Digital lock on a chip board.

Ankura Cyber Threat Intelligence Bulletin

November 30, 2020

Observations

Over the past thirty (30) days, the Ankura Cybersecurity team has responded to dozens of matters attributed to a broad spectrum of threat groups. Threat actors continue to target vulnerable organizations and successfully harvest intellectual property and other valuable information. Ankura’s Cyber Threat Analysis and Pursuit Team (CTAPT) has noted a slight increase in ransomware cases and a marked surge in Microsoft Office 365 compromises. Our clients, and the general landscape, are experiencing an intensification of adversarial activity as 2020 rapidly comes to an end, and we expect this trend to continue as we all look to 2021 with an air of uncertainty.

Ankura’s Incident Response and Investigations teams have served clients impacted by various ransomware variants, large-scale Office 365 breaches, and focused intrusions targeting critical infrastructure. These clients include local municipalities, financial firms, insurance entities, and victims in the manufacturing sector. Ankura’s CTAPT maintains a portfolio of backstopped and “covert” personas specifically purposed to gain access and collect proactive and emerging intelligence from where threat actors operate and market their wares. When Ankura’s CTAPT detected a tactic shift, they collected and analyzed notable threat activity related to the “retirement” of the Maze cartel and the emergence of the “Egregor” ransomware group.

The sections that follow provide high level overviews of issues Ankura is tracking and includes some late-breaking Indicators of Compromise (IOC) that may be of use:

Maze Retirement

According to their “official” dark web site, actors associated with Maze announced the group’s retirement on November 1, 2020. The post began by confirming the “project” is closed and that any threat actor or link that claims to contribute or redirect to Maze should be considered a scam. The post seeks to clarify that a “Maze cartel” never existed and that Maze did not partner or designate official successors.

Figure 1: Headline of “retirement” post


Figure 2: Instructions for unresolved victims

The timing of the “retirement” announcement is certainly interesting, considering last month’s guidance from OFAC on paying ransoms to individuals linked to hostile foreign governments. However, Maze actors cited different reasons as to why the group was shutting down its operations:

Figure 3: Maze actors address questions on why they are retiring

According to the post, the Maze Project was started to raise awareness of existing data security issues and warns there will be many more projects like Maze. Furthermore, Maze indicates that they can easily gain access to critical systems like water, gas, electricity, and internet providers and launch a single attack that would essentially cut off access to these vital services. While Ankura cannot confirm or deny these allegations, analysis has determined that it is possible that actors previously associated with Maze may now be providing support to a newly formed group called “Egregor”.

Introduction to Egregor

Many in the cybersecurity discipline speculate that several of Maze’s affiliates are now affiliated with a newer ransomware variant known as Egregor. Most agree Egregor is a spinoff of the Sekhmet family of malware. Egregor ransomware renders the victim’s system(s) unusable until a determined ransom is paid. In addition to encrypting files, Egregor follows the Ransomware-as-a-Service (RaaS) model, giving the victim up to three days to pay the ransom before leaking parts of the stolen data and going to the media about the breach. Victims can find a ransom note titled “RECOVER-FILES.txt” which contains instructions on how to contact the threat actors and which steps to take next.

Figure 4: Screenshot of ransom note

Egregor first became active mid-September 2020, around the same time that Maze operations began to cease. Within this timeframe, Egregor has already claimed to have successfully compromised several large organizations in the e-commerce, video games, and software industries.

Figure 5: Screenshot of Egregor’s Victim site

In addition to using the RaaS model, Egregor uses a whole range of anti-obfuscation techniques and payload packing to prevent malware analysis. Since the Egregor ransomware is a variant of Sekhmet, its payload can only be decrypted once the correct key is entered within the process’ command line. This prevents the file from being analyzed, either manually or using a sandbox. The screenshots below were taken from Any.Run sandbox public submissions that show the prompt for the decryption password, which is unique for this infected system.

Figure 6: Screenshot showing specimen querying for decryption password

When a correct command line argument is passed, the payload injects an iexplore.exe process to encrypt text files and documents on the infected machine. The malware also checks for LogMeIn event logs and other log sources indicating that it actively searches for remotely connected machines or servers in an attempt to encrypt those sources as well.

Since the Egregor ransomware requires a unique private key from the threat actor’s server, there are no known existing tools that can decrypt the locked files. Currently, the threat actors seem to be focusing on targeting a variety of companies, such as online gaming, retailers, European automotive, book outlets, and more. However, as additional actors previously associated with Maze join Egregor, Ankura anticipates that targeting will expand significantly.

Resurgence of Ransom Denial of Service (RDoS)

As more organizations employ proactive measures to ensure that endpoints are hardened against ransomware campaigns, threat actors are once again turning their attention to the networks and edge systems used by these organizations. The tactics, techniques, and procedures (TTPs) associated with these campaigns are quite simple: the threat actor(s) send a ransom note demanding that the organization pay a large sum worth of cryptocurrency within a certain timeframe, typically a few days. If the demands of the ransom are not paid, the actors then begin flooding the victim’s network with packets, averaging around 800 million per second.

According to the FBI, multiple organizations hit by RDoS campaigns have reported small-sized demo attacks after receiving the ransom notes but, in most cases, they were not followed by Distributed Denial of Service (DDoS) activity after the six-day deadline expired. However, several organizations did report their operations were impacted by these “demo attacks” which peaked around 200 Gb/sec and leveraged a combination of SNMP, SYN, and DBS floods. Unfortunately, for many organizations, there is not a proven way to defend against these types of campaigns once adversarial traffic reaches the organization’s network, since these campaigns must be fought further upstream and away from the victim’s network.

If your organization is faced with a ransom threat that suggests non-payment will result in a Denial of Service attack, seek to work with your internet service provider (ISP), law enforcement, and if needed, a third-party that can help respond and mitigate this type of event. For example, engaging an upstream ISP can help to mitigate malicious User Datagram Protocol (UDP) traffic while working with law enforcement and third-party networking providers can prevent the attackers from leveraging certain IP addresses in the future.