Egregor Ransomware Hits Randstad, Kmart, and Vancouver's Metro Transit System
Table of Contents
- By Dawna M. Roberts
- Published: Dec 08, 2020
- Last Updated: Mar 18, 2022
Egregor ransomware is making headlines again, this time attacking Randstad, retail giant Kmart, and Vancouver's metro transit system. Where will it all end?
What is Egregor Ransomware
Egregor is the name given to a very sophisticated piece of malware that hackers are using for ransomware. It was first discovered in September 2020 and is quickly becoming the largest threat to cybersecurity around the world.
In November, Egregor was used in attacks on gaming companies Ubisoft and Crytek and was responsible for an attack on Barnes and Noble.
The cyber thieves who use Egregor use extortion along with ransomware attack for their operations. The complex piece of software first exfiltrates all the data from the server or victim's hard drive then encrypts it so the owner cannot access it. After that, a ransom note is displayed as the thief waits for payment. In an aggressive move, hackers give the victim only 72 hours to comply before their information is released to the public via their leak website.
The hackers use a chat tool to negotiate and arrange payment with the corporate victims. Experts theorize that they target companies with deep pockets to achieve a better return on their attack. Other ransomware targets individuals and smaller victims.
What Happened?
As reported by BleepingComputer last week, global staffing giant Randstad was attacked by Egregor. They reported that their systems had been breached and unencrypted data was stolen. Bleeping Computer said, "This leaked data is a 32.7MB archive containing 184 files, including accounting spreadsheets, financial reports, legal documents, and other miscellaneous business documents."
They are currently researching whether or not clients or employees' personal details were impacted or if the data was merely corporate-related. Randstad commented, "To date, our investigation has revealed that the Egregor group obtained unauthorized and unlawful access to our global IT environment and to certain data, in particular related to our operations in the US, Poland, Italy and France. They have now published what is claimed to be a subset of that data. The investigation is ongoing to identify what data has been accessed, including personal data, so that we can take appropriate action with regard to identifying and notifying relevant parties."
In another article, the BleepingComputer reported that the Vancouver metro transit system was also hacked and affected by Egregor ransomware on December 1st. The issue caused disruption with payment systems and other services. In a notice to the public, the transit system announced, "We are now in a position to confirm that TransLink was the target of a ransomware attack on some of our IT infrastructure. This attack includes communications to TransLink through a printed message."
On the heels of these two attacks, Threatpost reported that struggling retail company Kmart was also the victim of an Egregor ransomware attack. Transformco purchased Kmart in 2019, and the new owners and their holding company is being held hostage for ransom. The leaked ransom note says that they have compromised Kmart's Windows domain and compromised servers that impact services. The holidays are upon us, which is the worst possible time for this type of incident, especially for a company already struggling to stay afloat in a tenuous economy.
There aren't a lot of other details to go on, but the stores are back in full operation now. Colin Bastable of Lucy Security commented that "Kmart can expect data to appear in public shortly." His additional comments were, "There is never a good time for a ransomware attack, but the run up to the Christmas shopping period is a bad time for Kmart to be hit. My advice to CISOs: add 'PS. Please give me some cybersecurity awareness training budget' to your Dear Santa letter, and hope that he comes early this year."
Steps to Keep Your Company Safe from Ransomware
Corporate cybersecurity, as businesses are starting to realize, must be priority number one. Some tips from the cybersecurity experts include:
- Maintain good backups (offsite).
- Encrypt all data so that it cannot be read without an encryption key.
- Avoid clear-text data storage.
- Hire cybersecurity experts to perform a full vulnerability audit and plug the holes.
- Properly secure online data storage with trusted partners that offer layers of security and encryption.
- Tokenize data for extra security.
- Limit access to only specific employees
- Invest in cybersecurity training for all staff members.
- Watch out for phishing emails and other fraudulent campaigns.
- Monitor all systems 24/7 with extensive security software and a human component to look for suspicious activity.
Remember, your network is only as secure as your weakest link. If even one employee clicks a link in a phishing email, it could lead to the total destruction of your entire corporate network.
