{
	"id": "0c3578f8-494d-488f-8434-35819ae8a5a8",
	"created_at": "2026-04-06T00:16:03.885747Z",
	"updated_at": "2026-04-10T03:20:59.473605Z",
	"deleted_at": null,
	"sha1_hash": "d466c0cf1704acfa6c2891b63fee85c4697acf6b",
	"title": "Egregor ransomware group explained: And how to defend against it",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53704,
	"plain_text": "Egregor ransomware group explained: And how to defend against\r\nit\r\nBy Cynthia Brumfield Contributing Writer\r\nPublished: 2021-02-19 · Archived: 2026-04-05 20:16:57 UTC\r\nNewly emerged Egregor group employs \"double ransom\" techniques to threaten\r\nreputational damage and increase pressure to pay.\r\nWhat is Egregor?\r\nEgregor is one of the most rapidly growing ransomware families. Its name comes from the occult world and is\r\ndefined as “the collective energy of a group of people, especially when aligned with a common goal,” according to\r\nRecorded Future’s Insikt Group. Although descriptions of the malware vary from security firm to security firm,\r\nthe consensus is that Egregor is a variant of the Sekhmet ransomware family.\r\nIt arose in September 2020, at the same time the Maze ransomware gang announced its intention to shut down\r\noperations. Affiliates who were part of the Maze group appear, however, to have moved on to Egregor without\r\nskipping a beat.\r\nInsikt and Palo Alto Networks’ Unit 42 think Egregor is associated with commodity malware such as Qakbot,\r\nwhich became prominent in 2007 and uses a sophisticated, evasive worm to steal financial credentials, as well as\r\nother off-the-shelf malware such as IcedID and Ursnif. These pieces of malware help attackers gain initial access\r\nto victims’ systems.\r\nAll security researchers seem to agree with Cybereason’s Nocturnus Team that Egregor is a rapidly emerging,\r\nhigh-severity threat. According to security firm Digital Shadows, Egregor has claimed at least 71 victims across\r\n19 different industries worldwide.\r\nUpdate: On February 9, a joint operation by US, Ukrainian, and French authorities resulted in the arrest of gang\r\nmembers behind Egregor as well as associates who were part of their affiliate program. The leader of the Egregor\r\ngroup was reportedly among those arrested. The group’s website was also taken offline. 
It is too early to know\r\nwhether this action has taken Egregor down permanently.\r\nEgregor’s double extortion undercuts traditional defenses\r\nLike most current ransomware variants used in the wild, Egregor uses “double extortion,” relying on a “Hall of\r\nShame” or publicly accessible stolen data on leak pages to pressure victims into paying the ransom. Among the\r\nhigh-profile Egregor victims are Kmart, the Vancouver metro system, Barnes and Noble, video game developers\r\nUbisoft and Crytek, and the Dutch human resources firm Randstad, from which the attackers stole data, a portion\r\nof which they published to the web.\r\nhttps://www.csoonline.com/article/3602148/egregor-ransomware-group-explained-and-how-to-defend-against-it.html\r\nPage 1 of 3\n\nLike many internet criminals, Egregor attackers have considered healthcare facilities and hospitals to be fair game\r\nduring the coronavirus crisis. One health care provider that had to reduce some functions due to an Egregor\r\nransomware attack is GBMC Healthcare in Maryland, which got hit in early December, 2020. The company said it\r\nhad robust protections in place but nonetheless was forced to postpone some elective procedures.\r\nThe double extortion, or double ransom, characterizes this new breed of ransomware, undercutting the previous\r\ndefense that most companies could deploy, which is to keep robust backups if attackers encrypted files. Egregor\r\n“just emerged really a couple of months ago and especially in September where it really started hitting all over the\r\nworld, basically around the same time just when Maze ransomware operators” supposedly shut down, Jen Miller-Osborn, deputy director of threat intelligence for Unit 42 at Palo Alto Networks, tells CSO.\r\n“If you have good offline backups and you know they work, if you’re hit by ransomware, it’s not that big of an\r\nissue,” she says. 
