Egregor Ransomware: Origins, Operating Mode, Recent Incidents



A new year brings about countless new opportunities, but also, unfortunately, the chance for previous menaces to grow and evolve. Such is the case with Egregor ransomware. Since anticipation and prevention are more than welcome, let’s find out more about it and what you can do to combat it in order to keep your business safe. 

Egregor Ransomware – Origins 

Egregor ransomware is linked to the now-retired Maze ransomware and to the Sekhmet ransomware family.

As you probably heard, Maze ransomware was particularly dangerous because it did not just encrypt data like any other ransomware: its operators also stole the data first and threatened to publish it if the ransom was not paid, which turned every attack into a data breach as well.

The website on which the Maze ransomware operators published the information about their victims included details about the date when they were targeted, links for downloading the stolen data and even social media buttons for the users to spread the word. 

As BleepingComputer writes, Maze affiliates moved to Egregor ransomware:

BleepingComputer has learned that many Maze affiliates have switched over to a new ransomware operation called Egregor. Egregor began operating in the middle of September, just as Maze started shutting down their encryption operation. […] Egregor is believed to be the same underlying software as both Maze and Sekhmet as they utilize the same ransom notes, similar payment site naming, and share much of the same code. This was also confirmed by a ransomware threat actor who stated that Maze, Sekhmet, and Egregor were the same software. Ransomware expert Michael Gillespie, who analyzed both Egregor and Sekhmet, also found that Egregor victims who paid a ransom were sent decryptors that were titled ‘Sekhmet Decryptor.’

Egregor Decryptor

The first mention of Egregor ransomware on a forum happened on the 18th of September 2020. As Security Boulevard notes, “The name of the new ransomware strain, Egregor, is derived from Western Occult traditions and is seen as the collective energy of a group of people, especially when aligned to a common goal. The name is appropriate on some level, as ransomware gangs tend to be aligned for the purpose of extorting funds from victims.”

ZDNet writes “Egregor has also been associated with the Ransomware-as-a-Service (RaaS) model, in which customers can subscribe for access to the malware.”  (Ransomware-as-a-Service is a model that allows any novice cybercriminal to launch ransomware attacks by becoming an affiliate of a RaaS package or service.)

However, researchers still don’t know much about it, since the ransomware protects itself with various anti-analysis techniques, such as payload encryption and code obfuscation. One thing is clear, though: Egregor’s operators, just like Maze’s, threaten to release the stolen data if the ransom is not paid within the customary three-day deadline.

Ransomware-as-a-Service Workflow

Egregor Ransomware – Operating Mode 

In terms of victim demographics and geography, Egregor ransomware seems to target the same kinds of organizations as Sekhmet and Maze.

Egregor ransomware – victim demographics


The attack consists of exfiltrating sensitive data, encrypting it so that the victim can no longer access it, and then publishing part of that data on the gang’s dark web leak site as proof of the breach. The victim then receives a note demanding payment within three days to avoid the rest of the data being published. If the criminals receive the money in time, they promise to hand over a decryptor and to withhold the stolen data.

Egregor ransom note


Egregor is delivered by a loader. Once on the host, it enables Remote Desktop Protocol access through the victim’s Windows Firewall, which gives the operators a persistent way back in. From there the attackers move laterally through the network, identifying and disabling every antivirus product they can find. The final stage is the encryption of the data and the dropping of a ransom note named “RECOVER-FILES.txt” into every folder that was encrypted.

Afterwards, the victims are told to download a Tor (dark web) browser and to communicate with the criminals through a dedicated landing page.

Egregor Ransomware landing page
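As an added example (this is the editor’s own sketch, not code from the original post and not derived from any Egregor sample), the Python below shows how a defender could hunt for the two post-compromise stages described above: Remote Desktop being switched on from the command line and endpoint protection being tampered with, followed by a sweep for the “RECOVER-FILES.txt” note on disk. The log records are constructed to resemble Sysmon Event ID 1 (process creation) fields and are not real telemetry. The netsh rule group and the fDenyTSConnections registry value are the standard Windows ways of enabling RDP, which the page says Egregor does; the AV-tampering command patterns are generic ransomware tradecraft and are not something the page attributes specifically to Egregor.

```python
"""Detection sketch for the Egregor post-compromise steps described on the page.

Constructed example: the log records below imitate Sysmon Event ID 1
(process creation) fields and are NOT real telemetry from an Egregor case.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Ransom-note filename the page reports Egregor writing into encrypted folders.
RANSOM_NOTE_NAMES = {"RECOVER-FILES.txt"}

# Standard ways of switching Remote Desktop on: the Windows Firewall rule group
# and the fDenyTSConnections registry value. Neither is malicious by itself;
# the signal is which parent process runs them and what else happens around them.
RDP_ENABLE_PATTERNS = [
    re.compile(r'netsh\s+advfirewall\s+firewall\s+set\s+rule\s+group="remote desktop"\s+new\s+enable=yes', re.I),
    re.compile(r'reg(\.exe)?\s+add\s+.*Terminal Server.*fDenyTSConnections.*/d\s+0', re.I),
]

# Generic commands used to stop or neuter endpoint protection before encryption
# (assumed tradecraft for the example, not Egregor-specific per the page).
AV_TAMPER_PATTERNS = [
    re.compile(r'\b(net|sc)(\.exe)?\s+stop\s+', re.I),
    re.compile(r'taskkill(\.exe)?\s+.*/im\s+', re.I),
    re.compile(r'Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$?true', re.I),
]


@dataclass
class Finding:
    rule: str
    line_no: int
    parent: str
    command: str


def parse_record(line):
    """Split a constructed 'Key: value | Key: value' record into a dict."""
    fields = {}
    for part in line.split(" | "):
        key, sep, value = part.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def scan_process_log(lines):
    """Flag RDP enablement and AV tampering in process-creation records."""
    findings = []
    for no, line in enumerate(lines, start=1):
        rec = parse_record(line)
        cmd = rec.get("CommandLine", "")
        parent = rec.get("ParentImage", "?")
        if any(p.search(cmd) for p in RDP_ENABLE_PATTERNS):
            findings.append(Finding("rdp_enabled_from_cmdline", no, parent, cmd))
        if any(p.search(cmd) for p in AV_TAMPER_PATTERNS):
            findings.append(Finding("av_tamper_from_cmdline", no, parent, cmd))
    return findings


def assess(findings):
    """Escalate when both stages appear on the same host: RDP opened AND protection tampered with."""
    rules = {f.rule for f in findings}
    if {"rdp_enabled_from_cmdline", "av_tamper_from_cmdline"} <= rules:
        return "high"
    return "medium" if rules else "none"


def find_ransom_notes(root):
    """Walk a directory tree and return every file named like the Egregor note."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files if f in RANSOM_NOTE_NAMES)
    return sorted(hits)


def build_constructed_tree():
    """Create a throwaway directory tree with two planted notes (constructed fixture, not real data)."""
    root = tempfile.mkdtemp(prefix="egregor-demo-")
    for sub in ("finance", os.path.join("finance", "2020")):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        with open(os.path.join(root, sub, "RECOVER-FILES.txt"), "w") as fh:
            fh.write("constructed placeholder note\n")
    with open(os.path.join(root, "finance", "report.xlsx"), "w") as fh:
        fh.write("constructed placeholder document\n")
    return root


# Constructed records: an unsigned loader in a user-writable path enabling RDP
# two ways, a service stop from cmd.exe, and one benign line for contrast.
SAMPLE_LOG = [
    "Event 1 | Image: C:\\Windows\\System32\\netsh.exe | ParentImage: C:\\Users\\Public\\loader.exe | CommandLine: netsh advfirewall firewall set rule group=\"remote desktop\" new enable=Yes",
    "Event 1 | Image: C:\\Windows\\System32\\reg.exe | ParentImage: C:\\Users\\Public\\loader.exe | CommandLine: reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f",
    "Event 1 | Image: C:\\Windows\\System32\\net.exe | ParentImage: C:\\Windows\\System32\\cmd.exe | CommandLine: net stop WinDefend",
    "Event 1 | Image: C:\\Windows\\explorer.exe | ParentImage: C:\\Windows\\System32\\userinit.exe | CommandLine: C:\\Windows\\explorer.exe",
]

if __name__ == "__main__":
    found = scan_process_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no}: {f.rule} (parent={f.parent}) :: {f.command}")
    print("assessment:", assess(found))
    print("ransom notes:", find_ransom_notes(build_constructed_tree()))
```

The parent image is kept on each finding on purpose: an administrator enabling RDP from a management console is expected, the same command spawned by an executable in a user-writable directory is not, and the two-stage correlation in assess() is what separates routine administration from an intrusion in progress. The disk sweep is a last-resort signal; by the time notes are on disk, encryption has already run, so it belongs in scoping and recovery rather than prevention.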

Egregor Ransomware – Recent Incidents 

Since September 2020, Egregor Ransomware has had an impressive number of victims. We’ll mention just a few: 

Retail Giant Cencosud 

Cencosud, a Chile-based multinational retail company, was hit by Egregor ransomware in November 2020. The attack disrupted services in its stores. With over 140,000 employees, $15 billion in sales for 2019 and chains such as Easy home goods, Jumbo supermarkets and Paris department stores, Cencosud is one of the biggest retail businesses in Latin America.

A good example of how Egregor affected Cencosud is what happened at an Easy store in Buenos Aires, where a sign warned customers that, because of technical issues, the store could not accept the ‘Cencosud Card’ credit card, accept returns, or hand over web purchases for pickup.

Department Store Chain Kmart

Retail stalwart Kmart suffered a ransomware attack at the hands of the Egregor gang around the holidays of December 2020.

According to BleepingComputer, Egregor Ransomware has encrypted computers and servers linked to the company’s networks, taking out back-end services. The outlet received the alleged ransom note from the threat actors claiming to have breached the Windows domain of Kmart.

In 2019, the company was bought by Transformco, which was apparently affected as well: its internal website was offline, and employees confirmed that this was due to the ransomware attack.

Randstad HR Firm 

The Amsterdam-based company announced at the beginning of December 2020 that they were targeted by Egregor ransomware. As BleepingComputer says, “Randstad is the world’s largest staffing agency with offices in 38 markets and the owner of the well-known employment website Randstad employs over 38,000 people and generated €23.7 billion in revenue for 2019.” 

A 32.7MB archive with 184 files which included “accounting spreadsheets, financial reports, legal documents, and other miscellaneous business documents” got published by Egregor – they claimed that this represented only 1% of the exfiltrated data. 

Egregor Ransomware – Prevention Strategies

The activities of the people behind Egregor ransomware have got the attention of the FBI: “All private sector organizations are being urged to be on the alert for potential malicious activities from the threat actors behind Egregor ransomware. The FBI alert warns the hacking group is actively targeting and exploiting a range of global businesses. […] The new FBI alert warns that Egregor has already claimed 150 victims worldwide since the group emerged in September.”

The FBI has also reiterated that “paying the ransom is not ideal or recommended as it further emboldens hackers to continue these targeted efforts. Victims should instead contact the FBI, which can assist in the prevention of further attacks.”

Remember, however, that there are a few things you can pay attention to if your goal is to avoid becoming a ransomware victim in the first place.

Educate your employees 

All your employees should know about the dangers of phishing, which is a common initial access vector for ransomware. By definition, phishing is “a malicious technique used by cybercriminals to gather sensitive information (credit card data, usernames and passwords, etc.) from users. The attackers pretend to be a trustworthy entity to bait the victims into trusting them and revealing their confidential data. The data gathered through phishing can be used for financial theft, identity theft, to gain unauthorized access to the victim’s accounts or to accounts they have access to, to blackmail the victim and more.”

Email Security 

Speaking of phishing, email security is one way of stopping it before it reaches users. We suggest you try our Heimdal™ Email Security, a spam filter and malware protection system that covers more email security vectors than other solutions on the market. Heimdal™ Email Security helps you detect malware and stop spam, malicious URLs and phishing, with simple integration and highly customizable control.


Make sure you have backups 

Having backups (and, if possible, backups of your backups) of your data is crucial for any company and for every individual, because an incident can strike at any time. Backups that the compromised host can overwrite or delete are worthless against ransomware. As Health IT Security writes, “Backups should be secured, and administrators should ensure data is not accessible for modification or deletion from the system where the data resides.”

Install and update antimalware and antivirus software 

A good antivirus solution can save you from many problems. Our Heimdal™ Next-gen Endpoint Antivirus uses signature-based code scanning to monitor the activity of your company’s files in order to protect your endpoints against malware, ransomware, APTs and various other threats. 


Secure your endpoints with multi-factor authentication 

Multi-factor authentication, “sometimes referred to as two-factor authentication or 2FA, is a security enhancement that allows you to present two pieces of evidence – your credentials – when logging in to an account. Your credentials fall into any of these three categories: something you know (like a password or PIN), something you have (like a smart card), or something you are (like your fingerprint). Your credentials must come from two different categories to enhance security – so entering two different passwords would not be considered multi-factor.” 

Multi-factor authentication

Egregor Ransomware – Wrapping Up

Just like its predecessor, Maze ransomware, Egregor appears to be here to stay, at least for a while, given its lineage. Keep in mind that, if you ever become a ransomware victim, paying the ransom will only encourage the criminals; it will not help you. The best thing you can do for your company is to use prevention as a weapon.

Please remember that Heimdal™ Security always has your back and that our team is here to help you protect your home and your company and to create a cybersecurity culture to the benefit of anyone who wants to learn more about it. 

Drop a line below if you have any comments, questions or suggestions – we are all ears and can’t wait to hear your opinion!

