Evidence of Egregor ransomware; FBI issues warning alert!

Egregor ransomware

The Federal Bureau of Investigation has sent a warning notice to private sector companies, urging them to be cautious about Egregor ransomware attacks. The first variant of this ransomware was reported in September 2020. It was used to attack 150 companies worldwide.

Egregor is offered as ransomware-as-a-service and has many affiliates. Most of the affiliates moved to Egregor distribution in late 2020, when the Maze ransomware was shut down. Affiliates receive a 70% share of each ransom payment. The remaining 30% is collected by the Egregor gang. The ransomware supports data exfiltration prior to file encryption, which is considered an extra incentive.

Procedures and tactics vary from affiliate to affiliate. Phishing emails and malicious attachments, along with major vulnerabilities in Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN), are used to gain access to networks.

Once a system is successfully infected, the attackers use a variety of tools such as Qakbot, Cobalt Strike, AdFind and Advanced IP Scanner for lateral movement. The data exfiltration method may differ, but the most commonly used tools are 7zip and Rclone, which are often camouflaged as Service Host Processes (svchost).
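A defender can look for the svchost camouflage described above in process-creation telemetry. The following is an added example, not part of the original article: it assumes events shaped like Sysmon Event ID 1 records (Image, OriginalFileName, ParentImage, CommandLine), and the sample events are constructed.

```python
import ntpath

# Legitimate svchost.exe lives in these directories and is started by services.exe.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# PE OriginalFileName values of the two tools the article names.
RENAMED_TOOLS = {"rclone.exe": "Rclone", "7z.exe": "7-Zip", "7za.exe": "7-Zip"}

def check_svchost(event):
    """Return the reasons a process named svchost.exe looks masqueraded."""
    image = event["Image"].lower()
    if ntpath.basename(image) != "svchost.exe":
        return []  # only processes claiming to be svchost are examined
    reasons = []
    if ntpath.dirname(image) not in SYSTEM_DIRS:
        reasons.append("unexpected path")
    if ntpath.basename(event["ParentImage"].lower()) != "services.exe":
        reasons.append("unexpected parent")
    tool = RENAMED_TOOLS.get(event.get("OriginalFileName", "").lower())
    if tool:
        reasons.append(f"binary is renamed {tool}")
    # A real service host is always launched with a "-k <group>" argument.
    if " -k " not in f" {event['CommandLine'].lower()} ":
        reasons.append("no -k service group argument")
    return reasons

def scan(events):
    """Return {image: reasons} for every suspicious svchost.exe event."""
    return {e["Image"]: r for e in events if (r := check_svchost(e))}

def ev(image, original, parent, cmdline):
    return {"Image": image, "OriginalFileName": original,
            "ParentImage": parent, "CommandLine": cmdline}

# Constructed sample events (not taken from a real incident).
SAMPLE_EVENTS = [
    ev(r"C:\Windows\System32\svchost.exe", "svchost.exe",
       r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
    ev(r"C:\ProgramData\svchost.exe", "rclone.exe",
       r"C:\Windows\System32\cmd.exe", r"svchost.exe copy D:\finance remote:backup"),
    ev(r"C:\Users\Public\svchost.exe", "7za.exe",
       r"C:\Windows\System32\cmd.exe", r"svchost.exe a out.7z D:\hr"),
    ev(r"C:\Windows\explorer.exe", "EXPLORER.EXE",
       r"C:\Windows\System32\userinit.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(reasons))
```
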

After successfully exfiltrating the data from the system, the malware begins the encryption process.

Egregor ransomware has been used against a wide range of companies, including established enterprises such as the game developer Ubisoft, Barnes & Noble, Kmart and Translink, which is one of the major transportation agencies in Vancouver.

The FBI advises organizations not to pay the ransom if they are infected, since there is no guarantee that the attackers will return the data. There are instances where the attackers permanently deleted the data even after the ransom was paid. The FBI also notes that paying the ransom only encourages the attackers to carry out further attacks.

The FBI has disclosed several methods to prevent and withstand the Egregor ransomware and is trying to find out whether any recovery is possible without paying the ransom.

In order to guarantee the recovery of the stolen data, the government asks organizations to back up certain data regularly, to promote cloud storage, or to store data on an external hard drive. Backups should not be accessible from the system where the data resides.

What is Egregor?

Egregor is one of the cyber-criminal groups that focuses on and performs attacks based on a unique branch of ransomware.

The name Egregor is derived from Western magic, where it refers to the collective energy of a group of people who have teamed up for a common purpose.

It is believed that the operators of Maze, a notorious cybercriminal group, formed Egregor after Maze shut down in October 2020.

Attacks by Maze ransomware had been expanding throughout the world, after which Egregor took its place.

Egregor began its attacks with Barnes & Noble and the well-known video game developers Crytek and Ubisoft in October 2020. The attackers gained complete access to their finance and audit information. However, Barnes & Noble told its customers that none of their private information was stolen and that they are safe.

In the case of Ubisoft and Crytek, the attackers exfiltrated source code of upcoming projects, including Watch Dogs: Legion and Arena of Fate.

The criminal group published this stolen data on the Dark Web, but the authenticity of the source code was uncertain.


Unlike other ransomware, Egregor infects a victim using a loader. Both the loader and the ransomware obfuscate their code to hinder static analysis and the possibility of decryption.

After the breach, Egregor changes the firewall settings and enables the Remote Desktop Protocol (RDP). The software then spreads throughout the network, disabling all anti-virus software.

When all this is done, Egregor drops a ransom note named “RECOVER-FILES.txt” into all the compromised folders.
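Because the note is written into every compromised folder, a burst of identically named files across many directories is a usable detection signal. The following is an added example, not part of the original article: the event fields (time, host, process, path), the five-minute window and the three-directory threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

NOTE_NAME = "recover-files.txt"   # ransom note name given in the article
WINDOW = timedelta(minutes=5)     # assumed window, tune per environment
MIN_DIRS = 3                      # assumed threshold, tune per environment

def note_bursts(events):
    """Return {(host, process): dir_count} where one process dropped the note
    into at least MIN_DIRS distinct directories within WINDOW."""
    drops = defaultdict(list)
    for e in events:
        if ntpath.basename(e["path"]).lower() == NOTE_NAME:
            ts = datetime.fromisoformat(e["time"])
            drops[(e["host"], e["process"])].append(
                (ts, ntpath.dirname(e["path"]).lower()))
    alerts = {}
    for key, items in drops.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it spans at most WINDOW.
            while items[end][0] - items[start][0] > WINDOW:
                start += 1
            dirs = {d for _, d in items[start:end + 1]}
            if len(dirs) >= MIN_DIRS:
                alerts[key] = max(alerts.get(key, 0), len(dirs))
    return alerts

# Constructed file-creation events (not taken from a real incident).
FIELDS = ("time", "host", "process", "path")
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in [
    ("2021-01-08T10:00:05", "WS01", "sample.exe", r"C:\Users\a\Documents\RECOVER-FILES.txt"),
    ("2021-01-08T10:00:09", "WS01", "sample.exe", r"C:\Users\a\Desktop\RECOVER-FILES.txt"),
    ("2021-01-08T10:00:40", "WS01", "sample.exe", r"D:\Shares\Finance\RECOVER-FILES.txt"),
    ("2021-01-08T10:01:10", "WS01", "sample.exe", r"D:\Shares\HR\RECOVER-FILES.txt"),
    # A single file with the same name is not a burst.
    ("2021-01-08T09:00:00", "FS02", "notepad.exe", r"C:\Temp\recover-files.txt"),
    # Three drops spread over hours stay below the threshold in any window.
    ("2021-01-08T08:00:00", "WS03", "backup.exe", r"E:\a\RECOVER-FILES.txt"),
    ("2021-01-08T09:00:00", "WS03", "backup.exe", r"E:\b\RECOVER-FILES.txt"),
    ("2021-01-08T10:00:00", "WS03", "backup.exe", r"E:\c\RECOVER-FILES.txt"),
]]

if __name__ == "__main__":
    for (host, process), count in note_bursts(SAMPLE_EVENTS).items():
        print(f"{host}: {process} wrote the note into {count} directories")
```
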

Threat mitigation

  • Monitor systems for Ursnif, Qakbot and IcedID malware.
  • Educate staff about phishing attacks.
  • Set up strong anti-virus software to block all decoders.
  • Check for vulnerabilities in the system and patch them immediately.
  • Establish zone protection policies.
  • Remove any “Service setting of ANY” for traffic from the security policies.

