The Egregor ransomware uses a classic approach to get a victim's attention after a successful attack: it blast-prints massive numbers of ransom notes to every printer reachable on the network. Got your attention now?
Ransomware crews know that businesses would rather hide a ransomware attack than make it public with something like an official breach notice. There are many reasons a company might hide a data breach or a cyber attack, and one of the most common is fear of a falling stock price.
Attackers have adapted and now make ransomware attacks public against the victim's will. To raise public awareness of the attack and pressure the victim into paying, the Egregor operation is known to repeatedly print its ransom note from all available network and local printers after an attack.
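A detection rule for the print blast, as an added example that is not from the original article and not derived from any Egregor sample: it parses constructed log lines in the shape of Windows Microsoft-Windows-PrintService/Operational Event ID 307 ("a document was printed") and alerts when one account on one host sends the same document to several distinct printers inside a short window. A normal user prints one document to one queue; a note blast fans one file out to every queue it can enumerate. The line layout with an RFC 3339 timestamp prepended, the sample records, the 60-second window and the threshold of three printers are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"time"
)

// PrintJob is one PrintService/Operational Event ID 307 record reduced to
// the fields the rule needs.
type PrintJob struct {
	When    time.Time
	Doc     string
	Owner   string
	Host    string
	Printer string
}

// evt307 matches "<RFC3339 time> Document N, <doc> owned by <user> on <host>
// was printed on <printer> through port <port>. ..." as an assumed log
// forwarder emits it: one line per event with the timestamp prepended.
var evt307 = regexp.MustCompile(
	`^(\S+) Document \d+, (.+?) owned by (\S+) on (\S+) was printed on (.+?) through port `)

// parseEvents turns raw lines into PrintJob records and skips anything that
// is not an Event 307 line with a parsable timestamp.
func parseEvents(lines []string) []PrintJob {
	var jobs []PrintJob
	for _, ln := range lines {
		m := evt307.FindStringSubmatch(ln)
		if m == nil {
			continue
		}
		ts, err := time.Parse(time.RFC3339, m[1])
		if err != nil {
			continue
		}
		jobs = append(jobs, PrintJob{When: ts, Doc: m[2], Owner: m[3], Host: m[4], Printer: m[5]})
	}
	return jobs
}

// Alert: one owner@host pushed the same document to at least minPrinters
// distinct printers inside a single window.
type Alert struct {
	Owner, Host, Doc string
	Printers         []string
}

func detectPrinterBlast(jobs []PrintJob, window time.Duration, minPrinters int) []Alert {
	sorted := append([]PrintJob(nil), jobs...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].When.Before(sorted[j].When) })
	type key struct{ owner, host, doc string }
	alerted := map[key]bool{} // one alert per (owner, host, document)
	var alerts []Alert
	for i := range sorted {
		k := key{sorted[i].Owner, sorted[i].Host, sorted[i].Doc}
		if alerted[k] {
			continue
		}
		// Slide a window starting at job i and collect distinct printers.
		printers := map[string]bool{}
		for j := i; j < len(sorted) && sorted[j].When.Sub(sorted[i].When) <= window; j++ {
			if (key{sorted[j].Owner, sorted[j].Host, sorted[j].Doc}) == k {
				printers[sorted[j].Printer] = true
			}
		}
		if len(printers) < minPrinters {
			continue
		}
		alerted[k] = true
		names := make([]string, 0, len(printers))
		for p := range printers {
			names = append(names, p)
		}
		sort.Strings(names)
		alerts = append(alerts, Alert{Owner: k.owner, Host: k.host, Doc: k.doc, Printers: names})
	}
	return alerts
}

// sampleLog is constructed for this example (not real telemetry): two
// ordinary jobs and one burst of the note hitting three queues in seconds.
var sampleLog = []string{
	"2020-11-10T09:00:00Z Document 12, Q3-report.docx owned by alice on \\\\WS01 was printed on Finance-HP through port IP_10.0.1.20. Size in bytes: 48210. Pages printed: 3. No user action is required.",
	"2020-11-10T09:14:05Z Document 88, RECOVER-FILES.txt owned by SYSTEM on \\\\WS07 was printed on Finance-HP through port IP_10.0.1.20. Size in bytes: 2048. Pages printed: 1. No user action is required.",
	"2020-11-10T09:14:06Z Document 89, RECOVER-FILES.txt owned by SYSTEM on \\\\WS07 was printed on Lobby-Canon through port IP_10.0.1.21. Size in bytes: 2048. Pages printed: 1. No user action is required.",
	"2020-11-10T09:14:06Z Document 90, RECOVER-FILES.txt owned by SYSTEM on \\\\WS07 was printed on Warehouse-Zebra through port IP_10.0.2.5. Size in bytes: 2048. Pages printed: 1. No user action is required.",
	"2020-11-10T09:14:08Z Document 91, RECOVER-FILES.txt owned by SYSTEM on \\\\WS07 was printed on Finance-HP through port IP_10.0.1.20. Size in bytes: 2048. Pages printed: 1. No user action is required.",
	"2020-11-10T09:20:00Z Document 13, invoice.pdf owned by bob on \\\\WS02 was printed on Finance-HP through port IP_10.0.1.20. Size in bytes: 9000. Pages printed: 1. No user action is required.",
}

func main() {
	for _, a := range detectPrinterBlast(parseEvents(sampleLog), 60*time.Second, 3) {
		fmt.Printf("ALERT: %s on %s sent %q to %d printers: %v\n", a.Owner, a.Host, a.Doc, len(a.Printers), a.Printers)
	}
}
```

The rule keys on the document name rather than on the job count alone so that a print server with heavy legitimate traffic does not trip it; in a real deployment the PrintService/Operational channel has to be enabled first, since it is off by default on Windows clients.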
What is Egregor?
What is known about Egregor is that it uses a hybrid AES+RSA scheme to encrypt files on a victim's systems and networks. No attribution to a specific attacker, crew, or nation state has been made yet.
Once the Egregor executable runs on a computer, it searches for target files and encrypts them. It then drops a ransom note titled RECOVER-FILES.txt containing a description of the attack and the steps the victim must take to recover the files. Here is an excerpt of the ransom note:
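The AES+RSA split described above, in its generic textbook form as an added example: this is not Egregor's code and makes no claim about Egregor's key sizes, modes or on-disk format. Each file gets a fresh AES-256-GCM key; that key is wrapped with RSA-OAEP under the operator's public key, and the matching private key never touches the victim's machine. The function names, the choice of GCM and OAEP, and the sample plaintext are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// sealedFile is the shape a hybrid AES+RSA locker leaves behind: the content
// under a per-file symmetric key, plus that key wrapped with the operator's
// RSA public key. Nothing on the victim's disk can recover fileKey.
type sealedFile struct {
	wrappedKey []byte // RSA-OAEP(pub, fileKey)
	nonce      []byte // 96-bit GCM nonce, unique per file
	ciphertext []byte // AES-GCM(fileKey, nonce, plaintext)
}

func hybridEncrypt(pub *rsa.PublicKey, plaintext []byte) (*sealedFile, error) {
	fileKey := make([]byte, 32) // AES-256, fresh for every file
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Bulk encryption is symmetric: fast and unbounded in size.
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	// Only the 32-byte key goes through RSA. OAEP with SHA-256 under a
	// 2048-bit modulus carries at most 190 bytes, so RSA never sees the file.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &sealedFile{wrappedKey: wrapped, nonce: nonce, ciphertext: ct}, nil
}

// hybridDecrypt is what a sold "decryptor" has to do: unwrap the per-file
// key with the private key first, then run AES-GCM.
func hybridDecrypt(priv *rsa.PrivateKey, sf *sealedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, sf.wrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: wrong or missing private key")
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// GCM is authenticated: a tampered blob fails here instead of
	// yielding garbage.
	return gcm.Open(nil, sf.nonce, sf.ciphertext, nil)
}

func main() {
	operator, _ := rsa.GenerateKey(rand.Reader, 2048) // private half stays with the attacker
	sf, err := hybridEncrypt(&operator.PublicKey, []byte("Q3 ledger (constructed sample)"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key: %d bytes, ciphertext: %d bytes\n", len(sf.wrappedKey), len(sf.ciphertext))
	stranger, _ := rsa.GenerateKey(rand.Reader, 2048)
	if _, err := hybridDecrypt(stranger, sf); err != nil {
		fmt.Println("without the operator's private key:", err)
	}
	plain, err := hybridDecrypt(operator, sf)
	fmt.Printf("with it: %q (err=%v)\n", plain, err)
}
```

The practical consequence for incident response follows directly from the structure: the public key can be carved out of a sample, but it is useless for recovery, and a memory image only helps if it was taken while a per-file key was still live in the process.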
The Ransom Note
What happened?
Your network was ATTACKED, your computers and servers were LOCKED, Your private data was DOWNLOADED.
What does it mean?
It means that soon mass media, your partners and clients WILL KNOW about your PROBLEM.
How it can be avoided?
In order to avoid this, To avoid this issue you are to COME IN TOUCH WITH US no later than within 3 DAYS and conclude the data recovery and breach fixing AGREEMENT.
What if I do not contact you in 3 days?
If you do not contact us in the next 3 DAYS we will begin DATA publication.
——————————-
That is not the threat, but the algorithm of our actions. If you have hundreds of millions of UNWANTED dollars, there is nothing to FEAR for you. That is the EXACT AMOUNT of money you will spend for recovery and payouts because of PUBLICATION.
What will I get in case of agreement?
You WILL GET full DECRYPTION of your machines in the network, FULL FILE LISTING of downloaded data, confirmation of downloaded data DELETION from our servers, RECOMMENDATIONS for securing your network perimeter. And the FULL CONFIDENTIALITY ABOUT INCIDENT.
Do not redact this special technical block, we need this to authorize you.
— EGREGOR —
To recover encrypted files, the victim is told to open the operators' website and submit their ransom note, whose "technical block" carries the victim's unique identifier; that is how the operators tie a visitor to a specific intrusion. Below is a screenshot of the Egregor website.
| Threat Name          | Egregor Ransomware                          |
| Threat Type          | Crypto-virus, File Locker, Encryption Virus |
| Ransomware Note File | RECOVER-FILES.txt                           |