tools for reconnaissance such as <a href="http://www.joeware.net/freetools/tools/adfind/"><span>Adfind</span></a> and <a href="https://github.com/BloodHoundAD/SharpHound"><span>Sharphound</span></a> to gather information about users, groups, computers and so on. This information will assist in the lateral movement phase and also in performing privilege escalation, as Egregor compromises Active Directory in order to become domain admin.</p> <p>In this stage, after the malware settles on the victim’s machine, it starts communications to the C2 in order to download additional components including scripts, DLLs and other files that will be used eventually to exfiltrate data and encrypt files.</p> <p>Among the dropped files observed:</p> <ul> <li> <p><strong>A batch file</strong> that is used to run Bitsadmin and Rundll to download and execute the Egregor payload.</p> </li> <li> <p><strong>A Zip file</strong> contains a binary file that is an <a href="https://rclone.org/"><span>RClone client</span></a>, renamed svchost, and RClone config files (webdav, ftp and dropbox) used later for exfiltration.</p> <p style="text-align: center;"><img src="https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-3.png?width=1259&name=egregor-3.png" alt="egregor-3" width="1259" style="width: 1259px;" srcset="https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-3.png?width=630&name=egregor-3.png 630w, 
https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-3.png?width=1259&name=egregor-3.png 1259w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-3.png?width=1889&name=egregor-3.png 1889w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-3.png?width=2518&name=egregor-3.png 2518w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-3.png?width=3148&name=egregor-3.png 3148w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-3.png?width=3777&name=egregor-3.png 3777w" sizes="(max-width: 1259px) 100vw, 1259px"></p> </li> </ul> <p style="text-align: center; font-size: 16px;"><span style="color: #2d3236;"><em>VT screenshot of the RClone executable and configuration file</em></span></p> <p><span style="color: #1f2e33;">CobaltStrike creates a service that runs an encoded PowerShell command that executes shellcode that creates connection to amajai-technologies[.]industries:</span></p> <p style="text-align: center;"><img src="https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-4.jpg?width=965&name=egregor-4.jpg" alt="egregor-4" width="965" style="width: 965px;" srcset="https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-4.jpg?width=483&name=egregor-4.jpg 483w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-4.jpg?width=965&name=egregor-4.jpg 965w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-4.jpg?width=1448&name=egregor-4.jpg 1448w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-4.jpg?width=1930&name=egregor-4.jpg 1930w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-4.jpg?width=2413&name=egregor-4.jpg 2413w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-4.jpg?width=2895&name=egregor-4.jpg 2895w" 
sizes="(max-width: 965px) 100vw, 965px"><span style="color: #2d3236; font-size: 16px;"><em>Decryption of the Shellcode</em></span></p> <p>After dropping the files needed for the attack, the attackers “prepare the ground” and undertake a final procedure meant to avoid detection and prevention. The attacker creates a Group Policy Object (GPO) to disable Windows Defender and tries to take down any anti-virus products.</p> <h3 style="font-size: 36px;"><span style="color: #2d3236;">Egregor Execution</span></h3> <p>As described above, the operators of Egregor deploy the ransomware payload after collecting the sensitive information and setting the GPO to evade detection and prevention. To deploy the ransomware, they execute the dropped batch file that, as mentioned, is used to download and execute the ransomware payload from a remote server:</p> <p style="text-align: center;"><img src="https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-5.png?width=1324&name=egregor-5.png" alt="egregor-5" width="1324" style="width: 1324px;" srcset="https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-5.png?width=662&name=egregor-5.png 662w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-5.png?width=1324&name=egregor-5.png 1324w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-5.png?width=1986&name=egregor-5.png 1986w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-5.png?width=2648&name=egregor-5.png 2648w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-5.png?width=3310&name=egregor-5.png 3310w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-5.png?width=3972&name=egregor-5.png 3972w" sizes="(max-width: 1324px) 100vw, 1324px"><span style="color: #2d3236; font-size: 16px;"><em>The content of the batch file</em></span></p> <p>The Egregor payload can only be decrypted if 
the correct key is provided via a command-line argument to the Rundll32 process, which means that the file cannot be analyzed, either manually or using a sandbox, if the exact same command line that the attackers used to run the ransomware isn’t provided. </p> <p>In order to execute the ransomware and decrypt the blob of code inside of it, the operators provide the batch file with the key “<strong>-passegregor10</strong>”, which results in the ransomware running and encrypting files:</p> <p style="text-align: center;"><img src="https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-6.png?width=1236&name=egregor-6.png" alt="egregor-6" width="1236" style="width: 1236px;" srcset="https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-6.png?width=618&name=egregor-6.png 618w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-6.png?width=1236&name=egregor-6.png 1236w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-6.png?width=1854&name=egregor-6.png 1854w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-6.png?width=2472&name=egregor-6.png 2472w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-6.png?width=3090&name=egregor-6.png 3090w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-6.png?width=3708&name=egregor-6.png 3708w" sizes="(max-width: 1236px) 100vw, 1236px"><span style="color: #2d3236; font-size: 16px;"><em>Batch file execution as shown in the Cybereason Defense Platform</em></span></p> <p>The encrypted file names are appended with a string of random characters as the new extension. For example, it renames a file named “My_files.zip” to “My_files.zip.IAsnM”, “My_files2.zip” to “My_files2.zip.WZlF” and so on. 
