{
	"id": "ae61cd74-907a-4827-8a3c-6dccf16e8b80",
	"created_at": "2026-04-06T00:12:10.416477Z",
	"updated_at": "2026-04-10T03:21:43.466166Z",
	"deleted_at": null,
	"sha1_hash": "e845f9daa2f60300088c3ff529966b5cf8455657",
	"title": "Threat profile: Egregor ransomware is making a name for itself | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1014573,
	"plain_text": "Threat profile: Egregor ransomware is making a name for itself |\r\nMalwarebytes Labs\r\nBy Pieter Arntz\r\nPublished: 2020-12-14 · Archived: 2026-04-05 15:53:03 UTC\r\nWhat is Egregor?\r\nEgregor is a relatively new ransomware family (first spotted in September 2020) that seems intent on making its way to the top right now. Egregor is considered a variant of Ransom.Sekhmet based on similarities in obfuscation, API calls, and the ransom note.\r\nAs we’ve reported in the past, affiliates that were using Maze ransomware started moving over to Egregor even before the Maze gang officially announced they were calling it quits. Egregor has already hit some well-known victims, including Barnes \u0026 Noble, Kmart and Ubisoft.\r\nHow does Egregor spread?\r\nThe primary delivery mechanism for Egregor is Cobalt Strike. Targeted environments are first compromised through various means (RDP probing, phishing); once a Cobalt Strike beacon is established and persistent, it is used to deliver and launch the Egregor payloads.\r\nBut since Egregor is a ransomware-as-a-service (RaaS) operation with multiple affiliates, the delivery and weaponization tactics vary. We have also seen it spread via phishing emails recently. That attack typically unfolds in two steps: an initial compromise with an email lure that drops Qakbot, followed by the actual Egregor ransomware. The latter is deployed manually by the attackers, using the access gained in the initial compromise.\r\nhttps://blog.malwarebytes.com/ransomware/2020/12/threat-profile-egregor-ransomware-is-making-a-name-for-itself/\r\nPage 1 of 5\n\nThere have also been some reports of Egregor operators using CVE-2020-0688 (a remote code execution flaw in Microsoft Exchange). Some sources also report the possible exploitation of CVE-2018-8174 (VBScript Engine), CVE-2018-4878 (Adobe Flash Player), and CVE-2018-15982 (Adobe Flash Player).\r\nThe most common attack pattern seems to start with a spray-and-pray phase, after which the threat actors select among the available openings. They go for the easiest and most profitable ones, based on reconnaissance data from the first stage of the attack. They then try to enlarge their foothold on the breached network and look for the data and servers that are most critical to the victim. This gives the attackers extra leverage and a better chance of collecting on their ransom demand.\r\nEgregor does not seem to have a geographical preference, even though Sekhmet has appeared to focus on the US over the past 7 weeks.\r\nEgregor threatens to leak exfiltrated data\r\nAccording to the ransom note, if the company does not pay within 3 days, the attackers will leak part of the stolen data and, on top of that, announce the breach through mass media so that the company’s partners and clients know it was victimized.\r\nIn all three of the cases mentioned earlier (Barnes \u0026 Noble, Kmart and Ubisoft), the attackers published information on a leak site showing that they had accessed files during the attack, but did not necessarily reveal source code or anything particularly sensitive.\r\nEducation by the hands-on experts\r\nA very typical trait of the Egregor ransomware is that the attackers offer to educate their victims in order to help them avoid future attacks.\r\nCybersecurity advice is promised to victims that pay the ransom, as an extra bonus. What these recommendations look like is unknown at the time of writing. A truthful explanation of how the victim in question was infected and infiltrated, and of how data was exfiltrated, would certainly help in a forensic investigation of the incident.\r\nEgregor victim Randstad\r\nOne of the latest victims seems to be Netherlands-based Randstad, one of the largest recruitment and headhunting agencies in the world. In its press release, Randstad specifically calls out Egregor as the attacker.\r\n“We believe the incident started with a phishing email that initiated malicious software to be installed,” a Randstad spokesperson said in an email.\r\nThe press release confirms that data was stolen but is unclear about the exact content.\r\n“To date, our investigation has revealed that the Egregor group obtained unauthorized and unlawful access to our global IT environment and to certain data, in particular related to our operations in the US, Poland, Italy and France. They have now published what is claimed to be a subset of that data.”\r\nDepending on the stolen data, and given the line of business, the content could be very sensitive and confidential. According to Randstad, the company was able to limit the impact, with the stolen data relating in particular to its operations in the US, Poland, Italy and France. Third-party cybersecurity and forensic experts were engaged to assist with the investigation and remediation of the incident.\r\nIOCs\r\nLeak site domains (note that these are clearnet .top domains, not .onion addresses):\r\negregorwiki.top\r\nwikiegregor.top\r\nsekhmet.top\r\nsekhmetleaks.top\r\nSHA256 hashes:\r\n4c9e3ffda0e663217638e6192a093bbc23cd9ebfbdf6d2fc683f331beaee0321\r\naee131ba1bfc4b6fa1961a7336e43d667086ebd2c7ff81029e14b2bf47d9f3a7\r\nRansom note:\r\nRECOVER-FILES.txt (some parts of the ransom note can be seen in the article)\r\nAbout the author\r\nWas a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.\r\nSource: https://blog.malwarebytes.com/ransomware/2020/12/threat-profile-egregor-ransomware-is-making-a-name-for-itself/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/ransomware/2020/12/threat-profile-egregor-ransomware-is-making-a-name-for-itself/"
	],
	"report_names": [
		"threat-profile-egregor-ransomware-is-making-a-name-for-itself"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434330,
	"ts_updated_at": 1775791303,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e845f9daa2f60300088c3ff529966b5cf8455657.pdf",
		"text": "https://archive.orkl.eu/e845f9daa2f60300088c3ff529966b5cf8455657.txt",
		"img": "https://archive.orkl.eu/e845f9daa2f60300088c3ff529966b5cf8455657.jpg"
	}
}
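The IOC list in the article (four leak-site domains, two payload SHA256 hashes and the RECOVER-FILES.txt ransom note) is what a responder would sweep an environment for first. The script below is an added example, not code from Malwarebytes or from the article: it matches those indicators against a DNS log, an EDR-style hash export and a directory tree. The log line format, the Windows file paths and the "benign" hash are constructed for illustration; only the domains, hashes and note filename come from the article.

```python
"""Sweep for the Egregor IOCs published in the Malwarebytes threat profile.

Added example; the indicators are the article's, everything else is constructed.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Iterable

# Indicators copied from the article's IOC section.
LEAK_DOMAINS = {"egregorwiki.top", "wikiegregor.top", "sekhmet.top", "sekhmetleaks.top"}
PAYLOAD_SHA256 = {
    "4c9e3ffda0e663217638e6192a093bbc23cd9ebfbdf6d2fc683f331beaee0321",
    "aee131ba1bfc4b6fa1961a7336e43d667086ebd2c7ff81029e14b2bf47d9f3a7",
}
RANSOM_NOTE = "RECOVER-FILES.txt"

# Crude hostname tokenizer; matching is done on the registrable tail so that
# subdomains (www.sekhmet.top) are caught as well as the bare domain.
_HOST_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}", re.IGNORECASE)


def domain_hits(log_lines: Iterable[str]) -> list[tuple[int, str]]:
    """Return (line_number, leak_domain) for each log line that references a leak-site domain."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for tok in _HOST_RE.findall(line):
            tok = tok.lower().rstrip(".")
            match = next((d for d in LEAK_DOMAINS if tok == d or tok.endswith("." + d)), None)
            if match:
                hits.append((n, match))
                break  # one hit per line is enough for triage
    return hits


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_hits(export: Iterable[tuple[str, str]]) -> list[str]:
    """Given (path, sha256) pairs, e.g. from an EDR file inventory, return paths whose hash is a known payload."""
    return [path for path, digest in export if digest.lower() in PAYLOAD_SHA256]


def ransom_note_hits(root: Path) -> list[Path]:
    """Walk a tree and return every ransom note; each one marks a directory that was already encrypted."""
    return sorted(
        (p for p in root.rglob("*") if p.is_file() and p.name.lower() == RANSOM_NOTE.lower()),
        key=str,
    )


# Constructed DNS resolver log; only lines 2 and 4 reference leak-site domains.
SAMPLE_DNS_LOG = [
    "2020-12-10T09:14:02Z host=WKS-042 query=A name=www.google.com rcode=NOERROR",
    "2020-12-10T09:15:31Z host=WKS-042 query=A name=sekhmetleaks.top rcode=NOERROR",
    "2020-12-10T09:16:07Z host=SRV-FS01 query=A name=updates.example.com rcode=NOERROR",
    "2020-12-10T09:20:44Z host=WKS-017 query=A name=www.egregorwiki.top rcode=NXDOMAIN",
]

# Constructed hash export; paths are hypothetical, the first digest is of the bytes b"benign".
SAMPLE_HASH_EXPORT = [
    (r"C:\Windows\System32\notepad.exe", hashlib.sha256(b"benign").hexdigest()),
    (r"C:\Users\Public\svchost_update.dll", "4C9E3FFDA0E663217638E6192A093BBC23CD9EBFBDF6D2FC683F331BEAEE0321"),
    (r"C:\ProgramData\b.dll", "aee131ba1bfc4b6fa1961a7336e43d667086ebd2c7ff81029e14b2bf47d9f3a7"),
]


def scan_constructed_tree() -> dict:
    """Build a throwaway tree with one ransom note and one empty document, then scan and hash it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / RANSOM_NOTE).write_text("constructed stand-in for the Egregor note\n")
        (root / "docs" / "report.docx").write_bytes(b"")
        return {
            "notes": [p.relative_to(root).as_posix() for p in ransom_note_hits(root)],
            "empty_doc_sha256": sha256_of(root / "docs" / "report.docx"),
        }


if __name__ == "__main__":
    for n, d in domain_hits(SAMPLE_DNS_LOG):
        print(f"DNS line {n}: leak-site domain {d}")
    for path in hash_hits(SAMPLE_HASH_EXPORT):
        print(f"known Egregor payload hash: {path}")
    print(scan_constructed_tree())
```

Hash comparison is case-insensitive because EDR exports and VirusTotal copy-pastes disagree on case; the domain matcher deliberately flags subdomains, since a leak-site visit from inside the network usually means someone is checking whether their own data has been posted, which is itself worth a ticket.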