
Qbot Banking Trojan Now Deploying Egregor Ransomware

Published 26 November 2020
Tags: other, cyber attacks, risk, technology
Source: Gov Info Security

Organizations should have an incident response or crisis management plan for ransomware events, knowing who to contact and what to do…

Dan Norman, Senior Solutions Analyst at the ISF.

Qbot, also known as Qakbot, first surfaced in 2008. The malware has been primarily deployed to steal banking data and credentials. Over the years, however, its operators have made adjustments to its source code to allow Qbot to deploy other types of malware, security researchers say (see: Qbot Banking Trojan Now Hijacks Outlook Email Threads). Previously, the operators behind Qbot distributed ransomware called ProLock. The Group-IB report notes, however, that starting in September, the cybercriminals switched to Egregor.
Egregor is the latest ransomware strain that uses a “hack-and-leak” strategy, where the cybercriminal gang threatens to leak the victims’ stolen data if the ransom demands are not met within a certain time. Other groups that are known to use this strategy are the now-defunct Maze group, which first popularized the tactic, and Sodinokibi, also known as REvil (see: Egregor Ransomware Adds to Data Leak Trend).

It’s unclear why the Qbot operators switched to Egregor, but the Group-IB researchers note one possibility could be the desire to capitalize on the effectiveness of the hack-and-leak tactics. Egregor has been linked to several high-profile incidents, including attacks against Barnes & Noble, Canon USA, Crytek and Ubisoft.

“In less than three months, Egregor operators have managed to successfully hit 69 companies around the world, with 32 targets in the U.S., seven victims in France and Italy each, six in Germany, and four in the U.K.,” the Group-IB report notes.

Affiliate Model

With ransomware developers increasingly offering their malicious tools through renting or service models, criminal groups are hiring more affiliates to help distribute the malware and carry out attacks, which increases profit margins for the operators who control the larger operations (see: More Ransomware-as-a-Service Operations Seek Affiliates).

“We have seen the creation of multiple ransomware variants and data leak sites every month, and this trend is likely to continue due to the high popularity of ransomware and ransomware-as-a-service (RaaS) variants,” Ivan Righi, cyber threat intelligence analyst at security firm Digital Shadows, tells Information Security Media Group.

Because a common tactic for many ransomware groups is to target vulnerabilities in Remote Desktop Protocol connections used in Windows devices, Righi says organizations should restrict RDP access behind a gateway to help prevent attacks.

Since these groups are prolifically advertising their services and toolkits, the number of attacks is likely to surge in the coming months, says Daniel Norman, senior analyst at the London-based Information Security Forum.

“Organizations should have an incident response or crisis management plan for ransomware events, knowing who to contact and what to do,” Norman says. “This should be regularly rehearsed so that if ransomware hits, the organization can recover swiftly. Payment of a ransom is also a contentious discussion – in many cases, the ransom may be cheaper than replacing a suite of locked devices. Therefore, it becomes a cost decision. However, you can never trust that the attacker will unlock the devices, making it a gray area.”