July 21, 2021 | By Chris Caridi co-authored by Allison Wikoff | 8 min read

Ransomware attacks are topping the charts as the most common attack type to target organizations with a constant drumbeat of attacks impacting industries across the board. In fact, IBM Security X-Force has seen a more than 10% increase in ransomware incident response requests compared to this time last year.

Ransomware is well on its way toward becoming a global billion-dollar enterprise – one that victims are funding. Attackers are operating like a well-oiled business industry, yielding high profits in a year that most businesses struggled. Why? The new ransomware business model is relentless, extortive and paying off.

IBM Security X-Force Threat Intelligence analysts, together with Cylera, an IoT and medical device security intelligence company that works with IBM Security to deliver IoMT solutions, have obtained and analyzed hours of chat correspondence and negotiations that occurred in December 2020 between the notorious Egregor ransomware actors, responsible for upwards of $80 million dollars in losses globally. The chat correspondence had negotiations with approximately 40 victim organizations they chatted with. The activity uncovered in these chat transcripts provides valuable insight into how some ransomware actors operate – from how they conduct ransom payment negotiations, to the strategies and operational structure they used.

Although law enforcement took action against Egregor operations in February 2021, this discovery provides the following insightful takeaways:

  • Defining the Ransom Demand – Initial ransom amounts ranged from $100,000 to $35 million. The average initial ransom demanded was $5 million. During one negotiation, the threat actors indicated that their initial ransom demand is 5-10% of the potential estimated loss associated with a data leak.
  • Ransom Negotiations – Several factors played a role in determining the final negotiated ransom amount or data leak outcome, including the operators’ perception of the victim’s ability and willingness to pay as well as the victim’s negotiation strategies such as attempting to buy time and delay the payment.
  • Operational Structure – The chats reveal a highly sophisticated organized crime group was behind Egregor operations. Numerous roles or teams were mentioned including the financial department, data manager, attackers/IT specialists, PR manager, publications manager and decryption tool master-maker.
  • Compassion with a Catch – X-Force researchers maintain the operators of ransomware like Egregor are nefarious actors. However, the chat logs revealed a few glimpses of what could be perceived as empathy or practical consideration. During one negotiation, Egregor offered to provide the decryption key, in exchange for the organization publicly announcing that the group does not intentionally target hospitals or charities. In a chat with another victim, the threat actors discuss the hardships of COVID-19, even wishing the victim happy holidays.

What is ‘Egregor’?

The Egregor ransomware was first reported publicly in mid-2020, making it a relatively new entry into the criminal economy. Egregor operators work through an affiliate model, meaning a small group of actors run and maintain the Egregor code base and other actors purchase access to Egregor and use the malware on systems they infect. This model is best known as Ransomware as A Service (RaaS).

Many security analysts speculated that Egregor was the follow-up to the Maze ransomware, pointing to significant technical overlap between the two ransomware families after Maze’s threat actors declared retirement in November 2020. Egregor gained significant recognition in 2021 as affiliates shifted from Maze to using this new ransomware family and leaked stolen information from impacted organizations, extorting them in efforts to collect a ransom.

The impact of Egregor ransomware has been felt worldwide with an estimated $80 million dollars in profit through their operations against at least 150 organizations. Regarding victims, the highest number of reported cases was in the United States with infections clustered primarily within the manufacturing and retail industries.  Some of the larger targets have included Barnes and Noble, Randstad, French logistics firm Gefco and video game companies Ubisoft and Crytek.

In February 2021, a joint French and Ukrainian law enforcement operation disrupted Egregor’s infrastructure and arrested multiple Egregor associates.  As of the time of this publication, X-Force researchers are not aware of active Egregor intrusions.

What’s in a Ransom?

After reviewing elaborate chat logs between Egregor actors and representatives from victimized organizations, we obtained interesting insights about how the ransom amount was fixed and the overall negotiation process. In a common flow of events, upon initial contact with victims, X-Force and Cylera analysts observed Egregor ransomware actors making an initial demand for a ransom payment that depended on the victim and their perceived ability to pay.

Analysis of approximately 50 ransom negotiations in Egregor chat logs from December 2020 shows that ransom demands varied wildly.

Average initial ransom demand$5,024,000
Average ransom payment$387,700
Highest initial ransom demand$35,000,000
Lowest initial ransom demand$100,000
Sum of all ransom demands$226,080,000

Figure 1: Egregor ransom demands and average ransom payment, in U.S. dollars, December 2020 (Source: IBM X-Force/Cylera)

How each ransom amount was determined was likely a judgment call based on a combination of publicly available information about the victim along with what the operators perceived the victim could afford to pay.

Ultimately, researchers observed that the threat actors appeared to strike a balance between a victim’s ability and willingness to pay while considering multiple additional factors. In one negotiation, Egregor actors gave the victim organization an initial ransom demand of $1.7 million. Through some negotiating by the victim, explaining they were a small company, Egregor operators decreased the ransom to $1 million.

In another example, Egregor operators alluded to using an analyst associated with Egregor operations to estimate a victim’s total loss if they were to forego paying the ransom and instead suffer a data leak. The attacker’s comments indicate that the initial ransom demand is 5-10% of that estimated loss.

