Hi, I'm Your Ransomware Chat Support

Unsecured Egregor Chat Support Logs

with Ransomware Victims:

Insights and Analysis by IBM and Cylera

INTRODUCTION

IBM Security X-Force Threat Intelligence analysts, together with Cylera, an IoT and medical device security intelligence company that works with IBM Security to deliver IoMT solutions, have obtained hours of chat correspondence that occurred in December 2020 between the notorious Egregor ransomware actors, responsible for millions of losses globally, and victim organizations. The activity uncovered in these chat transcripts provides valuable insight into how some ransomware actors operate – from how they conduct ransom payment negotiations to the strategies and operational structure utilized.

Although law enforcement took action against Egregor operations in February 2021, this discovery provides the following insightful takeaways[1]:

• Ransom Amount – Initial ransom amounts ranged from $100 thousand to $35 million. The average initial ransom demanded was $5 million. During one negotiation, the threat actors indicated that their initial ransom demand is 5-10% of the potential estimated loss associated with a data leak.
• Ransom Negotiations – Several factors played a role in determining the final negotiated ransom or data leak outcome to include the operators' perceived victim's ability and willingness to pay as well as the victim's negotiation strategies such as buying time.
• Operational Structure – The chats reveal a highly sophisticated organized crime group was behind Egregor operations. Numerous roles or teams were mentioned including the financial department, data manager, attackers/IT specialists, PR manager, publications manager, and decryption tool master-maker.
• Compassion with a catch – X-Force researchers maintain the operators of ransomware like Egregor are nefarious actors. However, the chat logs revealed a few glimpses of what could be perceived as empathy or practical consideration. During one negotiation, Egregor offered to provide the decryption key, in exchange for the organization publicly announcing that the group does not intentionally target hospitals or charities. In a chat with another victim, the threat actors discuss the hardships of COVID-19, even wishing the victim happy holidays.

WHAT IS EGREGOR?

Egregor ransomware was first reported publicly in mid-2020, making it a relatively new entry in the criminal economy. Egregor operated on an affiliate model, meaning a small group of actors run and maintain the Egregor code base and other actors purchase access to Egregor to use on systems they infect, also known as ransomware as a service (RaaS). Many security analysts speculated that Egregor was the follow up to Maze ransomware after those threat actors declared retirement in November 2020, pointing to significant technical overlap between the two ransomware families.[2] Egregor gained significant recognition as affiliates shifted from Maze to using this new ransomware family and similarly leaked stolen information from impacted organizations in efforts to collect money.[3]

The impact of Egregor ransomware has been felt worldwide, with an estimated gain of $80 million dollars in profit through their operations against at least 150 organizations.[4] Regarding victims, the highest number of reported cases was in the United States with infections clustered primarily within the manufacturing and retail industries.[5]  Some of the larger targets have included Barnes and Noble, Randstad, French logistics firm Gefco, and video game companies Ubisoft and Crytek.  In February 2021, a joint French and Ukrainian law enforcement operation disrupted Egregor infrastructure and arrested Multiple Egregor associates.[6]  As of this publication, X-Force researchers are not aware of active Egregor intrusions.

WHAT'S IN A RANSOM?

Upon initial contact with victims, X-Force and Cylera analysts observed Egregor ransomware actors making an initial demand for a ransom payment depending on the victim and their perceived ability to pay. Analysis of approximately 50 ransom negotiations in Egregor chat logs from December 2020 show that ransom demands varied wildly.

How each ransom amount was determined was likely a judgement based on a combination of publicly available information about the victim along with what the operators perceived the victim could afford to pay. Ultimately, researchers observed the threat actors appeared to strike a balance between a victim's ability and willingness to pay while considering multiple additional factors.

In one negotiation, Egregor actors gave the victim organization an initial ransom demand of $1.7 million.  Through some negotiating by the victim, explaining they were a small company, Egregor operators decreased the ransom to $1 million. In another example, Egregor operators alluded to using an analyst associated with Egregor operations to estimate a victim's total loss due to data leak. The attacker's comments indicate that the initial ransom demand is 5-10% of that estimated loss.

In another example, a victim pleads with the attackers for a lower ransom price due to the inability to pay as a result of COVID pandemic related hardships. The Egregor actors demanded proof from the victim that they were experiencing financial hardships, even going as far as requesting information from the IRS.

BUYING TIME: VICTIM STRATEGY

Deciding if to pay and negotiating with the attackers is hotly contested in the security community. Our review of the Egregor chat logs provides some insight into what mitigation or ransom reduction techniques could be effective if faced with a ransomware incident.

Specifically, in some cases, victims explained the size of their business with Egregor actors which resulted in lower ransom demands.  In other instances, analysts observed victims explaining the process for acquiring money to pay the ransom which extended the time before the actors leaked information about the compromised organization.

Both paying a ransom and deciding not to pay carry consequences. We encourage organizations to review X-Force's The Definitive Guide to Ransomware which lists the main topics companies should consider when deciding to pay a ransom.

