# Crytek confirms Egregor ransomware attack, customer data theft

**[bleepingcomputer.com/news/security/crytek-confirms-egregor-ransomware-attack-customer-data-theft/](https://www.bleepingcomputer.com/news/security/crytek-confirms-egregor-ransomware-attack-customer-data-theft/)**

By [Sergiu Gatlan](https://www.bleepingcomputer.com/author/sergiu-gatlan/)

August 10, 2021 03:45 PM

Game developer and publisher Crytek has confirmed that the Egregor ransomware gang breached its network in October 2020, encrypting systems and stealing files containing customers' personal info that was later leaked on the gang's dark web leak site.

The company acknowledged the attack in breach notification letters sent to impacted individuals earlier this month and shared by one of the victims with BleepingComputer today.

"We want to inform you that Crytek was the victim of a ransomware attack by some unknown cyber-criminals," Crytek said in a letter mailed to one of their customers impacted in the incident.

> During that attack certain data had been encrypted and stolen from our network. We took immediate action to prevent the encryption of our systems, further secure our environment, and initiate an internal and external investigation into the incident.

Crytek confirmed that Egregor operators later leaked documents stolen during the incident on their data leak site.

"Based on our investigation, the information in some case included individuals' first and last name, job title, company name, email, business address, phone number and country," Crytek revealed.

_Crytek ransomware letter (BleepingComputer)_

## Data breach impact downplayed

The game developer tried to reassure affected customers by saying "the website itself was difficult to identify [..], so that in our estimation, only very few people will have taken note of it."

Crytek added that downloading the leaked data would've also taken too long, which would likely have represented a significant hurdle that stopped people from trying to grab it.

Crytek also believes that those who attempted downloading the stolen data were discouraged by the "huge risk" of compromising their systems with malware embedded in the leaked documents.

While these points would make sense for individuals with little to no experience in using computers, most people who would want and know how to get their hands on this type of data would likely use downloaders and open the leaked files in a virtual machine.

Furthermore, threat actors commonly download files leaked on ransomware data leak sites to sell or share with other cybercriminals.

Considering this, Crytek's attempts to downplay the seriousness of the data breach resulting from the October 2020 ransomware attack don't hold water.

"While we are not aware of misuse of any information potentially impacted, we are providing this notice as part of our precautions," Crytek added.

_Crytek data leak (BleepingComputer)_

As BleepingComputer reported in October, Crytek's systems were hit by Egregor ransomware in an attack confirmed by sources familiar with the incident.

While we were not told how many Crytek systems were encrypted in the attack, we were told that files were encrypted and renamed to include the '.CRYTEK' extension.

The stolen data leaked by Egregor on their data leak site included:

- Files related to WarFace
- Crytek's canceled Arena of Fate MOBA game
- Documents with information on their network operations

Other well-known companies and organizations worldwide attacked by Egregor in the past include [Barnes and Noble](https://www.bleepingcomputer.com/news/security/barnes-and-noble-hit-by-egregor-ransomware-strange-data-leaked/), [Kmart](https://www.bleepingcomputer.com/news/security/kmart-nationwide-retailer-suffers-a-ransomware-attack/), [Cencosud](https://www.bleepingcomputer.com/news/security/retail-giant-cencosud-hit-by-egregor-ransomware-attack-stores-impacted/), [Randstad](https://www.bleepingcomputer.com/news/security/largest-global-staffing-agency-randstad-hit-by-egregor-ransomware/), and Vancouver's TransLink metro system.

_Stolen Crytek data (BleepingComputer)_

## Egregor affiliates arrested in Ukraine

In February 2021, several members of the Egregor ransomware operation were arrested in Ukraine following a joint operation between French and Ukrainian law enforcement.

Law enforcement officers made the arrests after French authorities were able to trace ransom payments to individuals located in Ukraine.

The arrested individuals are believed to be Egregor affiliates whose job was to hack into corporate networks and deploy the ransomware.

Egregor launched in September 2020, right after the Maze ransomware gang began shutting down its operation.

At the time, [BleepingComputer was told by threat actors](https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/) that Maze's affiliates switched to Egregor's RaaS, allowing the new RaaS to launch with experienced and skilled hackers.

Egregor operates as a ransomware-as-a-service (RaaS) operation where the ransomware developers partner with affiliates who conduct the attacks, splitting the ransom payments.

As part of this arrangement, the core team earns between 20-30% of all paid ransoms, while affiliates pocket the other 70-80%.

Cybersecurity firm Kivu [said in a February report](https://kivuconsulting.com/download/successful-ransomware-is-organized-crime-2/) that Egregor has 10-12 core members and 20-25 semi-exclusively vetted members, and that it amassed over 200 victims since its September launch.

_A Crytek spokesperson was not available for comment when contacted by BleepingComputer earlier today or after our initial report from October 2020._