{
	"id": "3f8e5133-a558-4719-830a-7e8d1bb5e25c",
	"created_at": "2026-04-06T00:16:31.866239Z",
	"updated_at": "2026-04-10T03:20:59.456893Z",
	"deleted_at": null,
	"sha1_hash": "b94298735117df2fbda772f2fcf8276489bb670c",
	"title": "Egregor operation takes huge hit after police raids",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 30517,
	"plain_text": "Egregor operation takes huge hit after police raids\r\nBy Intel 471\r\nPublished: 2026-04-01 · Archived: 2026-04-05 23:47:41 UTC\r\nLaw enforcement action carried out last week in Ukraine has targeted the people behind some of the most\r\nnotorious ransomware gangs of the past year.\r\nOn Feb. 9, 2021, Ukrainian law enforcement conducted a joint operation with U.S. and French authorities against\r\nseveral Ukrainian nationals believed to be deeply involved with Egregor ransomware operations. Intel 471 has\r\nlearned that authorities targeted the purported ring leaders, as well as associates who helped run the related\r\naffiliate programs. Egregor is responsible for hundreds of ransomware attacks against high-profile targets\r\nworldwide since September 2020. According to law enforcement, over 150 companies have been hit by Egregor,\r\nresulting in losses of more than US$80 million.\r\nThe raid has hit Egregor hard. Following the law enforcement action, Egregor’s blog, used to shame victims that\r\ndidn’t pay ransoms, was taken offline. Additionally, one of the associates appears to have deactivated his profile\r\non one of the most popular forums on the cybercriminal underground.\r\nWhile not confirmed by law enforcement, the arrests point to links between the Egregor operations and the Maze\r\nransomware gang. In the late stages of 2020, Maze announced it was shutting down, with operations shifting to\r\nEgregor. It is widely believed among threat intelligence professionals that a large portion of the affiliates that were\r\nattached to Maze followed the move to Egregor. Members of those affiliate programs were either raided or\r\narrested last week.\r\nIt is unclear how many people were targeted in the raid, but several Ukrainian press releases say the “organizer”\r\nwas arrested. Intel 471 will continue to watch how the greater cybercrime underground reacts to the actions taken\r\nby law enforcement.\r\nSource: https://intel471.com/blog/egregor-arrests-ukraine-sbu-maze-ransomware\r\nhttps://intel471.com/blog/egregor-arrests-ukraine-sbu-maze-ransomware\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://intel471.com/blog/egregor-arrests-ukraine-sbu-maze-ransomware"
	],
	"report_names": [
		"egregor-arrests-ukraine-sbu-maze-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434591,
	"ts_updated_at": 1775791259,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b94298735117df2fbda772f2fcf8276489bb670c.pdf",
		"text": "https://archive.orkl.eu/b94298735117df2fbda772f2fcf8276489bb670c.txt",
		"img": "https://archive.orkl.eu/b94298735117df2fbda772f2fcf8276489bb670c.jpg"
	}
}