{
	"id": "50e95649-4296-45e3-813a-f331f4fc0ff4",
	"created_at": "2026-04-06T00:16:47.216394Z",
	"updated_at": "2026-04-10T03:21:16.257718Z",
	"deleted_at": null,
	"sha1_hash": "c15b4dfae4cd8d5c99e935d9c2a27928ea9e67d9",
	"title": "Egregor: Sekhmet’s Cousin",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 725910,
	"plain_text": "Egregor: Sekhmet’s Cousin\r\nBy Tomas Meskauskas\r\nPublished: 2020-10-29 · Archived: 2026-04-05 21:31:24 UTC\r\nThe year 2020 will be remembered none too fondly for several reasons. For much of the world, the global\r\npandemic that sent many countries into lockdowns, causing massive disruptions to daily life, will\r\nfeature prominently in humankind’s shared memory for some time. For the InfoSec community, it will be the\r\nunabashed use of the pandemic by hackers to further their goals. More so, the community will remember the year\r\nransomware gangs became even more ruthless and began leaking data of those victims who refuse to pay the\r\nransom.\r\nIn a year that has already seen several new families cropping up, a new ransomware strain has joined the ranks of\r\nthose looking to apply increased pressure on victims by leaking sensitive and confidential data.\r\nEgregor, Occult in Name\r\nThe name of the new ransomware strain, Egregor, is derived from Western Occult traditions and is seen as the\r\ncollective energy of a group of people, especially when aligned to a common goal. The name is appropriate on\r\nsome level, as ransomware gangs tend to be aligned for the purpose of extorting funds from victims. This is\r\ncertainly not a purpose for the common good, but nonetheless a purpose is a purpose and, as with practitioners of\r\nmagic, no rule says they must be good. This rule most certainly applies to those behind Egregor.\r\nNot too much is known about the ransomware and the tactics employed by the gang, as researchers are still working to\r\nreverse-engineer samples they have acquired. The first mention of the ransomware on a public forum occurred\r\nSept. 18. Since then, researchers have begun to uncover the ransomware’s mysteries. What is currently agreed\r\nupon is that Egregor does seem to be closely related to Sekhmet, which, having been discovered in March, is older than\r\nits cousin by only a couple of months. 
According to researchers, the similarities between the two variants include\r\nsimilar tactics, obfuscation, API calls and ransom notes, to name a few. Regarding Egregor technical details,\r\nresearchers noted,\r\n“The sample we analyzed has many anti-analysis techniques in place, such as code obfuscation and\r\npacked payloads. Also, in one of the execution stages, the Egregor payload can only be decrypted if the\r\ncorrect key is provided in the process’ command line, which means that the file cannot be analyzed,\r\neither manually or using a sandbox, if the exact same command line that the attackers used to run the\r\nransomware isn’t provided. Furthermore, our team found the “Egregor news” website, hosted on the\r\ndeep web, which the criminal group uses to leak stolen data.”\r\nThe InfoSec community at large must be eagerly awaiting a technical writeup to better defend networks against\r\nthe threat posed by Egregor. However, this may be delayed—while the ransomware employs the same level of\r\nsophisticated code and functionality as many of its rivals, it seems to have an ace in the hole preventing analysis.\r\nThe ransomware boasts a high number of anti-analysis techniques including code obfuscation and payload\r\nencryption, making the reverse engineering process harder than researchers would wish. What is not shrouded in\r\nmystery is the tactic of threatening to release stolen data if ransom demands are not met within three days.\r\nVictim Numbers Increasing\r\nAccording to the website used by Egregor to announce what data the group has stolen and to provide a small\r\namount to prove the data’s origin, the gang has amassed 13 victims so far, three of which have managed to make\r\nnews headlines. 
It is important to note that two of the three cases still need to be confirmed by the victims as\r\nransomware attacks; however, there is a sufficient amount of evidence to suggest they were and that\r\nEgregor may have been the culprit.\r\nThe latest of these victims to make headlines was U.S. brick-and-mortar bookstore giant Barnes and Noble. While\r\nthe InfoSec community is still awaiting confirmation by the affected company, Barnes and Noble did make a\r\nstatement to the public confirming a cyber incident that may have compromised customer data. That being said,\r\nseveral researchers believe the company may have suffered a ransomware incident—in particular, Egregor. The\r\nassumption is based on several things, including how the company networks were affected, resulting in increased\r\nperiods of downtime preventing customers from accessing certain services.\r\n[Image: Egregor ransom-demanding message]\r\n[Image: files encrypted by this ransomware]\r\n[Image: Tor website of Egregor ransomware]\r\nThe most convincing evidence, although rather strange, is the data released by the gang via their leak site. As is\r\noften the case, ransomware gangs release data that can be easily traced to the victim as proof they have indeed\r\ndone what they said they have. This usually means a leak of documents; however, the Egregor gang released\r\ntwo Windows Registry hives supposedly taken from Barnes and Noble’s servers. The ransomware gang contends\r\nthat it successfully stole financial data about audits from the company; however, while the leak of the data\r\nindicates they in all likelihood may have been behind the attack, the evidence is far from conclusive.\r\nThe other two victims to make headlines were games industry giants Crytek and Ubisoft. 