Also, the threat actor creates the “RECOVER-FILES.txt” with ransom note in all folders that contain encrypted files, as shown in the figure below: </p> <p style="text-align: center;"><img src="https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-7.png?width=1148&name=egregor-7.png" alt="egregor-7" width="1148" style="width: 1148px;" srcset="https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-7.png?width=574&name=egregor-7.png 574w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-7.png?width=1148&name=egregor-7.png 1148w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-7.png?width=1722&name=egregor-7.png 1722w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-7.png?width=2296&name=egregor-7.png 2296w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-7.png?width=2870&name=egregor-7.png 2870w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-7.png?width=3444&name=egregor-7.png 3444w" sizes="(max-width: 1148px) 100vw, 1148px"><span style="font-size: 16px;"><em>Encrypted files</em></span></p> <p style="text-align: center;"><img src="https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-8.png?width=839&name=egregor-8.png" alt="egregor-8" width="839" style="width: 839px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-8.png?width=420&name=egregor-8.png 420w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-8.png?width=839&name=egregor-8.png 839w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-8.png?width=1259&name=egregor-8.png 1259w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-8.png?width=1678&name=egregor-8.png 1678w, 
https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-8.png?width=2098&name=egregor-8.png 2098w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-8.png?width=2517&name=egregor-8.png 2517w" sizes="(max-width: 839px) 100vw, 839px"><span style="font-size: 16px;"><em><span style="color: #859da6;">A message shown to the user</span></em></span></p> <h3 style="font-size: 36px;"><span style="color: #2d3236;">Connection to Sekhmet and Maze</span></h3> <p><span style="color: #1f2e33;">Egregor shares code similarities with Sekhmet ransomware, as well as the notorious Maze ransomware. Beyond code similarities, the three ransomware families have a lot in common in terms of behavior and characteristics:</span></p> <table style="border-color: #99acc2; border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; border: none;"> <tbody> <tr> <td style="border: 1pt solid #000000; width: 153.333px; padding: 4px;"> </td> <td style="border: 1pt solid #000000; width: 197.5px; padding: 4px;"> <p><strong><span style="color: #000000;">Maze</span></strong></p> </td> <td style="border: 1pt solid #000000; width: 196.667px; padding: 4px;"> <p><strong><span style="color: #000000;">Sekhmet</span></strong></p> </td> <td style="border: 1pt solid #000000; width: 205px; padding: 4px;"> <p><strong><span style="color: #000000;">Egregor</span></strong></p> </td> </tr> <tr> <td style="border: 1pt solid #000000; width: 153.333px; padding: 4px;"> <p><strong><span style="color: #000000;">First seen</span></strong></p> </td> <td style="border: 1pt solid #000000; width: 197.5px; padding: 4px;"> <p><span style="color: #000000;">May 2019</span></p> </td> <td style="border: 1pt solid #000000; width: 196.667px; padding: 4px;"> <p><span style="color: #000000;">March 2020</span></p> </td> <td style="border: 1pt solid #000000; width: 205px; padding: 4px;"> <p><span style="color: #000000;">July 2020</span></p> </td> </tr> <tr> <td 
style="border: 1pt solid #000000; width: 153.333px; padding: 4px;"> <p><strong><span style="color: #000000;">File type</span></strong></p> </td> <td style="border: 1pt solid #000000; width: 197.5px; padding: 4px;"> <p><span style="color: #000000;">DLL/EXE</span></p> </td> <td style="border: 1pt solid #000000; width: 196.667px; padding: 4px;"> <p><span style="color: #000000;">DLL</span></p> </td> <td style="border: 1pt solid #000000; width: 205px; padding: 4px;"> <p><span style="color: #000000;">DLL</span></p> </td> </tr> <tr> <td style="border: 1pt solid #000000; width: 153.333px; padding: 4px;"> <p><strong><span style="color: #000000;">Encrypted Files Extension</span></strong></p> </td> <td style="border: 1pt solid #000000; width: 197.5px; padding: 4px;"> <p><span style="color: #000000;">Files are appended with random extensions, consisting of random characters</span></p> </td> <td style="border: 1pt solid #000000; width: 196.667px; padding: 4px;"> <p><span style="color: #000000;">Files are appended with random extensions, consisting of random characters</span></p> </td> <td style="border: 1pt solid #000000; width: 205px; padding: 4px;"> <p><span style="color: #000000;">Files are appended with random extensions, consisting of random characters</span></p> </td> </tr> <tr> <td style="border: 1pt solid #000000; width: 153.333px; padding: 4px;"> <p><strong><span style="color: #000000;">Encryption Algorithm</span></strong></p> </td> <td style="border: 1pt solid #000000; width: 197.5px; padding: 4px;"> <p><span style="color: #000000;">ChaCha & RSA</span></p> </td> <td style="border: 1pt solid #000000; width: 196.667px; padding: 4px;"> <p><span style="color: #000000;">ChaCha & RSA</span></p> </td> <td style="border: 1pt solid #000000; width: 205px; padding: 4px;"> <p><span style="color: #000000;">ChaCha & RSA</span></p> </td> </tr> <tr> <td style="border: 1pt solid #000000; width: 153.333px; padding: 4px;"> <p><strong><span style="color: #000000;">Ransom Demand Message 
