QakBot operators abandon ProLock for Egregor ransomware

Group-IB has discovered that QakBot (aka Qbot) operators have abandoned ProLock for Egregor ransomware. Egregor has been actively distributed since September 2020 and has so far hit at least 69 big companies in 16 countries. The biggest ransom demand detected by Group-IB team has been at $4 million worth of BTC.

Egregor ransomware

During recent incident response engagements Group-IB DFIR (Digital Forensics and Incident Response) team has noticed a significant change in QakBot operators’ tactics, the gang started to deploy a new Egregor ransomware family.

This ransomware strain emerged in September 2020, but the threat actors behind already managed to lock quite big companies, such as game developers Crytek, booksellers Barnes & Noble, and most recently a retail giant Cencosud from Chile.

ProLock = Egregor

The analysis of attacks where Egregor has been deployed revealed that the TTPs used by the threat actors are almost identical to the ones used by the ProLock operators, whose campaigns have been described in Group-IB blog post in May.

First, the initial access is always gained via QakBot delivered through malicious Microsoft Excel documents impersonating DocuSign-encrypted spreadsheets. Moreover, Egregor operators have been using Rclone for data exfiltration – same as with ProLock.

Same tools and naming convention have been used as well, for example md.exe, rdp.bat, svchost.exe. Hence, all of the above considered, Group-IB experts assess it’s very likely that QakBot operators have switched from ProLock to Egregor ransomware.

Geography and victims

The gang behind Egregor followed in Maze’s footsteps, who called it quits not long ago. Egregor operators leverage the intimidation tactics, they threaten to release sensitive info on the leak site they operate instead of just encrypting compromised networks. The biggest ransom demand registered by the Group-IB team so far was at $4 million worth of BTC.

In less than 3 months Egregor operators have managed to successfully hit 69 companies around the world with 32 targets in the US, 7 victims in France and Italy each, 6 in Germany, and 4 in the UK. Other victims happened to be from the APAC, the Middle East, and Latin America. Egregor’s favorite sectors are Manufacturing (28.9% of victims) and Retail (14.5%).

Inside Egregor

While TTP’s of Egregor operators are almost identical to that of ProLock, the analysis of Egregor ransomware sample obtained during a recent incident response engagement revealed that the executable code of Egregor is very similar to Sekhmet. The two strains share some core features, use similar obfuscation technique.

Egregor source code bears similarities with Maze ransomware as well. The decryption of the final payload is based on the command-line provided password, so it is impossible to analyze Egregor if you don’t have command-line arguments provided by the attacker. Egregor operators use the combination of ChaCha8 stream cipher and RSA-2048 for file encryption.

“Tactics, techniques and procedures observed are very similar to those seen in the past Qakbot’s Big Game Hunting operations,” said Oleg Skulkin, senior DFIR analyst at Group-IB.

“At the same time, we see that these methods are still very effective and allow threat actors to compromise quite big companies with high success rate. It’s important to note, that the fact many Maze partners started to move to Egregor will most likely result in the shift in TTPs, so defenders should focus on known methods associated with Maze affiliates”.

Don't miss