{
	"id": "472bc9ce-4c3a-40fa-a15a-065d09055266",
	"created_at": "2026-05-05T02:45:14.757911Z",
	"updated_at": "2026-05-05T02:46:36.945536Z",
	"deleted_at": null,
	"sha1_hash": "e14cfc5325f5ef226b6ca54dfb5e59d1cd54ff0e",
	"title": "The Locking Egregor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 841302,
	"plain_text": "The Locking Egregor\r\nArchived: 2026-05-05 02:05:10 UTC\r\nRegardless of your cybersecurity role in your organization, whether you are a SOC analyst, threat hunter, or CISO,\r\nthe more you know about the threat landscape relevant to your business and region, the better you can protect your\r\nassets. But when it comes to ransomware, any big organization can be a target, and you should always be on\r\nguard, especially given that the major cybercrime trend of 2020 is Big Game Hunting.\r\nMore and more players join the game, disrupting more and more businesses all around the world. Ransomware\r\nitself, as well as attackers’ TTPs, becomes increasingly complex, making detection and analysis really tough. One\r\nsuch ransomware family, which came into the game quite recently but has already managed to «lock» quite\r\noutstanding victims, such as Crytek and Barnes \u0026 Noble, is Egregor.\r\nRecently, the Group-IB DFIR team observed Egregor ransomware operators actively using Qakbot (aka Qbot) to\r\ngain initial access, just as was the case with ProLock not long ago. The close similarities in TTPs with earlier ProLock\r\ncampaigns indicate that Qakbot operators have likely abandoned ProLock for Egregor.\r\nEgregor has been actively distributed since September 2020. In less than 3 months Egregor operators have\r\nmanaged to successfully hit 69 companies around the world, with 32 targets in the US, 7 victims in France and\r\nItaly each, 6 in Germany, and 4 in the UK. Other victims happened to be from the APAC, Middle East, and Latin\r\nAmerica. Egregor’s favorite sectors are Manufacturing (28.9% of victims) and Retail (14.5%).\r\nEgregor victims\r\nRecent Qakbot campaigns\r\nhttps://www.group-ib.com/blog/egregor\r\nPage 1 of 9\n\nIn September 2020, Emotet switched back to distributing Trickbot, so Qakbot operators had to distribute their\r\ntrojan without its help. 
To deliver the trojan, Qakbot operators used malicious Microsoft Excel documents\r\nimpersonating DocuSign-encrypted spreadsheets, and still prefer to use the so-called “Email Thread Hijacking”\r\ntechnique.\r\nDocuSign decoy\r\nPost-Exploitation\r\nDuring our incident response engagements, we saw almost identical techniques to those we saw in attacks\r\ninvolving ProLock ransomware. Once initial access was gained, the threat actors used AdFind to collect Active\r\nDirectory information.\r\nWe’ve also seen the same script used to enable comfortable lateral movement – “rdp.bat”. It was used by the threat\r\nactors to modify registry and firewall rules to enable connections via Remote Desktop Protocol.\r\nTo compromise the whole network infrastructure, the threat actor used Cobalt Strike – an extremely popular post-exploitation tool we’ve seen in almost 70% of incidents involving Big Game Hunting operations this year.\r\nIn some cases, the threat actors also distributed Qakbot through the network via PsExec. Just as in the ProLock cases\r\nwe observed in the past, they used a file named “md.exe” – the Qakbot binary.\r\nIn addition, they used Rclone for data exfiltration – with the same masquerading technique: they renamed its\r\nbinary to svchost.exe and placed it in C:\\Windows.\r\nParts of the exfiltrated data are published on Egregor’s Data Leak Site (DLS) to prove that they not only locked the\r\nvictim’s network but also stole sensitive information:\r\nEgregor’s “Hall of shame”\r\nIf the victim refuses to pay, the threat actors publish the whole set of exfiltrated data:\r\nThe whole set of data exfiltrated from Crytek\r\nRansomware deployment\r\nThe threat actors used multiple techniques for ransomware deployment, in some cases even in a single attack,\r\nincluding abusing Background Intelligent Transfer Service (BITS), the WMI command-line (WMIC) utility and\r\nPowerShell remote sessions. 