file name</span></strong></p> </td> <td style="border: 1pt solid #000000; width: 197.5px; padding: 4px;"> <p><span style="color: #000000;">DECRYPT-FILES.txt</span></p> </td> <td style="border: 1pt solid #000000; width: 196.667px; padding: 4px;"> <p><span style="color: #000000;">RECOVER-FILES.txt</span></p> </td> <td style="border: 1pt solid #000000; width: 205px; padding: 4px;"> <p><span style="color: #000000;">RECOVER-FILES.txt</span></p> </td> </tr> <tr> <td style="border: 1pt solid #000000; width: 153.333px; padding: 4px;"> <p><strong><span style="color: #000000;">Damage</span></strong></p> </td> <td style="border: 1pt solid #000000; width: 197.5px; padding: 4px;"> <p><span style="color: #000000;">Encryption and extortion</span></p> </td> <td style="border: 1pt solid #000000; width: 196.667px; padding: 4px;"> <p><span style="color: #000000;">Encryption and extortion</span></p> </td> <td style="border: 1pt solid #000000; width: 205px; padding: 4px;"> <p><span style="color: #000000;">Encryption and extortion</span></p> </td> </tr> <tr> <td style="border: 1pt solid #000000; width: 153.333px; padding: 4px;"> <p><strong><span style="color: #000000;">Cyber Criminal Contact</span></strong></p> </td> <td style="border: 1pt solid #000000; width: 197.5px; padding: 4px;"> <p><span style="color: #000000;">Tor browser website</span></p> </td> <td style="border: 1pt solid #000000; width: 196.667px; padding: 4px;"> <p><span style="color: #000000;">Tor browser website</span></p> </td> <td style="border: 1pt solid #000000; width: 205px; padding: 4px;"> <p><span style="color: #000000;">Tor browser website</span></p> </td> </tr> <tr> <td style="border: 1pt solid #000000; width: 153.333px; padding: 4px;"> <p><strong><span style="color: #000000;">Website name</span></strong></p> </td> <td style="border: 1pt solid #000000; width: 197.5px; padding: 4px;"> <p><span style="color: #000000;">Maze News</span></p> </td> <td style="border: 1pt solid #000000; width: 196.667px; padding: 4px;"> 
<p><span style="color: #000000;">Leaks, Leaks, Leaks.</span></p> </td> <td style="border: 1pt solid #000000; width: 205px; padding: 4px;"> <p><span style="color: #000000;">Egregor News</span></p> </td> </tr> </tbody> </table> <p> </p> <p><span style="color: #1f2e33;">Another way to look for a connection between the three is to examine the infrastructure. The IP address </span><a href="https://www.virustotal.com/gui/ip-address/185.238.0.233/relations"><span>185.238.0[.]233</span></a><span style="color: #1f2e33;"> was found to host different binaries, Zip files and scripts:</span></p> <p style="line-height: 1; padding-left: 40px;"><span style="color: #1f2e33;">• Maze ransomware binaries</span></p> <p style="line-height: 1; padding-left: 40px;"><span style="color: #1f2e33;">• Egregor ransomware binaries</span></p> <p style="line-height: 1; padding-left: 40px;"><span style="color: #1f2e33;">• Zip files containing the RClone binary and configuration files (RClone is a legitimate command-line cloud-storage sync tool; its presence is consistent with the exfiltration techniques mapped in the ATT&amp;CK breakdown below)</span></p> <br> <p><span style="color: #1f2e33;">The IP address is referenced by different scripts, including the batch files that download the Egregor payload:</span></p> <p style="text-align: center;"><img src="https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-9.png?width=1620&name=egregor-9.png" alt="egregor-9" width="1620" style="width: 1620px;" srcset="https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-9.png?width=810&name=egregor-9.png 810w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-9.png?width=1620&name=egregor-9.png 1620w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-9.png?width=2430&name=egregor-9.png 2430w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-9.png?width=3240&name=egregor-9.png 3240w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-9.png?width=4050&name=egregor-9.png 4050w, 
https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-9.png?width=4860&name=egregor-9.png 4860w" sizes="(max-width: 1620px) 100vw, 1620px"><span style="color: #2d3236; font-size: 16px;"><em>Chart describing the different samples found on 185.238.0[.]233</em></span></p> <p><span style="color: #1f2e33;">It is also worth mentioning the similarities in the ransom notes of the three. They have a very similar structure, and even some “copy-paste” parts:</span></p> <p style="text-align: center;"><img src="https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-10.png?width=767&name=egregor-10.png" alt="egregor-10" width="767" style="width: 767px;" srcset="https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-10.png?width=384&name=egregor-10.png 384w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-10.png?width=767&name=egregor-10.png 767w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-10.png?width=1151&name=egregor-10.png 1151w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-10.png?width=1534&name=egregor-10.png 1534w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-10.png?width=1918&name=egregor-10.png 1918w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-10.png?width=2301&name=egregor-10.png 2301w" sizes="(max-width: 767px) 100vw, 767px"><span style="color: #2d3236; font-size: 16px;"><em>Comparison between the three ransomware’s ransom notes</em></span></p> <p>In addition to the Maze and Egregor binaries found on this specific server, other samples were found on the server, related to Prolock ransomware, as analyzed in <a href="https://www.intrinsec.com/egregor-prolock/"><span>this report</span></a>.</p> <h3 style="font-size: 36px;"><span style="color: #2d3236;">Cybereason Detection and Prevention</span></h3> <p><span 
