New Egregor ransomware

Last week it was confirmed that the multinational Cencosud had reportedly
been affected by a new ransomware called Egregor. According to reports on
social networks, the attack affected the conglomerate's stores in the
Valparaíso Region (Chile) and in several South American countries, including Argentina.
The ransom note was apparently printed in one of the chain's supermarkets
at around 20:00 on Friday of last week.

According to an analysis by Appgate, the ransomware has been active
since September of this year. In this short time the ransomware has been
linked to attacks against organizations such as GEFCO, Ubisoft, Crytek and
Barnes & Noble. According to researchers, many of the affiliates of the Maze
ransomware have moved to this new family since Maze ceased operations on
1 November.

Customers can access the malware through a subscription; this type of
ransomware is known as Ransomware-as-a-Service (RaaS). The modus operandi is
the usual one: once the victim has been infected and their files have been
encrypted, the cybercriminals leave a ransom note on the victim's systems, or
use some other method by which the victim can read the note. The note tells
the victim that they have a limited period of time to contact the
cybercriminal group via the Tor browser. In addition, the ransom note warns
the victim that if payment is not made, the stolen data will be made
public.

Egregor registered two domains, one on 6 September 2020 and the second on
19 October 2020, in addition to a .onion domain. The domains this group uses
are intermittent, which is why the home page of the onion domain carries a
prominent disclaimer with a notice.

In the ransom note, in addition to indicating that the files have been
encrypted, the victim company is also given some recommendations for
protecting its network, with the group acting in this way as a
pentest team.

Egregor uses an obfuscation and packing technique to hinder analysis of the
ransomware itself. This functionality is very similar to Sekhmet's: the
ransomware payload can only be decrypted if the correct key is supplied on
the command line, which means that it cannot be analyzed without that key.

In terms of negotiation, Egregor is possibly the most aggressive. In this
case the victim is given only 72 hours to make contact with the threat
actor. If contact is not made within the time stipulated in the ransom note,
the group processes the victim's data for publication. Payment is made
through a special chat assigned to each victim, and the payment is received
in bitcoins.
