The recent surge in Egregor ransomware activity inspired Palo Alto’s Unit 42 to create a full visualization of the techniques used by the attack group and the relevant courses of action security teams can take to respond.
In the Unit 42 ATOM Viewer, security pros can view in a table what tactics the attackers used, then click on a chart to see what to enable on a Palo Alto firewall. Companies that don’t use Palo Alto firewalls can map the information from the Viewer to the MITRE ATT&CK framework.
Jen Miller-Osborn, deputy director of threat intelligence at Unit 42, said organizations should also be aware of and monitor the use of commodity malware such as Qakbot, IcedID and Ursnif that could end up delivering Egregor ransomware as a second-stage payload.
Since it was first discovered in September 2020, Egregor has hit multiple industries globally, including organizations in the U.S., Europe, Asia Pacific and Latin America. In North America, some of Egregor's higher-profile attacks have included Barnes and Noble and Kmart, and one even led to a shutdown of the Vancouver metro last week.
Egregor holds many similarities to the supposedly shut-down Maze strain, in part because both were derived from the Sekhmet ransomware family. That has led to some debate within the research community about whether they are in fact one and the same. Miller-Osborn said that while affiliates who used the Maze ransomware to conduct their activities now appear to have moved on to Egregor to avoid disrupting their operations, there's no definitive proof that the Maze gang simply reformed as Egregor.