style="color: #1f2e33;">Cybereason is able to both detect and prevent the execution of Egregor, Sekhmet and Maze using the NGAV component. When the Anti-Ransomware feature is enabled, behavioral detection techniques in the platform are able to detect the attempt to encrypt files and raise a Malop for it:</span></p> <p style="text-align: center;"><span style="color: #1f2e33;"><img src="https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-11.png?width=514&name=egregor-11.png" alt="egregor-11" width="514" style="width: 514px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-11.png?width=257&name=egregor-11.png 257w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-11.png?width=514&name=egregor-11.png 514w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-11.png?width=771&name=egregor-11.png 771w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-11.png?width=1028&name=egregor-11.png 1028w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-11.png?width=1285&name=egregor-11.png 1285w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-11.png?width=1542&name=egregor-11.png 1542w" sizes="(max-width: 514px) 100vw, 514px"></span><span style="color: #2d3236; font-size: 16px;"></span><span style="color: #1f2e33;"></span><span style="font-size: 16px; color: #2d3236;"><em>Ransomware malop triggered due to the malicious activity</em></span><span style="color: #1f2e33;"></span></p> <p>Using the Anti-Malware feature with the right configuration (listed in the recommendations below), Cybereason will also detect and prevent the execution of the ransomware and ensure that it cannot encrypt targeted files:</p> <p style="text-align: center;"><img 
src="https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-12.png?width=977&name=egregor-12.png" alt="egregor-12" width="977" style="width: 977px;" srcset="https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-12.png?width=489&name=egregor-12.png 489w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-12.png?width=977&name=egregor-12.png 977w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-12.png?width=1466&name=egregor-12.png 1466w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-12.png?width=1954&name=egregor-12.png 1954w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-12.png?width=2443&name=egregor-12.png 2443w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-12.png?width=2931&name=egregor-12.png 2931w" sizes="(max-width: 977px) 100vw, 977px"><span style="font-size: 16px;"><em>Anti Malware alert - Disinfecting the b.dll (Egregor payload)</em></span></p> <p style="text-align: center;"><span style="font-size: 16px;"><em><img src="https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-13.png?width=523&name=egregor-13.png" alt="egregor-13" width="523" style="width: 523px; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-13.png?width=262&name=egregor-13.png 262w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-13.png?width=523&name=egregor-13.png 523w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-13.png?width=785&name=egregor-13.png 785w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-13.png?width=1046&name=egregor-13.png 1046w, https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-13.png?width=1308&name=egregor-13.png 1308w, 
https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/egregor-13.png?width=1569&name=egregor-13.png 1569w" sizes="(max-width: 523px) 100vw, 523px"></em><em>User notification, Blocking the execution of the ransomware in the endpoint</em></span></p> <h3 style="text-align: left;"><span style="font-size: 36px; color: #2d3236;">Indicators of Compromise</span><span style="font-size: 24px; color: #1f2e33;"></span></h3> <table style="border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; border: 1px solid #000000; width: 755px; height: 1637px;" width="760" height="2550"> <tbody> <tr style="height: 56.5px;"> <td style="width: 484.156px; height: 57px; background-color: #eeeeee; vertical-align: middle; padding: 4px; border: 1px none #000000;"> <p><span style="color: #0e2438;"><strong>IOC</strong></span></p> </td> <td style="width: 122.5px; height: 57px; background-color: #eeeeee; vertical-align: middle; padding: 4px; border: 1px none #000000;"> <p><span style="color: #0e2438;"><strong>Type</strong></span></p> </td> <td style="width: 147.5px; height: 57px; background-color: #eeeeee; vertical-align: middle; padding: 4px; border: 1px none #000000;"> <p><span style="color: #0e2438;"><strong>Description</strong></span></p> </td> </tr> <tr style="height: 850px;"> <td style="width: 484.156px; height: 850px; padding: 4px; border: 1px none #000000;"> <p><span style="color: #1f2e33;">f7bf7cea89c6205d78fa42d735d81c1e5c183041</span></p> <p><span style="color: #1f2e33;">5a346fb957abeba389424dc57636edcacc58b5ba</span></p> <p><span style="color: #1f2e33;">901cee60fba225baf80c976b10dfa1684a73f5ee</span></p> <p><span style="color: #1f2e33;">a6259615ea10c30421e83d20f4a4b5f2c41b45b8</span></p> <p><span style="color: #1f2e33;">03cdec4a0a63a016d0767650cdaf1d4d24669795</span></p> <p><span style="color: #1f2e33;">4ea064f715c2a5f4ed68f57029befd8f406671dd</span></p> <p><span style="color: #1f2e33;">ac634854448eb8fcd3abf49c8f37cd21f4282dde</span></p> 
<p><span style="color: #1f2e33;">7bc6c2d714e88659b26b6b8ed6681b1f91eef6af</span></p> <p><span style="color: #1f2e33;">0579da0b8bfdfce7ca4a45baf9df7ec23989e28b</span></p> <p><span style="color: #1f2e33;">3a33de9a84bbc76161895178e3d13bcd28f7d8fe</span></p> <p><span style="color: #1f2e33;">f7bf7cea89c6205d78fa42d735d81c1e5c183041</span></p> <p><span style="color: #1f2e33;">986f69a43e0bf174f73139785ec8f969acf5aa55</span></p> <p><span style="color: #1f2e33;">f1603f1ddf52391b16ee9e73e68f5dd405ab06b0</span></p> <p><span style="color: #1f2e33;">5a346fb957abeba389424dc57636edcacc58b5ba</span></p> <p><span style="color: #1f2e33;">901cee60fba225baf80c976b10dfa1684a73f5ee</span></p> <p><span style="color: #1f2e33;">a6259615ea10c30421e83d20f4a4b5f2c41b45b8</span></p> <p><span style="color: #1f2e33;">4ea064f715c2a5f4ed68f57029befd8f406671dd</span></p> </td> <td style="width: 122.5px; height: 850px; padding: 4px; border: 1px none #000000;"> <p><span style="color: #1f2e33;">SHA1</span></p> </td> <td style="width: 147.5px; height: 850px; padding: 4px; border: 1px none #000000;"> <p><span style="color: #1f2e33;">Egregor DLL</span></p> </td> </tr> <tr style="height: 363px;"> <td style="width: 484.156px; height: 363px; padding: 4px; border: 1px none #000000;"> <p><span style="color: #1f2e33;">ac6d919b313bbb18624d26745121fca3e4ae0fd3</span></p> <p><span style="color: #1f2e33;">95aea6b24ed28c6ad13ec8d7a6f62652b039765e</span></p> <p><span style="color: #1f2e33;">a786f383dfb90191aa2ca86ade68ee3e7c088f82</span></p> <p><span style="color: #1f2e33;">631924a3567390a081dbd82072a6fc3a185c5073</span></p> <p><span style="color: #1f2e33;">1be22505a25f14fff1e116fafcaae9452be325b1</span></p> <p><span style="color: #1f2e33;">a2d5700def24c3ae4d41c679e83d93513259ae4a</span></p> </td> <td style="width: 122.5px; height: 363px; padding: 4px; border: 1px none #000000;"> <p><span style="color: #1f2e33;">SHA1</span></p> </td> <td style="width: 147.5px; height: 363px; padding: 4px; border: 1px none #000000;"> 