The former confirmed\r\nthat it had been hit by a ransomware attack, and nearly 400MB of data belonging to the game developer has\r\nbeen released by the Egregor gang. The data pertained to the company’s popular “Warface” first-person shooter\r\nand the now-canceled “Arena of Fate MOBA” game as well as some of the company’s network operations. The\r\ngang also claimed that it stole the source code for Ubisoft’s upcoming title “Watchdogs: Legion”; to prove the\r\nclaim, the gang released 20MB of data it said is in-game assets for the game. The assets themselves don’t prove\r\nbeyond a shadow of a doubt that they belong to Ubisoft and could have been stolen from elsewhere. Ubisoft has\r\nnot confirmed whether an incident did indeed take place; however, it is believed that Ubisoft employees have\r\nsuffered from phishing attacks in the past. This, too, is speculation, as the company refuses to respond to questions\r\nposed by both journalists and security researchers.\r\nEgregor’s Cousin Sekhmet\r\nGiven how little the public knows about Egregor, it is wise to look at its cousin Sekhmet. The name given to the\r\nransomware is from Ancient Egyptian mythology, which says Sekhmet was the warrior goddess of healing.\r\nAncient Egyptian mythology has strong links to many Western occult traditions, so at the very least the gang\r\nbehind both appears to have a naming convention in place. Sekhmet is older by a few months, but both share\r\ntactics such as leaking data from victims via a dedicated website. Unfortunately, as with Egregor, technical details\r\nabout the ransomware strain are thin. At the time of writing, no information is available regarding how the\r\nmalware is distributed, the infection chain or attack vectors. 
Researchers believe that Sekhmet may be dropped by\r\nother malware or downloaded via malicious websites, but little else about the ransomware is public knowledge.\r\nIn June, news emerged that two companies had suffered a Sekhmet infection. The first, IT firm Excis, was\r\nannounced at the end of May by those operating the ransomware, who subsequently released data supposedly\r\nbelonging to the IT firm on its leak site called “leaks, leaks, leaks.” The operators released the data in response to\r\nthe company director saying that no important data was stolen. The second victim, SilPac, a gas handling solutions\r\ncompany based in Santa Clara, California, appeared to have been affected later in June; the gang attacked the\r\ncompany twice in short succession. Again, the attacks were announced via Sekhmet’s leak site. It is believed that\r\nthe attackers managed to retain a presence on the victim’s network even after encryption occurred.\r\nThe Age of the Leak Site\r\nMany high-profile ransomware gangs that seemingly only target large corporate networks operate leak sites. The\r\nlist seems to grow unabated from month to month. The flood of bad news can leave individuals feeling helpless\r\nbut, importantly, these attacks are preventable. In recent months ransomware operators have targeted known\r\nvulnerabilities with VPN servers, and although these attacks have been well-publicized, some corporate networks\r\nare still vulnerable. Gaining access to a corporate network is now a big business, as “initial access brokers” look to\r\nsell access to networks they have compromised. Ransomware operators are potential clients, with some even\r\nlooking to bring in talent as affiliates who can compromise networks and then drop the ransomware payload.\r\nGiven the high number of high-profile victims that have emerged this year alone, this trend of new ransomware\r\nstrains creating leak sites is expected to continue for some time. 
Although these attacks are preventable, some\r\nsecurity researchers are suggesting that ransom payments be made illegal to try and curb the current threat posed\r\nby ransomware. The hope is that such laws would dissuade payments and dry up the profits generated by\r\nransomware gangs. The call to make ransom payments illegal may be extreme and seen as punishing the victim of the\r\ncrime rather than the perpetrator, but measures to prevent these attacks seem to be failing.\r\nSource: https://securityboulevard.com/2020/10/egregor-sekhmets-cousin/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://securityboulevard.com/2020/10/egregor-sekhmets-cousin/"
	],
	"report_names": [
		"egregor-sekhmets-cousin"
	],
	"threat_actors": [],
	"ts_created_at": 1775434607,
	"ts_updated_at": 1775791276,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c15b4dfae4cd8d5c99e935d9c2a27928ea9e67d9.pdf",
		"text": "https://archive.orkl.eu/c15b4dfae4cd8d5c99e935d9c2a27928ea9e67d9.txt",
		"img": "https://archive.orkl.eu/c15b4dfae4cd8d5c99e935d9c2a27928ea9e67d9.jpg"
	}
}