lconstantin
CSO Senior Writer

Egregor ransomware takes a hit after arrests in Ukraine

News Analysis
Feb 17, 2021 | 3 mins
Ransomware

Ukrainian, French and US operation targets ransomware group members and takes down its infrastructure.

A cybercriminal group associated with the Egregor ransomware was dismantled in Ukraine following a joint action by US, French and Ukrainian authorities. The website used by the Egregor group to post information about victims in an attempt to coerce them has been shut down and the command-and-control server has also been disrupted.

Egregor is a ransomware program that appeared in September 2020 and saw rapid growth after the retirement of Maze, another prominent ransomware group. Both Maze and Egregor use a ransomware-as-a-service model that relies on other cybercriminals called affiliates breaking into corporate networks and distributing the ransomware for a cut of the ransoms.

Both Maze and Egregor also use a double extortion technique, where in addition to encrypting files, the attackers steal data from victims and threaten to release it if the ransom is not paid. The victims are listed and publicly shamed on an extortion website maintained by the group.

After the creators of Maze announced that they were shutting down the project, most of their affiliates immediately moved to Egregor. This led security researchers to believe that at least part of the Maze team was involved in the creation of Egregor, potentially in collaboration with the creators of an older ransomware program called Sekhmet that shares a lot of code similarities with Egregor and is likely its predecessor. The FBI issued a private industry alert in January about Egregor.

Last week, the extortion website used by the ransomware group went offline, as did its command-and-control infrastructure. French public radio station France Inter reported on February 12 that several Egregor-related arrests were made in Ukraine following a joint investigation between Ukrainian and French authorities, who got involved after Egregor was used against French companies including game studio Ubisoft and logistics firm Gefco.

These reports were not confirmed officially until Wednesday, February 17, when the Security Service of Ukraine (SSU) announced the arrest of a group that was using Egregor, including its suspected organizer. While it’s not clear if this was an affiliate group or the development team behind Egregor, it seems the arrests did have a serious impact on the ransomware’s operations, suggesting the group played a significant role. This is confirmed by other private reports.

“On Feb. 9, 2021, Ukrainian law enforcement conducted a joint operation with US and French authorities against several Ukrainian nationals believed to be deeply involved with Egregor ransomware operations,” cybersecurity firm Intel 471 said Wednesday in a blog post. “Intel 471 has learned that authorities targeted the purported ring leaders, as well as associates who helped run the related affiliate programs.”

The SSU seized information about the compromised networks and other evidence and advised law enforcement agencies from around the world with information about victims to contact the service. It estimates that Egregor impacted over 150 companies in Europe and the United States, leading to losses of over $80 million.