ORGANIZED CYBER CRIME

While parsing through multiple conversations, X-Force and Cylera analysts noticed a variety of different roles commonly alluded to during the negotiation process. Egregor negotiators refer to themselves as members of the support team. During discussions, they refer to other teams including the financial department, data manager, attackers/IT specialists, PR manager, publications manager, and decryption tool master-maker.

OPERATORS WITH A HEART?

Despite the intention of stealing millions of dollars from victims, the attackers have backed off from their demands in some circumstances if they believe they can receive positive press for doing so. In one instance, Cylera researchers and X-Force analysts observed negotiations between Egregor and a charity.  After a long conversation between the victim organization and Egregor operators, Egregor offered to provide the decryption key, asking that the organization publicly announce that the group does not intentionally target hospitals or charities.

In another ransom negotiation, the victim, a small US dental practice, and Egregor support are discussing the hardships of 2020, specifically COVID19.

KEY TAKEAWAYS

Despite the holiday wishes and reduced ransom in some instances, the December 2020 chat logs obtained by Cylera and X-Force demonstrate Egregor was a successful, ruthless criminal operation. Although the threat actors have ceased from using the Egregor ransomware family since the law enforcement activity in February 2021, X-Force and Cylera analysts believe new ransomware families will emerge in its place and that ransomware will continue to be the top threat to organizations globally as this threat has continued to grow year over year.[7] Yet, even in these difficult situations, there are actions companies can take that can help mitigate risks and minimize damage:

• Establish and maintain offline backups. Ensure you have files safely stored from attacker accessibility with read-only access. Also consider the use of offsite/cold storage solutions. The availability of backup files is a significant differentiator for organizations that can help recover from a ransomware attack.
• Implement a strategy to prevent unauthorized data theft, especially as it applies to uploading large amounts of data to legitimate cloud storage platforms that attackers can abuse. Consider blocking outbound traffic to unapproved cloud hosting services.
• Employ user and entity behavior analytics to identify potential security incidents.When triggered, assume a breach has taken place. Audit, monitor and quickly act on suspected abuse related to privileged accounts and groups.
• Employ multifactor authentication on all remote access points into an enterprise network — with particular care given to secure or disable remote desktop protocol (RDP) access. Multiple ransomware attacks have been known to exploit weak RDP access to gain initial entry into a network.
• Use penetration testing to identify weak points in enterprise networks and vulnerabilities that should be prioritized for patching. In particular, we recommend implementing mitigations for CVE-2019-19781, which multiple threat actors have used to gain initial entry into enterprises in 2020 and 2021 — including for ransomware attacks. In addition, consider prioritizing the immediate remediation, as applicable, of the following frequently exploited software vulnerabilities:
  • CVE-2019-2725
  • CVE-2020-2021
  • CVE-2020-5902
  • CVE-2018-8453

• VPN-related CVEs
  • CVE-2019-11510
  • CVE-2019-11539
  • CVE-2018-13379
  • CVE-2019-18935
  • CVE-2021-22893

For a demo or more information on Cylera's unique and patented capabilities to secure IoT, OT, and IoMT email us at demo@cylera.com, info@cylera.com, or partners@cylera.com

Check out these related Articles:

• Cylera Platform Datasheet
• HIPAA-Protected Malware: Exploiting DICOM Flaw to Embed Malware in CT/MRI Imagery
• Combating Ransomware is a National Priority: CISA Director Testifies

________________________________

[1] Leclere, Emmanuel. “Cybersécurité : des pirates "Egregor", à l'origine de l'attaque contre Ouest-France, interpellés en Ukraine” 12 Feb 2021. https://www.franceinter.fr/amp/justice/cybersecurite-des-pirates-egregor-a-l-origine-de-l-attaque-contre-ouest-france-interpelles-en-ukraine

[2] Gallager, Sean. “Egregor ransomware: Maze's heir apparent.” 8 December 2020.  https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/

[3] Abrams, Lawrence. “Maze is shutting down its cybercrime operation.” 29 Oct 2020. https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/

[4] Barth, Bradley. “The Egregor takedown: New tactics to battle ransomware groups show promise.” 18 February 2021.  https://www.scmagazine.com/home/security-news/ransomware/the-egregor-takedown-new-tactics-to-take-down-ransomware-groups-show-promise/

[5] Kost, Edward. “What is Egregor ransomware? The new threat of 2020.” 16 Dec 2020. https://www.upguard.com/blog/what-is-egregor-ransomware

[6] Leclere, Emmanuel. “Cybersécurité : des pirates "Egregor", à l'origine de l'attaque contre Ouest-France, interpellés en Ukraine” 12 Feb 2021. https://www.franceinter.fr/amp/justice/cybersecurite-des-pirates-egregor-a-l-origine-de-l-attaque-contre-ouest-france-interpelles-en-ukraine

[7] IBM X-Force. “IBM X-Force 2021 Threat Index” <date> https://www.ibm.com/downloads/cas/M1X3B7QG