{
	"id": "9d7a3d61-2aa5-4718-9372-37faa02c492f",
	"created_at": "2026-04-06T00:18:01.521143Z",
	"updated_at": "2026-04-10T03:22:39.459981Z",
	"deleted_at": null,
	"sha1_hash": "b36eef5d7f7b4ed6fccb282f8bcc2dcd062ef074",
	"title": "Cybereason vs. Egregor Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1738117,
	"plain_text": "Cybereason vs. Egregor Ransomware\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-05 22:26:19 UTC\r\nResearch by: Lior Rochberger\r\nEgregor is a newly identified ransomware variant that was first discovered in September 2020 and has recently been identified in several sophisticated attacks on organizations worldwide, including the gaming industry giants Crytek and Ubisoft.\r\nSimilar to the Maze ransomware, Egregor’s operators run an extortion ransomware operation, where the data is stolen and stored on the attacker’s servers before it is encrypted on the user’s machine. Egregor is probably the most aggressive ransomware family in terms of negotiation with the victims. Its operators give only 72 hours to contact them. If the ransom is not paid, the data is released to the public via the attacker’s website, “Egregor News.”\r\nCybereason Blocks Egregor Ransomware\r\nThe ransomware payment is negotiated and agreed upon via a special chat function assigned to each victim. The payment is received in bitcoin.\r\nhttps://www.cybereason.com/blog/cybereason-vs-egregor-ransomware\r\nPage 1 of 14\r\n[Figure: Egregor News website - published data]\r\nEgregor is believed to be a relative of another ransomware called Sekhmet that emerged in March 2020, which shares a lot of similarities with Egregor and also some similarities with Maze.\r\nEgregor is still quite a mystery when it comes to how it is delivered in the attack and who is behind the campaign. Not much is known at this point, but speculation includes theories that Egregor is the “heir to Maze,” after that threat actor announced they were shutting down their operations in late October. This assumption is supported by the close similarities between the two - and of course the timing.\r\nKey Findings\r\n• Emerging Threat: In a short amount of time, Egregor ransomware caused great damage and made headlines across the world.\r\n• High Severity: The Cybereason Nocturnus Team assesses the threat level as HIGH given the destructive potential of the attacks.\r\n• Low-and-Slow: Prior to the deployment of the ransomware, the attackers attempt to infiltrate and move laterally throughout the organization, carrying out a fully-fledged hacking operation.\r\n• Infection Vector via Commodity Malware: The infection seems to start with commodity malware. Based on a preliminary reconnaissance of data sent to the C2 servers, the operators can choose to escalate to an interactive hacking operation, which ultimately causes a mass ransomware infection.\r\n• Detected and Prevented: The Cybereason Defense Platform fully detects and prevents the Egregor ransomware.\r\nBreaking Down the Attack\r\n[Figure: Egregor infection chain]\r\nFrom Commodity Malware Infection to Ransomware\r\nSince Egregor is a relatively new player in the game, not many incidents involving it have been covered in detail yet, including information about the infection chain. The information available so far suggests that the initial infection starts with a phishing email that contains a malicious macro embedded in an attached document.\r\nThe macro code downloads a commodity malware, either Qbot, IcedID or Ursnif, which provides capabilities for stealing sensitive information that will later be used for lateral movement. This technique, using commodity malware for the initial infection and eventually delivering ransomware through it, was observed before with Ryuk ransomware and Maze.\r\nLater in the attack, a CobaltStrike beacon is installed on the infected machine and the attack shifts to an interactive hacking operation. The attacker uses tools for reconnaissance such as Adfind and Sharphound to gather information about users, groups, computers and so on. This information assists in the lateral movement phase and also in performing privilege escalation, as the Egregor operators compromise Active Directory in order to become domain admin.\r\nIn this stage, after the malware settles on the victim’s machine, it starts communicating with the C2 in order to download additional components including scripts, DLLs and other files that will eventually be used to exfiltrate data and encrypt files.\r\nAmong the dropped files observed:\r\n• A batch file that is used to run Bitsadmin and Rundll32 to download and execute the Egregor payload.\r\n• A Zip file containing an RClone client binary renamed to svchost, together with RClone configuration files (webdav, ftp and dropbox) used later for exfiltration.\r\n[Figure: VT screenshot of the RClone executable and configuration file]\r\nCobaltStrike creates a service that runs an encoded PowerShell command, which executes shellcode that creates a connection to amajai-technologies[.]industries:\r\n[Figure: Decryption of the Shellcode]\r\nAfter dropping the files needed for the attack, the attackers “prepare the ground” and undertake a final procedure meant to avoid detection and prevention. The attacker creates a Group Policy Object (GPO) to disable Windows Defender and tries to take down any other anti-virus products.