<p><span style="color: #1f2e33;">Egregor batch file</span></p> </td> </tr> <tr style="height: 169px;"> <td style="width: 484.156px; height: 169px; padding: 4px; border: 1px none #000000;"> <p><span style="color: #1f2e33;">45.153.242[.]129</span></p> <p><span style="color: #1f2e33;">185.238.0[.]233</span></p> <p><span style="color: #1f2e33;">49.12.104[.]241</span></p> </td> <td style="width: 122.5px; height: 169px; padding: 4px; border: 1px none #000000;"> <p><span style="color: #1f2e33;">IPs (defanged)</span></p> </td> <td style="width: 147.5px; height: 169px; padding: 4px; border: 1px none #000000;"> <p><span style="color: #1f2e33;">C2</span></p> </td> </tr> <tr style="height: 112px;"> <td style="width: 484.156px; height: 112px; padding: 4px; border: 1px none #000000;"> <p><span style="color: #1f2e33;">34a466a0e55a930d8d7ecd1d6e6c9c750082a5fe</span></p> </td> <td style="width: 122.5px; height: 112px; padding: 4px; border: 1px none #000000;"> <p><span style="color: #1f2e33;">SHA1</span></p> </td> <td style="width: 147.5px; height: 112px; padding: 4px; border: 1px none #000000;"> <p><span style="color: #1f2e33;">Zip containing RClone</span></p> </td> </tr> <tr style="height: 84.5px;"> <td style="width: 484.156px; height: 85px; padding: 4px; border: 1px none #000000;"> <p><span style="color: #1f2e33;">2edaa3dd846b7b73f18fa638f3e1bc3a956affa4</span></p> </td> <td style="width: 122.5px; height: 85px; padding: 4px; border: 1px none #000000;"> <p><span style="color: #1f2e33;">SHA1</span></p> </td> <td style="width: 147.5px; height: 85px; padding: 4px; border: 1px none #000000;"> <p><span style="color: #1f2e33;">Encoded PowerShell</span></p> </td> </tr> </tbody> </table> <h3 style="font-size: 36px;"> </h3> <h3 style="font-size: 36px;"><span style="color: #2d3236;">MITRE ATT&CK BREAKDOWN</span></h3> <table style="border-color: #000000; border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; border: none; border-style: solid;"> <tbody> <tr> <td style="border: 
0.75pt solid #cccccc; background-color: #eeeeee; width: 61.6667px; vertical-align: middle; padding: 4px; border-color: #2D3236;"> <p style="text-align: center;"><span style="font-size: 16px;"><strong><span style="color: #000000;">Initial Access</span></strong></span></p> </td> <td style="border: 0.75pt solid #cccccc; background-color: #eeeeee; width: 82.5px; vertical-align: middle; padding: 4px; border-color: #2D3236;"> <p style="text-align: center;"><span style="font-size: 16px;"><strong><span style="color: #000000;">Privilege Escalation</span></strong></span></p> </td> <td style="border: 0.75pt solid #cccccc; background-color: #eeeeee; vertical-align: middle; width: 131.667px; padding: 4px; border-color: #2D3236;"> <p style="text-align: center;"><span style="font-size: 16px;"><strong><span style="color: #000000;">Defense Evasion</span></strong></span></p> </td> <td style="border: 0.75pt solid #cccccc; background-color: #eeeeee; vertical-align: middle; width: 83.3333px; padding: 4px; border-color: #2D3236;"> <p style="text-align: center;"><span style="font-size: 16px;"><strong><span style="color: #000000;">Command and Control</span></strong></span></p> </td> <td style="border: 1px solid #cccccc; background-color: #eeeeee; vertical-align: middle; width: 140px; padding: 4px; border-color: #2D3236;"> <p style="text-align: center;"><span style="font-size: 16px;"><strong><span style="color: #000000;">Discovery</span></strong></span></p> </td> <td style="border: 0.75pt solid #cccccc; background-color: #eeeeee; vertical-align: middle; width: 87.5px; padding: 4px; border-color: #2D3236;"> <p style="text-align: center;"><span style="font-size: 16px;"><strong><span style="color: #000000;">Lateral Movement</span></strong></span></p> </td> <td style="border: 0.75pt solid #cccccc; background-color: #eeeeee; vertical-align: middle; width: 92.5px; padding: 4px; border-color: #2D3236;"> <p style="text-align: center;"><span style="font-size: 16px;"><strong><span style="color: 
#000000;">Exfiltration</span></strong></span></p> </td> <td style="border: 0.75pt solid #cccccc; background-color: #eeeeee; width: 73.3333px; vertical-align: middle; padding: 4px; border-color: #2D3236;"> <p style="text-align: center;"><span style="font-size: 16px;"><strong><span style="color: #000000;">Impact</span></strong></span></p> </td> </tr> <tr> <td style="border: 1px solid #2D3236; width: 61.6667px; padding: 4px; border-color: #2D3236;"> <p style="text-align: center;"><span style="font-size: 14px;"><a href="https://attack.mitre.org/techniques/T1566/"><strong>Phishing</strong></a></span></p> </td> <td style="width: 82.5px; padding: 4px; border: 1px solid #2D3236; border-color: #2D3236;"> <p style="text-align: center;"><span style="font-size: 14px;"><a href="https://attack.mitre.org/techniques/T1078/"><strong>Valid Accounts</strong></a></span></p> </td> <td style="width: 131.667px; padding: 4px; border: 1px solid #2D3236; border-color: #2D3236;"> <p style="text-align: center;"><span style="font-size: 14px;"><a href="https://attack.mitre.org/techniques/T1484/"><strong>Group Policy Modification</strong></a></span></p> </td> <td style="width: 83.3333px; padding: 4px; border: 1px solid #2D3236; border-color: #2D3236;"> <p style="text-align: center;"><span style="font-size: 14px;"><a href="https://attack.mitre.org/techniques/T1105/"><strong>Ingress Tool Transfer</strong></a></span></p> </td> <td style="width: 140px; padding: 4px; border: 1px solid #2D3236; border-color: #2D3236;"> <p style="text-align: center;"><span style="font-size: 14px;"><a href="https://attack.mitre.org/techniques/T1087/"><strong>Account Discovery</strong></a></span></p> </td> <td style="width: 87.5px; padding: 4px; border: 1px solid #2D3236; border-color: #2D3236;"> <p style="text-align: center;"><span style="font-size: 14px;"><a href="https://attack.mitre.org/techniques/T1021/"><strong>Remote Services</strong></a></span></p> </td> <td style="width: 92.5px; padding: 4px; border: 1px solid 
