{
	"id": "9d07c83d-318d-4e27-b90f-5469693fab73",
	"created_at": "2026-04-06T00:10:44.883392Z",
	"updated_at": "2026-04-10T13:11:29.107454Z",
	"deleted_at": null,
	"sha1_hash": "a75430123462754686d9f282510d5567a432cb3f",
	"title": "Crytek confirms Egregor ransomware attack, customer data theft",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5148002,
	"plain_text": "Crytek confirms Egregor ransomware attack, customer data theft\r\nBy Sergiu Gatlan\r\nPublished: 2021-08-10 · Archived: 2026-04-05 15:09:13 UTC\r\nGame developer and publisher Crytek has confirmed that the Egregor ransomware gang breached its network in October\r\n2020, encrypting systems and stealing files containing customers' personal info later leaked on the gang's dark web leak site.\r\nThe company acknowledged the attack in breach notification letters sent to impacted individuals earlier this month and\r\nshared by one of the victims with BleepingComputer today.\r\n\"We want to inform you that Crytek was the victim of a ransomware attack by some unknown cyber-criminals,\" Crytek said\r\nin a letter mailed to one of their customers impacted in the incident.\r\nhttps://www.bleepingcomputer.com/news/security/crytek-confirms-egregor-ransomware-attack-customer-data-theft/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/crytek-confirms-egregor-ransomware-attack-customer-data-theft/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\n\"During that attack certain data had been encrypted and stolen from our network. We took immediate action to prevent the\r\nencrypton of our systems, further secure our environment, and initiate an internal and external investigation into the\r\nincident.\r\nCrytek confirmed that Egregor operators later leaked documents stolen during the incident on their data leak site.\r\n\"Based on our investigation, the information in some case included individuals' first and last name, job title, company name,\r\nemail, business address, phone number and country,\" Crytek revealed.\r\nCrytek ransomware letter (BleepingComputer)\r\nData breach impact downplayed\r\nThe game developer tried to reassure affected customers by saying \"the website itself was difficult to identify [..], so that in\r\nour estimation, only very few people will have taken note of it.\"\r\nCrytek added downloading the leaked data would've also taken too long, which would have also likely represented a\r\nsignificant hurdle that stopped people from trying to grab it.\r\nCrytek also believes that those who attempted downloading the stolen data were discouraged by the \"huge risk\" of\r\ncompromising their systems with malware embedded in the leaked documents.\r\nWhile these points would make sense for individuals with little to no experience in using computers, most people who\r\nwould want and know how to get their hands on this type of data would likely use downloaders and open the leaked files in\r\na virtual machine.\r\nFurthermore, threat actors commonly download files leaked on ransomware data leaks to sell or share with other\r\ncybercriminals.\r\nConsidering this, Crytek's attempts to downplay the seriousness of the data breach resulting from the October 2020\r\nransomware attack don't hold water.\r\n\"While we are not aware of misues of any information potentially impacted, we are providing this notice as part of our\r\nprecautions,\" Crytek added.\r\nhttps://www.bleepingcomputer.com/news/security/crytek-confirms-egregor-ransomware-attack-customer-data-theft/\r\nPage 3 of 5\n\nCrytek data leak (BleepingComputer)\r\nAs BleepingComputer reported in October, Crytek's systems were hit by Egregor ransomware in an attack confirmed by\r\nsources familiar with the incident.\r\nWhile we were not told how many Crytek systems were encrypted in the attack, we were told that files were encrypted and\r\nrenamed to include the '.CRYTEK' extension.\r\nThe stolen data leaked by Egregor on their data leak site included:\r\nFiles related to WarFace\r\nCrytek's canceled Arena of Fate MOBA game\r\nDocuments with information on their network operations\r\nOther well-known companies and organizations worldwide attacked by Egregor in the past include Barnes and Noble,\r\nKmart, Cencosud, Randstad, and Vancouver's TransLink metro system.\r\nStolen Crytek data (BleepingComputer)\r\nEgregor affiliates arrested in Ukraine\r\nIn February 2021, several members of the Egregor ransomware operation were arrested in Ukraine following a joint\r\noperation between French and Ukrainian law enforcement.\r\nLaw enforcement officers made the arrests after French authorities could trace ransom payments to individuals located in\r\nUkraine.\r\nhttps://www.bleepingcomputer.com/news/security/crytek-confirms-egregor-ransomware-attack-customer-data-theft/\r\nPage 4 of 5\n\nThe arrested individuals are believed to be Egregor affiliates whose job was to hack into corporate networks and deploy the\r\nransomware.\r\nEgregor launched in September 2020, right after the Maze ransomware gang began shutting down its operation. \r\nAt the time, BleepingComputer was told by threat actors that Maze's affiliates switched to Egregor's RaaS, allowing the new\r\nRaaS to launch with experienced and skilled hackers.\r\nEgregor operates as a ransomware-as-a-service (RaaS) where the ransomware developers partner with affiliates who conduct\r\nthe attacks, splitting the ransom payments.\r\nAs part of this arrangement, the core team earns between 20-30% of all paid ransoms, while affiliates pocketed the other 70-\r\n80%.\r\nCybersecurity firm Kivu said in a February report that Egregor has 10-12 core members and 20-25 semi-exclusively vetted\r\nmembers, and it amassed over 200 victims since its September launch.\r\nA Crytek spokesperson was not available for comment when contacted by BleepingComputer earlier today or after our\r\ninitial report from October 2020.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/crytek-confirms-egregor-ransomware-attack-customer-data-theft/\r\nhttps://www.bleepingcomputer.com/news/security/crytek-confirms-egregor-ransomware-attack-customer-data-theft/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/crytek-confirms-egregor-ransomware-attack-customer-data-theft/"
	],
	"report_names": [
		"crytek-confirms-egregor-ransomware-attack-customer-data-theft"
	],
	"threat_actors": [],
	"ts_created_at": 1775434244,
	"ts_updated_at": 1775826689,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a75430123462754686d9f282510d5567a432cb3f.pdf",
		"text": "https://archive.orkl.eu/a75430123462754686d9f282510d5567a432cb3f.txt",
		"img": "https://archive.orkl.eu/a75430123462754686d9f282510d5567a432cb3f.jpg"
	}
}