\r\nEgregor Execution\r\nAs described above, the operators of Egregor deploy the ransomware payload after collecting the sensitive information and setting the GPO to evade detection and prevention. To deploy the ransomware, they execute the dropped batch file that, as mentioned, is used to download and execute the ransomware payload from a remote server:\r\n[Figure: The content of the batch file]\r\nThe Egregor payload can only be decrypted if the correct key is provided via a command line argument to the Rundll32 process, which means that the file cannot be analyzed, either manually or using a sandbox, unless the exact same command line that the attackers used to run the ransomware is provided.\r\nIn order to execute the ransomware and decrypt the blob of code inside of it, the operators provide the batch file with the key “-passegregor10”, which results in the ransomware running and encrypting files:\r\n[Figure: Batch file execution as shown in the Cybereason Defense Platform]\r\nThe encrypted file names are appended with a string of random characters as the new extension. For example, it renames a file named “My_files.zip” to “My_files.zip.IAsnM”, “My_files2.zip” to “My_files2.zip.WZlF” and so on. Also, the threat actor creates the ransom note “RECOVER-FILES.txt” in all folders that contain encrypted files, as shown in the figure below:\r\n[Figure: Encrypted files]\r\n[Figure: A message shown to the user]\r\nConnection to Sekhmet and Maze\r\nEgregor shares code similarities with Sekhmet ransomware, as well as the notorious Maze ransomware. Besides code similarities, the three ransomware families have a lot in common, including behaviour and characteristics:\r\n| | Maze | Sekhmet | Egregor |\r\n| First seen | May 2019 | March 2020 | July 2020 |\r\n| File type | DLL/EXE | DLL | DLL |\r\n| Encrypted Files Extension | Files are appended with random extensions, consisting of random characters | Files are appended with random extensions, consisting of random characters | Files are appended with random extensions, consisting of random characters |\r\n| Encryption Algorithm | ChaCha \u0026 RSA | ChaCha \u0026 RSA | ChaCha \u0026 RSA |\r\n| Ransom Demand Message file name | DECRYPT-FILES.txt | RECOVER-FILES.txt | RECOVER-FILES.txt |\r\n| Damage | Encryption and extortion | Encryption and extortion | Encryption and extortion |\r\n| Cyber Criminal Contact | Tor browser website | Tor browser website | Tor browser website |\r\n| Website name | Maze News | Leaks, Leaks, Leaks. | Egregor News |\r\nAnother way to search for the connection between the three is to look at the infrastructure. The IP address 185.238.0[.]233 hosted different binaries, Zip files and scripts:\r\n• Maze ransomware binaries\r\n• Egregor ransomware binaries\r\n• Zip files containing the RClone binary and configuration files\r\nThe IP address is referred to by different scripts including the batch files that download the Egregor payload:\r\n[Figure: Chart describing the different samples found on 185.238.0[.]233]\r\nIt is also worth mentioning the similarities in the ransom notes of the three. They have a very similar structure, and even some “copy-paste” parts:\r\n[Figure: Comparison between the three ransomware’s ransom notes]\r\nIn addition to the Maze and Egregor binaries found on this specific server, other samples were found on the server, related to Prolock ransomware, as analyzed in this report.\r\nCybereason Detection and Prevention\r\nCybereason is able to both detect and prevent the execution of Egregor, Sekhmet and Maze using the NGAV component. When the Anti-Ransomware feature is enabled, behavioral detection techniques in the platform are able to detect the attempt to encrypt files and raise a Malop for it:\r\n[Figure: Ransomware Malop triggered due to the malicious activity]\r\nUsing the Anti-Malware feature with the right configuration (listed in the recommendations below), Cybereason will also detect and prevent the execution of the ransomware and ensure that it cannot encrypt targeted files:\r\n[Figure: Anti-Malware alert - Disinfecting the b.dll (Egregor payload)]\r\n[Figure: User notification, blocking the execution of the ransomware on the endpoint]\r\nIndicators of Compromise\r\nIOC | Type | Description\r\nf7bf7cea89c6205d78fa42d735d81c1e5c183041, 5a346fb957abeba389424dc57636edcacc58b5ba, 901cee60fba225baf80c976b10dfa1684a73f5ee, a6259615ea10c30421e83d20f4a4b5f2c41b45b8 | SHA1 | Egregor DLL\r\n[list of SHA1 hashes omitted] | SHA1 | Egregor batch file\r\n45.153.242.129, 185.238.0.233, 49.12.104.241 | IPs | C2\r\n34a466a0e55a930d8d7ecd1d6e6c9c750082a5fe | SHA1 | Zip containing RClone\r\n2edaa3dd846b7b73f18fa638f3e1bc3a956affa4 | SHA1 | Encoded PowerShell\r\nMITRE ATT\u0026CK BREAKDOWN\r\nInitial Access: Phishing\r\nPrivilege Escalation: Valid Accounts\r\nDefense Evasion: Group Policy Modification; Impair Defenses; Impair Defenses: Disable or Modify Tools; Masquerading\r\nCommand and Control: Ingress Tool Transfer\r\nDiscovery: Account Discovery; Domain Trust Discovery; Permission Groups Discovery; Permission Groups Discovery: Local Groups\r\nLateral Movement: Remote Services\r\nExfiltration: Exfiltration Over Web Service\r\nImpact: Data Encrypted for Impact\r\nAbout the Author\r\nCybereason Nocturnus\r\nThe Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.\r\nAll Posts by Cybereason Nocturnus\r\nSource: https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware"
	],
	"report_names": [
		"cybereason-vs-egregor-ransomware"
	],
	"threat_actors": [
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434681,
	"ts_updated_at": 1775791359,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b36eef5d7f7b4ed6fccb282f8bcc2dcd062ef074.pdf",
		"text": "https://archive.orkl.eu/b36eef5d7f7b4ed6fccb282f8bcc2dcd062ef074.txt",
		"img": "https://archive.orkl.eu/b36eef5d7f7b4ed6fccb282f8bcc2dcd062ef074.jpg"
	}
}