initial; border-color: #2D3236; border-style: solid; border-width: 1px;"> <p style="text-align: center;"><span style="font-size: 14px;"><a href="https://attack.mitre.org/techniques/T1567/"><strong>Exfiltration Over Web Service</strong></a></span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 73.3333px; padding: 4px; border-color: #2D3236;"> <p style="text-align: center;"><span style="font-size: 14px;"><a href="https://attack.mitre.org/techniques/T1486/"><strong>Data Encrypted for Impact</strong></a></span></p> </td> </tr> <tr> <td style="border: 0.75pt solid #cccccc; width: 61.6667px; padding: 4px; border-color: #2D3236;"> </td> <td style="border: 0.75pt solid #cccccc; width: 82.5px; padding: 4px; border-color: #2D3236;"> </td> <td style="width: 131.667px; padding: 4px; border: 1px solid #2D3236; border-color: #2D3236;"> <p style="text-align: center;"><span style="font-size: 14px;"><a href="https://attack.mitre.org/techniques/T1562/"><strong>Impair Defenses</strong></a></span></p> </td> <td style="width: 83.3333px; padding: 4px; border: 1px solid initial; border-color: #2D3236;"> </td> <td style="border: 0.75pt solid #cccccc; width: 140px; padding: 4px; border-color: #2D3236;"> <p style="text-align: center;"><span style="font-size: 14px;"><a href="https://attack.mitre.org/techniques/T1482/"><strong>Domain Trust Discovery</strong></a></span></p> </td> <td style="width: 87.5px; padding: 4px; border: 1px solid initial; border-color: #2D3236;"> </td> <td style="border: 0.75pt solid #dfdfdf; width: 92.5px; padding: 4px; border-width: 1px; border-color: #2D3236;"> <p style="text-align: center;"><span style="font-size: 14px;"><a href="https://attack.mitre.org/techniques/T1567/002/"><strong>Exfiltration Over Web Service: Exfiltration to Cloud Storage</strong></a></span></p> </td> <td style="width: 73.3333px; padding: 4px; border: 1px solid initial; border-color: #2D3236;"> </td> </tr> <tr> <td style="border: 0.75pt solid #cccccc; width: 61.6667px; padding: 4px; border-color: #2D3236; 
border-style: solid; border-width: 1px;"> </td> <td style="border: 0.75pt solid #cccccc; width: 82.5px; padding: 4px; border-color: #2D3236; border-style: solid; border-width: 1px;"> </td> <td style="width: 131.667px; padding: 4px; border: 1px solid initial; border-color: #2D3236; border-style: solid; border-width: 1px;"> <p style="text-align: center;"><span style="font-size: 14px;"><a href="https://attack.mitre.org/techniques/T1562/001/"><strong>Impair Defenses: Disable or Modify Tools</strong></a></span></p> </td> <td style="width: 83.3333px; padding: 4px; border: 1px solid initial; border-color: #2D3236; border-style: solid; border-width: 1px;"> </td> <td style="border: 0.75pt solid #cccccc; width: 140px; padding: 4px; border-color: #2D3236; border-style: solid; border-width: 1px;"> <p style="text-align: center;"><span style="font-size: 14px;"><a href="https://attack.mitre.org/techniques/T1069/"><strong>Permission Groups Discovery</strong></a></span></p> </td> <td style="width: 87.5px; padding: 4px; border: 1px solid initial; border-color: #2D3236; border-style: solid; border-width: 1px;"> </td> <td style="width: 92.5px; padding: 4px; border: 1px solid initial; border-color: #2D3236; border-style: solid; border-width: 1px;"> </td> <td style="border: 0.75pt solid #cccccc; width: 73.3333px; padding: 4px; border-color: #2D3236; border-style: solid; border-width: 1px;"> </td> </tr> <tr> <td style="border: 0.75pt solid #cccccc; width: 61.6667px; padding: 4px; border-color: #2D3236; border-style: solid; border-width: 1px;"> </td> <td style="border: 0.75pt solid #cccccc; width: 82.5px; padding: 4px; border-color: #2D3236; border-style: solid; border-width: 1px;"> </td> <td style="width: 131.667px; padding: 4px; border: 1px solid initial; border-color: #2D3236; border-style: solid; border-width: 1px;"> <p style="text-align: center;"><span style="font-size: 14px;"><a href="https://attack.mitre.org/techniques/T1036/003/"><strong>Masquerading: Rename System Utilities</strong></a></span></p> </td> 
<td style="width: 83.3333px; padding: 4px; border: 1px solid initial; border-color: #2D3236; border-style: solid; border-width: 1px;"> </td> <td style="border: 0.75pt solid #cccccc; width: 140px; padding: 4px; border-color: #2D3236; border-style: solid; border-width: 1px;"> <p style="text-align: center;"><span style="font-size: 14px;"><a href="https://attack.mitre.org/techniques/T1069/001/"><strong>Permission Groups Discovery: Local Groups</strong></a></span></p> </td> <td style="width: 87.5px; padding: 4px; border: 1px solid initial; border-color: #2D3236; border-style: solid; border-width: 1px;"> </td> <td style="width: 92.5px; padding: 4px; border: 1px solid initial; border-color: #2D3236; border-style: solid; border-width: 1px;"> </td> <td style="border: 0.75pt solid #cccccc; width: 73.3333px; padding: 4px; border-color: #2D3236; border-style: solid; border-width: 1px;"> </td> </tr> </tbody> </table></span> <!-- IOC PopUp Modal --> <!-- --> <!-- Social Share --> <div class="cr-blog-post__social-sharing"> <span>Share</span> <div id="hs_cos_wrapper_module_161724375084957" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module widget-type-social_sharing" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module"> <div class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_social_sharing" data-hs-cos-general-type="widget" data-hs-cos-type="social_sharing"> <a href="https://twitter.com/intent/tweet?original_referer=https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware&utm_medium=social&utm_source=twitter&url=https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware&utm_medium=social&utm_source=twitter&source=tweetbutton&text=" target="_blank" rel="noopener" style="width:16px;"> <img src="https://www.cybereason.com/hubfs/dam/images/images-web/blog-images/template-images/twitter-gray.svg" class="hs-image-widget hs-image-social-sharing-24" style="height:16px;width:16px;" width="16" hspace="0" alt="Share on twitter"> 
