{
	"id": "7d18d91a-e1f4-47df-9702-69f6935ab5a8",
	"created_at": "2026-04-06T01:30:36.509632Z",
	"updated_at": "2026-04-10T03:21:57.311265Z",
	"deleted_at": null,
	"sha1_hash": "b9dd25586c30dd480980a9677076d3258a170351",
	"title": "Appgate Labs Analyzes New Family of Ransomware— “Egregor”",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 32104,
	"plain_text": "Appgate Labs Analyzes New Family of Ransomware— “Egregor”\r\nPublished: 2020-10-02 · Archived: 2026-04-06 00:40:31 UTC\r\nMIAMI, FL – October 2, 2020 – This week our team analyzed a new family of ransomware that calls itself \"Egregor\", which appears to be a spin-off of the Sekhmet ransomware.\r\nThe threat group behind this malware appears to operate by breaking into a company's network, stealing sensitive data, and then running Egregor to encrypt all the files. According to the ransom note, if the company does not pay the ransom within 3 days, the group will leak part of the stolen data and will also publicize the attack through mass media, so that the company's partners and clients learn that it was compromised.\r\nThe sample we analyzed has many anti-analysis techniques in place, such as code obfuscation and packed payloads. In one of the execution stages, the Egregor payload can only be decrypted if the correct key is supplied on the process's command line. This means the file cannot be analyzed, either manually or in a sandbox, unless it is launched with the exact command line the attackers used to run the ransomware.\r\nFurthermore, our team found the \"Egregor news\" website, hosted on the deep web, which the criminal group uses to leak stolen data.\r\nAt the time of this advisory, at least 13 different companies are listed in their \"hall of shame\", including the global logistics company GEFCO, which suffered a cyber attack last week. Egregor's ransom note also says that if the company pays the ransom, aside from decrypting all the files, the group will provide recommendations for securing the company's network, \"helping\" it avoid being breached again, acting as some sort of black hat pentest team.\r\nAbout Appgate\r\nAppgate is the secure access company that provides cybersecurity solutions for people, devices and systems based on the principles of Zero Trust security. Appgate updates IT systems to combat the cyber threats of today and tomorrow. Through a set of differentiated cloud and hybrid security products, Appgate enables enterprises to easily and effectively shield against cyber threats. Appgate protects more than 1,000 organizations across government and business. Learn more at appgate.com.\r\nSource: https://www.appgate.com/news-press/appgate-labs-analyzes-new-family-of-ransomware-egregor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.appgate.com/news-press/appgate-labs-analyzes-new-family-of-ransomware-egregor"
	],
	"report_names": [
		"appgate-labs-analyzes-new-family-of-ransomware-egregor"
	],
	"threat_actors": [],
	"ts_created_at": 1775439036,
	"ts_updated_at": 1775791317,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b9dd25586c30dd480980a9677076d3258a170351.pdf",
		"text": "https://archive.orkl.eu/b9dd25586c30dd480980a9677076d3258a170351.txt",
		"img": "https://archive.orkl.eu/b9dd25586c30dd480980a9677076d3258a170351.jpg"
	}
}