{
	"id": "cbffc0c7-8175-4bc3-93b3-360af7c38414",
	"created_at": "2026-04-06T00:10:46.091264Z",
	"updated_at": "2026-04-10T03:22:01.69324Z",
	"deleted_at": null,
	"sha1_hash": "b85885bb1a6d89c7d04636c6ef6c463a57c00a40",
	"title": "Egregor Ransomware Launches String of High-Profile Attacks to End 2020",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 282723,
	"plain_text": "Egregor Ransomware Launches String of High-Profile Attacks to End 2020\r\nBy: Trend Micro Research Dec 14, 2020 Read time: 3 min (870 words)\r\nPublished: 2020-12-14 · Archived: 2026-04-05 12:41:19 UTC\r\nIn late 2020, the operators behind Maze ransomware, one of the more notorious ransomware families in recent memory, announced that they were shutting down operations. However, in just a short period after Maze’s retirement, the ransomware known as Egregor has stepped in to fill the void, allegedly becoming the ransomware of choice for previous Maze affiliates. Like Maze, Egregor makes use of a “double extortion” technique where the ransomware operators threaten the victim not only with the loss of their data, but with a warning that their data will go public if they fail to pay the ransom.\r\nWhat is Egregor?\r\nA sophisticated piece of ransomware that first surfaced around September 2020, Egregor has since been involved in a number of high-profile attacks in a short period, including attacks that were launched against major retailers and other organizations.\r\nThis ransomware is often distributed as a payload along with remote access trojans (RATs) such as QAKBOT. In turn, QAKBOT has previously been observed to be connected with the MegaCortex and ProLock ransomware families, which indicates either a possible partnership between QAKBOT and Egregor or a new payload from the QAKBOT threat actors.\r\nSimilar to the double extortion technique used by the new breed of ransomware families such as Ryuk, Egregor pressures the victim to pay by threatening to release stolen information. In addition to encrypting data, operators behind Egregor also make threats about informing mass media — and hence, the public — that the company has been compromised.\r\nOn the surface, Egregor seems like a copy of the Sekhmet ransomware, as it shares most of its code and routines, most notably its obfuscation techniques, functions, API calls, and strings. Furthermore, like Sekhmet, it also appends a random extension per file. However, it is possible that Egregor and Sekhmet are operated by entirely different groups, given the differences between the data leak sites used by the two.\r\nAlthough there is no concrete information on how exactly Egregor gains initial access, it is likely that it uses techniques similar to those of other targeted ransomware, such as RDP hacks, compromised websites, or stolen accounts.\r\nOne of Egregor’s defining characteristics is its use of advanced obfuscation techniques: it requires a specific argument to decrypt the payload, which makes it difficult to perform static or dynamic analysis on the ransomware variant without this argument.\r\nhttps://www.trendmicro.com/en_us/research/20/l/egregor-ransomware-launches-string-of-high-profile-attacks-to-en.html\r\nAccording to the Egregor ransom note, victims that manage to pay the ransom will not only have their data decrypted; the threat actors also offer to provide recommendations for securing the company's network.\r\nA simplified version of its attack chain can be found in the following figure:\r\nFigure 2. Egregor attack chain\r\nFrom our Trend Micro™ Smart Protection Network™ data, Egregor has been active primarily in the US, with Japan and the UK also seeing a number of infections.\r\nWhat are the recent incidents involving Egregor?\r\nA number of Egregor’s attacks have occurred against high-profile targets, including a leading bookstore in October and a major retailer in December. In the former, the ransomware operators behind Egregor claimed to have gathered unencrypted financial and auditing data, although the precise nature of the data that was stolen is unclear.\r\nEgregor has also been observed printing ransom notes. Based on our analysis, printing ransom notes was not intentional on the operators’ end. Rather, it occurred as part of the ransomware’s encryption routine, which enumerates any type of network resource — including printer resources. It then connects to the network resource to encrypt files and drop the ransom note. It’s also possible that the printers and point-of-sale (POS) machines were connected to the infected machines, which resulted in the ransom notes being physically printed.\r\nOther recent victims of Egregor include major organizations in both the gaming and human resources industries.\r\nHow can the impact of Egregor and other ransomware be minimized?\r\nAlthough there is still no concrete evidence on how Egregor gains initial access to the system, other ransomware variants such as Maze are known to exploit vulnerabilities as part of their routine. Therefore, it is important for organizations to patch and update their systems’ software to address any exploitable vulnerabilities. Additionally, businesses are encouraged to keep their machines and their systems updated to prevent this from happening.\r\nBusinesses should also perform regular security audits of their systems to ensure that they are as secure as possible. Company data should also be periodically backed up whenever possible, preferably by adhering to the 3-2-1 rule, which involves keeping three copies in two different formats with at least one copy off-site.\r\nMeanwhile, employees should be given proper training on the best practices for cybersecurity, especially when it comes to the common initial access techniques used by ransomware, such as email-based attacks and compromised websites.\r\nFor a more robust and proactive line of defense against ransomware, we recommend the following Trend Micro solutions:\r\nTrend Micro Smart Protection Suites applies AI and analytics for earlier detection of threats across endpoints and other layers of the system.\r\nTrend Micro™ Deep Discovery™ Inspector detects, blocks, and analyzes malicious email attachments through custom sandboxing and other detection techniques.\r\nSource: https://www.trendmicro.com/en_us/research/20/l/egregor-ransomware-launches-string-of-high-profile-attacks-to-en.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/20/l/egregor-ransomware-launches-string-of-high-profile-attacks-to-en.html"
	],
	"report_names": [
		"egregor-ransomware-launches-string-of-high-profile-attacks-to-en.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434246,
	"ts_updated_at": 1775791321,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b85885bb1a6d89c7d04636c6ef6c463a57c00a40.pdf",
		"text": "https://archive.orkl.eu/b85885bb1a6d89c7d04636c6ef6c463a57c00a40.txt",
		"img": "https://archive.orkl.eu/b85885bb1a6d89c7d04636c6ef6c463a57c00a40.jpg"
	}
}