Developing Threat Intelligence Against Egregor Ransomware

Beginning September 30th, cybersecurity teams from Ascent Solutions and Pathfynder worked to defend a client from Egregor ransomware. Egregor’s notable traits are data exfiltration prior to live and backup system encryption as well as requiring victims to contact threat actors to arrange ransom payment via the dark web. Ascent takes an intelligence-driven approach to Digital Forensics and Incident Response (DFIR) activities. However, because Egregor is so new to the threat landscape, there is little actionable intelligence available to drive that type of strategic approach to DFIR activities. Ascent’s investigation into Egregor yielded a straightforward process DFIR teams can use to develop the correct intelligence in order to take action and eradicate further ransomware threats. The response team gathered internal, counter, and external intelligence before asking the critical questions that enabled them to develop a response appropriate to the predicted risk level.

Internal Intelligence

Internal intelligence was collected from the client’s affected computers immediately after Ascent was contacted to respond to the ransomware. The team collected logs and data from the deployed antivirus solution as well as existing Windows event logs. This allowed the development of an initial intelligence hypothesis stemming from the files and executables as well as the client’s associated hashes. The intelligence was actionable at some level, as it allowed the Incident Response cycle to continue. However, it was not enough to drive all required remaining activities. Frequently, DFIR teams stop when they finish collecting internal intelligence. While arguably the most important, internal intelligence alone is insufficient in providing the full assessment needed when a new ransomware is crippling an organization.


The second type of intelligence collected was all publicly available data about Egregor. As it is a Sekhmet variant, it became comparably easy to conduct Open Source Intelligence (OSINT) about Sekhmet, and as the threat actors had provided a ransomware note with their .top and .onion domains, it allowed the team to develop an intelligence profile of the Egregor team. The counterintelligence enabled Ascent to form a hypothesis about the way in which the Egregor team operated, as all public-facing IT systems either confirmed or indicated their techniques, tactics, and procedures. Unfortunately, when taken independently, counterintelligence alone is not entirely actionable information.

External Intelligence

The last step in investigating Egregor was gathering external intelligence about the client. This practice of “turning the map around” often fills in gaps left after internal and counterintelligence efforts, aids in forming an initial hypothesis of Patient Zero, and uncovers other potential indicators of compromise. In this case, external intelligence consisted of gathering a current state cyber threat assessment against the client organization. This exercise aims to determine where the weak spots are from an attacker’s point of view, with an objective of assessing what data they might have stolen and what might have the highest value to the threat actor. Like the internal intelligence and the counterintelligence gathered previously, the low amount of data gathered externally was not actionable enough to complete DFIR activities.

Intelligence Officer Makes the Call

It was the intersection of internal intelligence, counterintelligence, and external Intelligence that allowed our skilled DFIR team to probe the model and ask informed questions regarding what was and was not known and, ultimately, fill in the valuable blanks. This level of formal intelligence assessment could then be provided to counsel, insurance, and the client to recommend a course of action based on a predicted level of risk. It also enables a far more informed conversation around mitigation, eviction, and cleanup. There is always intelligence a DFIR team can use – even when that intelligence is simply the lack of something that should be there. For the Ascent and Pathfynder teams, Intelligence-driven DFIR is more than a subtitle—it is an accelerator that allows us to uniquely engage in defense of our clients against any threat.

By Ascent Solutions