“You take a hit for business purposes and downtime potentially, but if you have good backups,\r\nyou’ve already kind of built that into your recovery plan.”\r\nNow groups like Egregor have “gotten wise to that idea. So, they’re saying, ‘Well, we’ve already stolen your data,\r\nso you have to pay us for that. Or we’re just going to release it publicly and potentially ruin your business, or at\r\nleast damage your business’s reputation.’  That takes away the good backup story that has worked for so long,”\r\nMiller-Osborn says. “We saw that with Maze, and we’re continuing to see that with Egregor.”\r\nAs was true with Maze, Egregor is being sold as a ransomware-as-a-service (RaaS), with the gang selling it or\r\nrenting it to other people to use maliciously. Some of the same affiliates of Maze have shifted over to Egregor, “so\r\nit seems that will be the next big thing post-Maze until someone else gets wise and comes up with a more creative\r\nvariant,” Miller-Osborn says.\r\nHow to defend against Egregor\r\nWhen it comes to protecting against the double ransom component of Egregor, stronger protections can help,\r\nMiller-Osborn says. “Ransomware typically is not particularly complicated. It’s not super-stealthy malware in\r\nmost cases.”\r\nA lot of ransomware infections come from phishing. “It remains hands-down the most common infection vector,”\r\nso better protections and training around phishing could help. “Be careful about opening those emails; be careful\r\nabout clicking on those links. 
It’s the same kind of thing we say constantly, but that’s the simplest thing you can\r\ndo to avoid a ransomware attack.”\r\n“Internally there are some things companies can do in keeping their most sensitive data in enclaves,” Miller-Osborn said, “basically not having a flat network and recognizing what the most sensitive or potentially\r\ncatastrophic loss data is.” For the most sensitive data, organizations should consider having an extra sensor, with\r\nextra monitored higher-level security controls than you might have for other parts of the network, she\r\nrecommends. “Obviously, all of that costs money and is non-trivial.”\r\nAny organization’s highly sensitive data will also likely be the target of corporate or state-sponsored espionage\r\nthreats, so investing in the protection of those kinds of records is just overall a good idea. “The same kind of\r\nsensitive data that the ransomware actors are potentially going after and exfiltrating can also be the same kind of\r\ndata that an espionage motivated threat would be interested in,” says Miller-Osborn. “So just having that data\r\nbetter protected and harder to access is good.”\r\nWith training and increased network protection, it is possible to stop and block ransomware, Miller-Osborn says.\r\n“It just involves having the right security components configured properly and in the right places. It’s a security\r\nposture design thing.”\r\nIn terms of Egregor’s connection to the Maze group, “We don’t have a definitive smoking gun, but a lot of little\r\nthings lead us to believe it’s the same people,” Miller-Osborn says. It’s not uncommon to see this with commodity\r\nmalware, where a group will claim to shut down only to pop up later as a rebranded version, and it’s the same\r\nperson or people. “It looks like they do that because there is too much attention on them. 
There’s too much press.\r\nThere’s too much law enforcement looking for them,” she says. “All they’re trying to do is just separate\r\nthemselves from that previous family, for whatever reason.”\r\nUnfortunately, this new era of highly damaging ransomware typified by the Egregor malware’s rise won’t end\r\nanytime soon. “This is just going to continue. I think we’re going to see more actors, especially on the criminal\r\nside of the house, starting to take advantage of this. They recognize how much money they can potentially make\r\ndoing it.”\r\nEditor’s note: This article, originally published in January 2021, has been updated to include information on the\r\ntake-down of the Egregor group.\r\nSource: https://www.csoonline.com/article/3602148/egregor-ransomware-group-explained-and-how-to-defend-against-it.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.csoonline.com/article/3602148/egregor-ransomware-group-explained-and-how-to-defend-against-it.html"
	],
	"report_names": [
		"egregor-ransomware-group-explained-and-how-to-defend-against-it.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434563,
	"ts_updated_at": 1775791259,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d466c0cf1704acfa6c2891b63fee85c4697acf6b.pdf",
		"text": "https://archive.orkl.eu/d466c0cf1704acfa6c2891b63fee85c4697acf6b.txt",
		"img": "https://archive.orkl.eu/d466c0cf1704acfa6c2891b63fee85c4697acf6b.jpg"
	}
}