
Egregor ransomware associates arrested amid disruption

Undisclosed number of arrests made in Ukraine after investigators tracked bitcoin ransom payments

A number of affiliates and supporters of the Egregor ransomware cyber crime gang were arrested last week in a joint French-Ukrainian law enforcement sting, according to radio station France Inter, which first broke the story.

At the same time, much of the ransomware’s infrastructure also appears to have been taken offline, possibly as a result of hosting difficulties, according to our sister title LeMagIT.

The arrests come at the end of a joint probe beginning in the autumn of 2020, undertaken by France’s Central Directorate of the Judicial Police and Ukrainian law enforcement, with support from Europol.

The investigators were apparently able to trace the ransoms, which were paid in bitcoin, back to suspects in Ukraine who were engaged in providing hacking, logistical and financial support to Egregor.

Emsisoft’s Brett Callow said Egregor has indeed been less active in recent weeks, stemming from issues with its infrastructure, but cautioned that it was impossible to say whether or not this disruption relates to the joint law enforcement action.

“Generally speaking, it’s great to see law enforcement finally having some success,” he said. “Ransomware groups have operated with almost complete impunity, which means that, until now, there has been little deterrent.

“After NetWalker’s operation was disrupted, another group got cold feet, ceased operations and handed us their keys. Let’s hope that happens after every bust.” 

Among a number of gangs notable for their use of the now notorious double extortion tactic, Egregor sprang up in late 2020 amid speculation of a link to Maze, which wrapped up its operations at about the same time. It operates as a ransomware-as-a-service (RaaS), hawking its wares to affiliates in exchange for a cut of their take, generally about 30% of the total.

It has amassed a string of victims around the world, at least 150 according to the FBI, among them the likes of US bookseller Barnes & Noble, financial services firm Randstad, and French videogame studio Ubisoft. It is also suspected of being behind the leak of data stolen in an attack on estate agent Foxtons.


Egregor is distributed in various ways, with victim environments compromised through several possible vectors, such as phishing or remote desktop protocol (RDP) exploitation, as well as via Qakbot, an evolved banking trojan in the same vein as Emotet. Some analysts have also reported exploitation of a known remote code execution (RCE) flaw in Microsoft Exchange, as well as of some long-disclosed vulnerabilities in Adobe Flash.

As with many ransomware families, Egregor does not execute if it finds its target system’s default language ID to be Russian, Ukrainian, or one of several other languages from former Soviet states.

Once their data is compromised, victims are typically told they have three days to get in touch with the gang, after which it will begin to publish the exfiltrated data. Egregor ransom notes typically also make a point of threatening victims with public embarrassment in front of their clients, partners and the media.

Like some other ransomware gangs – notably Maze – Egregor’s operators seem to believe they are running a kind of penetration testing service, a malevolent version of the sort of service a business might buy from a legitimate cyber security company, and offer those who pay the ransom advice on their organisational security.

Recorded Future’s Allan Liska said the current disruption suggested that, in some ways, Egregor has become a victim of its own success.

“After splitting off from Maze, Egregor partnered with the Qakbot malware for distribution, which appeared to lead to great success in getting new victims,” he said. “Because of the way their RaaS model worked, this success resulted in a backlog of victims waiting to negotiate their ransom – meaning victims were sometimes waiting weeks or even a month before they were even able to pay the ransom.

“The frustration of victims and their RaaS affiliates appears to have resulted in many affiliates switching to different RaaS strains, resulting in fewer infections. So, even before the law enforcement action, successful Egregor attacks were on the wane, with no apparent path to increasing attacks.”