Anydesk Breach Aftermath</span></a></h4> <p>AnyDesk, one of the world’s leading providers of Remote Management and Monitoring (RMM) software, confirmed they had identified a compromise of production systems.</p> </div> </div> <div class="column is-6-fullhd is-6-desktop is-full-mobile blog-listing__single-post"> <div class="text-content-bundle"> <a href="https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware"><img src="https://www.cybereason.com/hubfs/Vs%20%283%29.png" alt="Cybereason vs. BlackCat Ransomware"></a> <h4><a href="https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware"><span class="underline">Cybereason vs. BlackCat Ransomware</span></a></h4> <p>BlackCat Ransomware gained notoriety quickly leaving a trail of destruction behind it, among its recent victims are German oil companies, an Italian luxury fashion brand and a Swiss Aviation company. Cybereason XDR detects and blocks BlackCat Ransomware...</p> </div> </div> </div> </div> </section></div> </div><!--end widget-span --> </div><!--end row--> </div><!--end row-wrapper --> <div class="row-fluid-wrapper row-depth-1 row-number-3 "> <div class="row-fluid "> <div class="span12 widget-span widget-type-custom_widget " style="" data-widget-type="custom_widget" data-x="0" data-w="12"> <div id="hs_cos_wrapper_module_161767462015235" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module widget-type-blog_subscribe" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module"><div class="cr-mln__blog-listing-page__subscribe-footer"> <div class="container container-is-blog columns page-center"> <div class="column is-8-fullhd is-8-desktop is-10-tablet is-12-mobile"> <span class="tag">NEWSLETTER</span> <h3>Never miss a blog</h3> <p>Get the latest research, expert insights, and security industry news.</p> <a class="cr-button cr-mln__subscribe" href="#blog-subscribe">Subscribe</a> </div> <!--<div class="column is-5-fullhd is-5-desktop is-half-tablet is-12-mobile 
is-offset-1-fullhd is-offset-1-desktop"> <div class="inputs-wrapper"> </div> </div>--> </div> </div></div> </div><!--end widget-span --> </div><!--end row--> </div><!--end row-wrapper --> <div class="row-fluid-wrapper row-depth-1 row-number-4 "> <div class="row-fluid "> <div class="span12 widget-span widget-type-custom_widget " style="" data-widget-type="custom_widget" data-x="0" data-w="12"> <div id="hs_cos_wrapper_module_166508001252918" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module"><div class="cr-sticky-cta-bar bg-black" id="sticky-bar"> <div class="content"> <span>Want to see the Cybereason Defense Platform in action?</span> <a class="cr-button cr-button__fill-yellow" href="https://www.cybereason.com/request-a-demo" target="_blank">Schedule a Demo</a> </div> <div class="close">X</div> </div></div> </div><!--end widget-span --> </div><!--end row--> </div><!--end row-wrapper --> </div><!--end body --> </div><!--end body wrapper --> <div class="footer-container-wrapper"> <div class="footer-container container-fluid"> <div class="row-fluid-wrapper row-depth-1 row-number-1 "> <div class="row-fluid "> <div class="span12 widget-span widget-type-custom_widget " style="" data-widget-type="custom_widget" data-x="0" data-w="12"> <div id="hs_cos_wrapper_module_16036762394194314" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module"><!-- FOOTER --> <footer class="cr-section cr-footer cr-footer__full"> <div class="container page-center"> <div class="columns"> <div class="column is-6-fullhd is-5-desktop cr-footer__col cr-footer__left"> <div class="cr-footer__Left-logo"> <a href="https://www.cybereason.com"> <img src="https://www.cybereason.com/hubfs/dam/images/images-web/logos/cr-brand/cr-logo-inline--primary-white.png"> </a> </div> </div> <div class="columns column is-6-fullhd is-6-desktop 
cr-footer__col cr-footer__right"> <div class="cr-footer__links-list column"> <h4>About</h4> <ul> <li><a href="https://www.cybereason.com/company/who-we-are">Who We Are</a> </li><li><a href="https://www.cybereason.com/company/careers">Careers</a> <!-- </li><li><a href="https://www.cybereason.com/company/leadership">Leadership</a> ---> </li><li><a href="https://www.cybereason.com/company/contact-us">Contact</a> </li></ul> </div> <div class="cr-footer__links-list column"> <h4>Resources</h4> <ul> <li><a href="https://www.cybereason.com/blog">Blog</a></li> <li><a href="https://www.cybereason.com/resources/tag/case-study">Case Studies</a></li> <li><a href="https://www.cybereason.com/resources/tag/webinars">Webinars</a></li> <li><a href="https://www.cybereason.com/resources/tag/white-papers">White Papers</a></li> </ul> </div> <div class="cr-footer__links-list column"> <h4>Platform</h4> <ul> <li><a href="https://www.cybereason.com/platform">Overview</a></li> <li><a href="https://www.cybereason.com/platform/endpoint-prevention">Endpoint Protection</a></li> <li><a href="https://www.cybereason.com/platform/endpoint-detection-response-edr">EDR</a></li> <li><a href="https://www.cybereason.com/platform/managed-detection-response-mdr">MDR</a></li> </ul> </div> </div> </div> </div> <div class="container page-center"> <div class="columns cr-footer__bottom-bar"> <div class="column"> <p>©Cybereason 2024. 
