MCP Insights

Cybersecurity Threat Advisory: Egregor Ransomware

Posted on December 10, 2020 by Mike Beagles

As part of our effort to inform our clients about potential and serious cybersecurity issues, MCP provides advisories about vulnerabilities and exploits that could threaten the operations of their critical communications networks. Sign up to receive these advisories in your inbox as soon as they are released.

This week, there is a new critical alert that requires the mission-critical community’s immediate attention.

Advisory Overview

The ransomware-as-a-service variant “Egregor” is spiking across the cybersecurity and information technology (IT) landscape after the shutdown of the notorious Maze ransomware campaign. Some major organizations have fallen victim to the malware, including Kmart, Cencosud (a retail giant in South America), Randstad NV (the world’s largest staffing company and owner of, and Translink (Vancouver’s bus and rail transportation system).

The ransomware has been seen hijacking printers and repeatedly printing the ransom note. In the case of retail organizations, the ransom note has been printing on consumers’ receipts at checkout. Mission Critical Partners recommends deploying advanced endpoint protection to block ransomware pre-execution.

Technical Detail and Additional Information

What is the threat?

A new ransomware malware that appeared in September 2020 has taken largescale public sector and private sector organizations hostage. The Egregor ransomware recently infected numerous companies within the last month and is demanding payment for the compromised data. Sources have confirmed that many threat actors have moved to Egregor as their malware of choice since the Maze ransomware operation shut down, and attacks have been on a steady rise.

Why is this noteworthy?

The Egregor ransomware was first seen in September 2020, and since the initial sighting, the malware has been confirmed to have successfully impacted several well-known entities. Aside from the surge of infections, the Egregor ransomware variant takes a slightly more devious approach than other types of ransomware. In addition to stealing files, launching an encryption operation, and extorting the victim, the malware can flex its virtual muscles by “print bombing” the ransom note through attached printers, providing further evidence that the systems are breached.

What is the exposure?

An agency’s exposure to a ransomware attack varies greatly based on numerous variables; however, the overwhelming majority of ransomware attacks are initiated via phishing emails that contain a malicious payload, typically in the form of Word, Excel, Google, or DocuSign documents. Continuously training employees regarding how to recognize and report suspicious activities is key to protecting the company from a cyberattack. Once the malicious attachment has been opened, a commodity malware tool, such as Qbot, Ursnif, or IcedID, is downloaded along with CobaltStrike, a popular reconnaissance and lateral movement tool. After CobaltStrike is deployed, the threat actor can gain full access to the network within minutes.

What are the recommendations?

The current recommendations to mitigate the impact of a potential ransomware attack are as follows:

  • Ensure that endpoint protection software is up to date with the latest artificial intelligence (AI) functionalities and malware signatures.
  • Back up your data on a consistent basis.
  • It is a best practice to perform backup restorations periodically in a test environment to ensure that the backup process is functional. Also, ensure that the restoration process is solidified and documented in preparation of a real incident that requires restoration.
  • Ensure that data is being stored and transferred securely, following security best practices.
    • Examples of this include full disk encryption for data at rest, proper security measures for data in the cloud, and utilizing secure encryption protocols for data in transit.
  • Continuous training of employees to ensure that they recognize and report phishing emails.
  • Employees typically are hesitant to report suspicious emails, especially those with which they have interacted, due to fear of being reprimanded for being “the person who compromised the company.” It is imperative that employees understand that it is in their best interest to report the email and to err on the side of caution.

For more in-depth information about the recommendations, please visit the following links:

Mike Beagles has specialized experience with supporting mission critical communications agencies by providing technical expertise, strategic IT planning, and architecting both on-prem and shared systems for new and innovative technologies as well as legacy solutions. He currently manages the platform and suite of tools used to deliver MCP network and cybersecurity monitoring to our clientele.

Subscribe to Newsletter