{
	"id": "390cf579-66a0-43e0-8b98-a276aa0d5947",
	"created_at": "2026-04-06T00:19:37.474162Z",
	"updated_at": "2026-04-10T03:21:33.327044Z",
	"deleted_at": null,
	"sha1_hash": "ea9195c3d10948284300253793ac1e7f02a00a67",
	"title": "Egregor Ransomware DFIR Analysis Report",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 31220,
	"plain_text": "Egregor Ransomware DFIR Analysis Report\r\nBy Author:\r\nArchived: 2026-04-05 17:45:42 UTC\r\nEgregor ransomware is part of the Sekhmet malware family and has been active since mid-September 2020. The ransomware operates by hacking into organizations, stealing sensitive user documents, encrypting data, and demanding a ransom in exchange for the encrypted documents. Egregor is the ransomware associated with the cyberattacks against GEFCO, Barnes \u0026 Noble, Ubisoft, and numerous others.\r\nThe SentinelOne Singularity platform fully protects our customers from this ransomware and related families.\r\nDFIR Analysis Report\r\nEgregor Ransomware\r\nExecutive Summary\r\n©2020 SentinelOne, All Rights Reserved\r\nMultiple intelligence and security companies believe that there are ties between past Maze affiliates (now defunct) and Egregor. There have been reports of ties to Sekhmet, ProLock, and LockBit as well (both of which have also been tied to Maze). With regards to Sekhmet, there are deep similarities in the configuration format and obfuscation style. SentinelOne-affiliated security researcher Vitali Kremez noted these similarities in an early November tweet.\r\nAs is the case with other modern ransomware groups, the actors behind Egregor exfiltrate victim data and threaten to post it publicly should the victim fail to comply with their demands.\r\nThe primary distribution method for Egregor is Cobalt Strike. Targeted environments are therefore previously compromised through various means (RDP exploitation, phishing), and once the Cobalt Strike beacon payload is established and persistent, it can then be utilized to deliver and launch the Egregor payloads. That being said, Egregor is a RaaS (ransomware-as-a-service) with multiple affiliates, and delivery/weaponization tactics can therefore vary. There have been limited and uncorroborated reports of Egregor utilizing CVE-2020-0688 (a remote code execution flaw in Microsoft Exchange). They have also been shown to use LOTL (Living off the Land) tools (bitsadmin) to download or update components (DLLs). We have also observed the use of AdFind and SharpHound for additional reconnaissance tasks.\r\nThreat Prominence \u0026 Analysis\r\nSource: https://assets.sentinelone.com/labs/Egregor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://assets.sentinelone.com/labs/Egregor"
	],
	"report_names": [
		"Egregor"
	],
	"threat_actors": [],
	"ts_created_at": 1775434777,
	"ts_updated_at": 1775791293,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ea9195c3d10948284300253793ac1e7f02a00a67.pdf",
		"text": "https://archive.orkl.eu/ea9195c3d10948284300253793ac1e7f02a00a67.txt",
		"img": "https://archive.orkl.eu/ea9195c3d10948284300253793ac1e7f02a00a67.jpg"
	}
}