, This Chat is Being Recorded: Egregor Ransomware Negotiations Uncovered, The Cyber Post

In another example, a victim pleads with the attackers for a lower ransom price due to the inability to pay as a result of COVID-19 pandemic-related hardships. The Egregor actors demanded proof from the victim that they were experiencing financial hardships, even going as far as requesting information from the IRS.

, This Chat is Being Recorded: Egregor Ransomware Negotiations Uncovered, The Cyber Post

Buying Time: A Victim’s Strategy

Deciding whether to pay and negotiating with the attackers is a hotly contested endeavor in the security community. Both paying a ransom or deciding not to pay carry consequences. We encourage organizations to review X-Force’s Definitive Guide to Ransomware, which lists the main topics companies should consider when the question arises as to whether they should pay a ransom.

Our review of the Egregor chat logs provides some insight into what mitigation or ransom reduction techniques could be effective if one is ever faced with a ransomware incident:

  • Using company size to discount the ransom: In some cases, victims explained the size of their business with Egregor actors, which resulted in lower ransom demands.
  • Getting money and cryptocurrency takes time: In other instances, analysts observed victims explaining the process for acquiring money to pay the ransom, which extended the time before the actors leaked information about the compromised organization.
, This Chat is Being Recorded: Egregor Ransomware Negotiations Uncovered, The Cyber Post

Well-Organized Organized Cybercrime

While parsing through multiple conversations, X-Force and Cylera analysts noticed a variety of roles the threat actors alluded to during the negotiation process.

Egregor negotiators referred to themselves as “members of the support team” who only get a fixed salary and fear being fired. During discussions, they referred to other teams, including the financial department, data manager, attackers/IT specialists, PR manager, publications manager, and decryption tool master-maker.

, This Chat is Being Recorded: Egregor Ransomware Negotiations Uncovered, The Cyber Post

Operators with a Heart?

Despite the intention of stealing millions of dollars from victims, the attackers have backed off from their demands in some circumstances if they believed they could receive positive press for doing so.

In one instance, X-Force and Cylera analysts observed negotiations between Egregor and a charity.  After a long conversation between the victim organization and Egregor operators, Egregor offered to provide the decryption key, asking that the organization publicly announce that the group does not intentionally target hospitals or charities.

, This Chat is Being Recorded: Egregor Ransomware Negotiations Uncovered, The Cyber Post

In another ransom negotiation, the victim, a small U.S. dental practice, and Egregor support are discussing the hardships of 2020, specifically COVID-19.

Key Takeaways

Despite the holiday wishes and reduced ransom in some instances, the December 2020 chat logs obtained by X-Force and Cylera demonstrate that many Egregor attacks were a successful, ruthless criminal operation. Although the threat actors have ceased from using the Egregor ransomware family specifically, and only since the law enforcement activity in February 2021, X-Force analysts believe that a new infrastructure can be mounted and the same code can be used again in its original form or as modified code. Moreover, with these attacks yielding extremely high profits for those residing in less prosperous parts of the world, new ransomware families and gangs will continue to emerge and may take Egregor’s place in the near future.

Ransomware attacks continue to be the top threat to organizations globally as this threat grows and expands its reach year over year. Yet, even in the face of sophisticated threats, there are actions companies can take that can help mitigate risks and minimize damage:

  • Establish and drill an incident response team. Whether in-house or as a retained service, the formation of an incident response team and drilling the most relevant attack scenarios to your organization can make a big difference in attack outcomes and costs.
  • Establish and maintain offline backups. Ensure you have files safely stored from attacker accessibility with read-only access. Also consider the use of offsite/cold storage solutions. The availability of backup files is a significant differentiator for organizations that can help recover from a ransomware attack.
  • Implement a strategy to prevent unauthorized data theft, especially as it applies to uploading large amounts of data to legitimate cloud storage platforms that attackers can abuse. Consider blocking outbound traffic to unapproved cloud hosting services.
  • Employ user and entity behavior analytics to identify potential security incidents. When triggered, assume a breach has taken place. Audit, monitor and quickly act on suspected abuse related to privileged accounts and groups.
  • Deploy multifactor authentication on all remote access points into an enterprise network — with particular care given to secure or disable remote desktop protocol (RDP) access. Multiple ransomware attacks have been known to exploit weak RDP access to gain initial entry into a targeted network.
  • Use penetration testing to identify weak points in enterprise networks and vulnerabilities that should be prioritized for patching. In particular, we recommend implementing mitigations for CVE-2019-19781, which multiple threat actors have used to gain initial entry into enterprises in 2020 and 2021 — including for ransomware attacks.
  • Consider prioritizing the immediate remediation, as applicable, of the following frequently exploited software vulnerabilities:
    • CVE-2019-2725
    • CVE-2020-2021
    • CVE-2020-5902
    • CVE-2018-8453

VPN-related CVEs

  • CVE-2019-11510
  • CVE-2019-11539
  • CVE-2018-13379
  • CVE-2019-18935
  • CVE-2021-22893

RDP

  • Restrict port access on TCP port 3389
  • Apply multifactor authentication to remote access logins
  • Remediate RDP vulnerabilities such as Windows RDP CVE-2019-0708 (BlueKeep)
  • CVE-2020-3427
  • CVE-2020-0610
  • CVE-2020-0609

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: U.S. Hotline: 1-888-241-9812 | Global Hotline: +(001) 312-212-8034. Learn more about X-Force’s threat intelligence and incident response services.