Introduction

Egregor ransomware made its first appearance in 2020 as it was being distributed by phishing emails that has a malicious attachment.
Attacks involving the Egregor ransomware have been frequent and have been recorded to target organisation of medium to large size from many countries including US, Japan, and UK.
There is no decryptor for any of the active variants of the Egregor ransomware and the average ransom required is $700,000 which can be paid via provided Tor chat addresses in the ransomware note.

Modus Operandi

Initial access

The threat actor uses a phishing email with a Microsoft Office word document file which contain a malicious macro script. As soon as the attachment is opened, the macro attempts to run a PowerShell code which attempts to download a banking Trojan like Qbot, icedID or Ursnif. These banking Trojans allows the threat actor to install a Cobalt Strike beacon that will give themself the capability to interact with the system to be download other payloads, collect credentials, disable security measures, and harvest information, for the purpose of lateral movement and privilege escalation.
Then Egregor will communicate to the C&C to download additional payloads. Two files that are downloaded are a batch file that is used to run Bitsadmin and Rundll to download and execute the Egregor payload and a Zip file that contains an RClone client that is renamed as “svchost”, and RClone config files that are need for exfiltration. To avoid detection and prevention during the installation of Egregor, the threat actor creates a Group Policy Object (GPO) to disable Windows Defender and then attempts to take down any third-party antivirus software.