All Rights Reserved.</p> </div> <div class="column bottom-bar__links"> <ul> <li><a href="https://www.cybereason.com/terms-of-use">Terms of Use</a></li> <li><a href="https://www.cybereason.com/privacy-notice">Privacy Notice</a></li> <li><a href="https://www.cybereason.com/ccpa-privacy-request">Do Not Sell</a></li> <li><a href="https://www.cybereason.com/security">Security</a></li> <!--<li><a href="#">Cookie Policy</a></li>--> </ul> </div> <div class="column bottom-bar__social"> <ul> <li><a class="facebook" href="https://www.facebook.com/Cybereason/"></a></li> <li><a class="twitter" href="https://twitter.com/cybereason"></a></li> <li><a class="youtube" href="https://www.youtube.com/channel/UCOm7AaB0HiNH4Phe66sK0Ew"></a></li> <li><a class="linkedin" href="https://www.linkedin.com/company/cybereason"></a></li> <li><a class="instagram" href="https://www.instagram.com/cybereason"></a></li> </ul> </div> </div> </div> </footer></div> </div><!--end widget-span --> </div><!--end row--> </div><!--end row-wrapper --> </div><!--end footer --> </div><!--end footer wrapper --> <!-- HubSpot performance collection script --> <script defer src="/hs/hsstatic/content-cwv-embed/static-1.1293/embed.js"></script> <script src="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/42507089303/1644440411417/__CR_Web_Platform/JS/animatedModal/animatedModal.min.js"></script> <script> var hsVars = hsVars || {}; hsVars['language'] = 'en'; </script> <script src="/hs/hsstatic/cos-i18n/static-1.53/bundles/project.js"></script> <script src="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/41681847227/1644941386128/module_41681847227_CR_-_Malicious_Life_Network_--_Tier_One_Header.min.js"></script> <script src="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/41682410610/1644941443113/module_41682410610_CR_-_Malicious_Life_Network_--_Main_Hero.min.js"></script> <script 
src="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/43300360745/1724042213858/module_43300360745_CR_-_Malicious_Life_Network_--_Related_Posts.min.js"></script> <script src="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/86933076631/1669911113440/module_86933076631_CR_-_Sticky_CTA_Bar.min.js"></script> <!-- Start of HubSpot Analytics Code --> <script type="text/javascript"> var _hsq = _hsq || []; _hsq.push(["setContentType", "blog-post"]); _hsq.push(["setCanonicalUrl", "https:\/\/www.cybereason.com\/blog\/cybereason-vs-egregor-ransomware"]); _hsq.push(["setPageId", "37958624375"]); _hsq.push(["setContentMetadata", { "contentPageId": 37958624375, "legacyPageId": "37958624375", "contentFolderId": null, "contentGroupId": 5272851739, "abTestId": null, "languageVariantId": 37958624375, "languageCode": "en", }]); </script> <script type="text/javascript" id="hs-script-loader" async defer src="/hs/scriptloader/3354902.js"></script> <!-- End of HubSpot Analytics Code --> <script type="text/javascript"> var hsVars = { render_id: "e04a4e23-fea6-49a4-b76e-b60d67a14850", ticks: 1732058373046, page_id: 37958624375, content_group_id: 5272851739, portal_id: 3354902, app_hs_base_url: "https://app.hubspot.com", cp_hs_base_url: "https://cp.hubspot.com", language: "en", analytics_page_type: "blog-post", scp_content_type: "", analytics_page_id: "37958624375", category_id: 3, folder_id: 0, is_hubspot_user: false } </script> <script defer src="/hs/hsstatic/HubspotToolsMenu/static-1.354/js/index.js"></script> <script>if ($('[id^="hs_form"]').length > 0) { var myInterval = setInterval( function() { var myFields = document.getElementsByClassName('hs-input'); if (myFields.length > 0) { clearInterval(myInterval); for (var i = 0; i < myFields.length; i++) { var myField = myFields[i]; var myTagName = myField.tagName.toLowerCase(); if (myTagName == 'input' || myTagName == 'textarea') { if (myField.placeholder != null) { myField.placeholder = 
myField.placeholder.replace('*', ''); } } else if (myTagName == 'select') { myField.options[0].innerHTML = myField.options[0].innerHTML.replace('*', ''); } } } }, 100); } </script> <div id="fb-root"></div> <script>(function(d, s, id) { var js, fjs = d.getElementsByTagName(s)[0]; if (d.getElementById(id)) return; js = d.createElement(s); js.id = id; js.src = "//connect.facebook.net/en_GB/sdk.js#xfbml=1&version=v3.0"; fjs.parentNode.insertBefore(js, fjs); }(document, 'script', 'facebook-jssdk'));</script> <script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src="https://platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script","twitter-wjs");</script> <script> function sticky_relocate() { var window_top = $(window).scrollTop(); var div_top = $('#sticky-anchor').offset().top; if (window_top > div_top) { $('#sticky').addClass('stick'); } else { $('#sticky').removeClass('stick'); } } $(function() { $(window).scroll(sticky_relocate); sticky_relocate(); }); </script> <!-- Generated by the HubSpot Template Builder - template version 1.03 --> <script type="text/javascript" src="/_Incapsula_Resource?SWJIYLWA=719d34d31c8e3a6e6fffd425f7e032f3&ns=1&cb=2122797725" async></script></body></html>