New details have emerged about the cyberattack against Barnes & Noble since we last wrote about it on October 16th. After publishing their report last Wednesday, BleepingComputer was contacted by a threat actor claiming that the Egregor ransomware group was behind the attack. BleepingComputer goes on to state “After the hacker gained access to a Windows domain administrator account, another threat actor was given access to the network on October 10th, 2020, who then encrypted the network’s devices.”
Egregor is a new ransomware family that began operating in mid-September this year, claiming other high-profile victims such as Crytek and Ubisoft. Yesterday, the group uploaded two Windows registry hives that may have been dumped from Barnes & Noble’s Windows servers. This was an interesting choice, given that most ransomware groups tend to upload a small number of files relating to the organization and its operations.
Not much is known yet about the initial breach of Barnes & Noble’s network, though it appears that the Egregor group was responsible only for the attack that followed. With the group having become active only in September, it may be buying access to already-compromised networks in order to save time and effort. Binary Defense highly recommends keeping up with all the security updates that have been released recently and creating a regularly followed patch schedule. Exploits like Zerologon (CVE-2020-1472) can dramatically decrease the amount of time between initial breach and full domain compromise.
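As an added example (not part of the original post, and not Binary Defense or Barnes & Noble code), the script below shows one way a defender can check whether the Zerologon patch is actually taking effect. The Netlogon hardening Microsoft shipped for CVE-2020-1472 writes System-log events on domain controllers when a vulnerable Netlogon secure channel is denied (5827, 5828) or still allowed (5829, 5830, 5831); the event IDs and meanings are taken from Microsoft's Netlogon guidance, and the flat `EventID=... Account=... Source=...` line format and all sample records are constructed for this example.

```python
import re
from collections import Counter

# Netlogon hardening event IDs added by the CVE-2020-1472 patch (assumption:
# IDs/meanings from Microsoft's guidance; not stated in the article above).
NETLOGON_EVENTS = {
    5827: "denied: vulnerable Netlogon secure channel from machine account",
    5828: "denied: vulnerable Netlogon secure channel from trust account",
    5829: "allowed: vulnerable connection (enforcement not yet active)",
    5830: "allowed: machine account exempted by policy",
    5831: "allowed: trust account exempted by policy",
}

# Constructed sample records; the exported-log format is assumed for this example.
SAMPLE_LOG = """\
2020-10-10T03:12:44Z DC01 EventID=4624 Account=svc_backup Source=10.0.5.21
2020-10-10T03:13:01Z DC01 EventID=5829 Account=WS-OLD$ Source=10.0.9.77
2020-10-10T03:13:02Z DC01 EventID=5829 Account=WS-OLD$ Source=10.0.9.77
2020-10-10T03:13:09Z DC01 EventID=5827 Account=PRINT01$ Source=10.0.9.80
2020-10-10T03:14:30Z DC02 EventID=5830 Account=LEGACYAPP$ Source=10.0.2.15
"""

LINE_RE = re.compile(r"EventID=(\d+)\s+Account=(\S+)\s+Source=(\S+)")


def parse_netlogon_events(text):
    """Return (event_id, account, source) for Netlogon hardening events only."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        event_id = int(m.group(1))
        if event_id in NETLOGON_EVENTS:  # ignore unrelated events such as 4624
            events.append((event_id, m.group(2), m.group(3)))
    return events


def summarize(events):
    """Count vulnerable-connection attempts per account, split into allowed vs denied."""
    summary = {"allowed": Counter(), "denied": Counter()}
    for event_id, account, _source in events:
        bucket = "denied" if event_id in (5827, 5828) else "allowed"
        summary[bucket][account] += 1
    return summary


def accounts_needing_action(events):
    """Accounts whose insecure connections are still being allowed.

    These are the hosts to update or isolate before switching the DCs to
    enforcement mode; once enforced, the same connections become 5827/5828.
    """
    return sorted({acct for eid, acct, _ in events if eid in (5829, 5830, 5831)})


if __name__ == "__main__":
    evts = parse_netlogon_events(SAMPLE_LOG)
    for eid, acct, src in evts:
        print(f"{eid} {acct} {src}: {NETLOGON_EVENTS[eid]}")
    print("Still allowed (needs remediation):", accounts_needing_action(evts))
```

Run against a real export, a non-empty "still allowed" list means the patch is installed but the domain is not yet in enforcement, so the window Zerologon opens between initial access and domain compromise is still there for those hosts; an empty list with only 5827/5828 entries is what a completed rollout looks like.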