EGREGOR ransomware – a deep dive into its activities and techniques
Andy Ful (post 912626) wrote:

"One of the most active ransomware groups, Egregor is part of the Sekhmet malware family that has been active since mid-September 2020. Like most other ransomware groups, it targets organizations across the world. The ransomware operates by hacking into organizations, stealing sensitive user documents, encrypting data, and finally demanding ransom in exchange for decrypted documents."

....

"Allegedly, 52 companies have been breached by the threat actor till today (as of October 30, 2020), from GEFCO group being among the first ones to the more recently affected organizations such as Crytek, Ubisoft, Foxtons Group, and Barnes & Noble."

....

[Attachment 248570]

...

"The Egregor Ransomware family shares functionalities of other ransomware actors like Clop Ransomware. As per the intelligence analysis, the threat actor has a possible link to TinyMet (https://twitter.com/hashtag/TinyMet?src=hashtag_click) Payload (https://twitter.com/hashtag/Payload?src=hashtag_click) v0.2, which was used by Clop Ransomware as a precursor for the TA505 Post-Exploitation Operation. The malware hosting server has been traced back and identified as the server with IP 49.12.104[.]241, located in Germany, as shown in the figure below.

[Attachment 248571]

The ransomware possesses multiple anti-analysis techniques such as code obfuscation and packed payloads."

...

"Unfortunately, there are no third-party tools that can decrypt files encrypted by this threat actor, considering that the user needs a private key from the hacker server to decrypt the files. The cyber criminals behind this ransomware are the only ones with the decryption software and key."

Look at the below article for more details:
https://cybleinc.com/2020/10/31/egregor-ransomware-a-deep-dive-into-its-activities-and-techniques/