It’s interesting that the PowerShell script contains comments in Russian:\r\nA part of the PowerShell script used to deploy Egregor ransomware\r\nRansomware analysis\r\nWe analyzed a sample of Egregor ransomware, which was obtained during one of our incident response\r\nengagements. Egregor is delivered as a DLL and should be launched via the rundll32 executable with a\r\ncommand line similar to this:\r\nrundll32.exe C:\\Windows\\q.dll,DllRegisterServer -password --mode\r\nAfter calling the function DllRegisterServer, the next stage is decoded, decrypted and executed. This stage is\r\nprotected using the ChaCha8 stream cipher (the key and the nonce are stored inside the file) and Base64 encoding:\r\nThe next stage is also used as an encryption layer for the final payload, which can be decrypted only if the\r\ncorrect password is provided as an argument. This password is used as the key for HMAC-SHA256, and the input\r\ndata for HMAC-SHA256 is hardcoded within the program. After that, 10000 iterations of HMAC-SHA256 are\r\nused along with an XOR operation to create a key for the Rabbit stream cipher, which is used to decrypt the final\r\npayload:\r\nThe final payload is highly obfuscated with junk instructions, and a lot of jump and call obfuscation is used. We\r\nnoticed that the Egregor obfuscation is very similar to the obfuscation used in another ransomware family, Sekhmet. The\r\nstring obfuscation is likewise similar to Sekhmet, and even the keys for decrypting the same strings are\r\nidentical.\r\nWe noticed that the sequence of language checks is very similar to that in Sekhmet and Maze ransomware.\r\nThe main purpose of Egregor (unsurprisingly) is to encrypt files. 
Files are encrypted using the ChaCha8 stream\r\ncipher along with the RSA-2048 asymmetric algorithm – the same scheme was used in Sekhmet and Maze\r\nransomware (the key and nonce for ChaCha8 are generated randomly for each encrypted file):\r\nChaCha8 key and nonce generation in Egregor and Sekhmet\r\nChaCha8 key and nonce generation in Maze\r\nThe ChaCha8 key and nonce are encrypted and added to the beginning of the encrypted file.\r\nA local RSA-2048 keypair is generated for each infected computer; the local private key is encrypted with the public\r\nmaster key and then added to the “technical block” at the end of the ransom note (this block also contains the\r\nnumber of encrypted files and information about the workstation and domain).\r\nTo check whether it is able to encrypt files in a specific directory, Egregor will try to create a shortcut in this directory (the\r\nname of the shortcut is equal to the victim ID, which is generated based on the hardware configuration of the computer).\r\nThe shortcut is created with the option FILE_FLAG_DELETE_ON_CLOSE, so it is\r\ndeleted automatically after the handle is closed.\r\nFinally, a ransom note named RECOVER-FILES.txt is created in each directory with encrypted files.\r\nHere is a template extracted from an Egregor sample:\r\nThe largest ransom demand we observed was more than 4 000 000 $ in BTC.\r\nConclusion\r\nThe tactics, techniques and procedures observed are very similar to those seen in past Qakbot Big Game Hunting\r\noperations. At the same time, we see that these methods are still very effective and allow threat actors to\r\ncompromise quite big companies successfully. 
It’s important to note that, since many Maze partners\r\nhave started to move to Egregor, a shift in TTPs is likely, so defenders should focus on known\r\nmethods associated with Maze affiliates.\r\nGeneral Recommendations\r\n1. If you’ve detected a Qakbot infection in your network, make sure you handle it properly and that there’s no\r\nevidence of lateral movement.\r\n2. Make sure your security controls are able to detect and block Cobalt Strike usage.\r\n3. Focus on suspicious RDP connections as well as BITS, WMIC and PowerShell abuse.\r\n4. Develop threat hunting capability for your team, so you can reduce attackers’ dwell time and prevent\r\nsuccessful ransomware deployment.\r\n5. Make sure your team has up-to-date cyber threat intelligence to detect and prevent human-operated ransomware attacks.\r\n6. Learn what techniques and methods Threat Hunters use today through Group-IB’s Cyber Education\r\ncourses.\r\n7. Download the white paper “Egregor ransomware: The legacy of Maze lives on” for more TTPs,\r\ndetection and threat hunting tips.\r\nSource: https://www.group-ib.com/blog/egregor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.group-ib.com/blog/egregor"
	],
	"report_names": [
		"egregor"
	],
	"threat_actors": [],
	"ts_created_at": 1777949114,
	"ts_updated_at": 1777949196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e14cfc5325f5ef226b6ca54dfb5e59d1cd54ff0e.pdf",
		"text": "https://archive.orkl.eu/e14cfc5325f5ef226b6ca54dfb5e59d1cd54ff0e.txt",
		"img": "https://archive.orkl.eu/e14cfc5325f5ef226b6ca54dfb5e59d1cd54ff0e.jpg"
	}
}