{
	"id": "4ff2ea1c-d401-4854-b7d2-e06e61e5a790",
	"created_at": "2026-04-06T01:30:54.258175Z",
	"updated_at": "2026-04-10T13:12:16.087154Z",
	"deleted_at": null,
	"sha1_hash": "feb9b3cc0db88edbd59b01a8f1dd152ad6425b53",
	"title": "Threat Assessment: Egregor Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 164572,
	"plain_text": "Threat Assessment: Egregor Ransomware\r\nBy Doel Santos, Brittany Barbehenn, Robert Falcone\r\nPublished: 2020-12-09 · Archived: 2026-04-06 00:28:45 UTC\r\nExecutive Summary\r\nSince September 2020, Unit 42 researchers have observed Egregor ransomware affecting multiple industries globally, including those within the U.S., Europe, Asia Pacific and Latin America, following the decline in operations utilizing the Maze ransomware. Egregor operations mimic those of Maze, leading us to believe that although Maze operators announced a shutdown of the “Maze Team Project,” the operators behind those activities have simply developed a new ransomware to move their objectives forward.\r\nDue to the surge in Egregor ransomware activity, we’ve created this general threat assessment for overall threat awareness. Full visualization of the techniques observed and their relevant courses of action can be viewed in the Unit 42 ATOM Viewer.\r\nMalware Overview\r\nEgregor is a variant of the Sekhmet ransomware family. It has been observed since at least September 2020, around the same time Maze ransomware operators announced an intent to shut down their operations. Affiliates who utilized the Maze ransomware to conduct their activities now appear likely to have moved on to Egregor to avoid disrupting their operations.\r\nMaze ransomware leveraged malware such as Trickbot, and Egregor has followed suit, using commodity malware such as Qakbot, IcedID and Ursnif for initial access. Ryuk ransomware also leveraged both Trickbot and BazaLoader in a similar fashion to gain initial access to a victim system.\r\nAfter initial infection, scripts are used to modify victim firewalls and enable Remote Desktop Protocol (RDP). Cobalt Strike is used to conduct network reconnaissance, move laterally across the network, exfiltrate data and prepare for execution.\r\nDuring our analysis, we observed a ZIP file containing a PowerShell script (Figure 1) that attempts to uninstall a McAfee endpoint agent. It then uses BITS to download the Egregor DLL from a malicious server and execute the payload using Rundll32.\r\nFigure 1. PowerShell script used to download Egregor ransomware.\r\nEgregor uses multiple anti-analysis and evasion techniques, such as disabling a system’s antivirus software and heavily obfuscating the payload. Also, the payload can only be executed with a key supplied via the expected command-line argument, in this case “-passegregor10”. When run on the victim’s system, Egregor changes the files’ extensions to a random set of characters. When the encryption of files is complete, the ransomware creates the ransom note file “RECOVER-FILES.txt” in all folders that contain encrypted files.\r\nhttps://unit42.paloaltonetworks.com/egregor-ransomware-courses-of-action/\r\nPage 1 of 4\r\nFigure 2. Egregor’s “Hall of Shame.”\r\nThe ransom note provides instructions with a three-day deadline to pay the ransom. If no contact is made within that timeframe, the victim risks exposure of all exfiltrated data on the Egregor “Hall of Shame” (Figure 2). Visible on the Hall of Shame is a visitor number and a progress percentage apparently referring to uploading data. We suspect that these numbers are used to aid the threat actors’ ransom negotiations.\r\nMore information on ransomware can be found in the 2021 Unit 42 Ransomware Threat Report.\r\nCourses of Action\r\nThis section documents relevant tactics, techniques and procedures (TTPs) used with Egregor and maps them directly to Palo Alto Networks product(s) and service(s). It also further instructs customers on how to ensure their devices are configured correctly.\r\nProduct / Service: Course of Action\r\nInitial Access, Execution, Privilege Escalation, Defense Evasion\r\nThe below courses of action mitigate the following techniques: Spearphishing Attachment [T1566.001], Valid Accounts [T1078], PowerShell [T1059.001], DLL Side-Loading [T1574.002], Process Injection [T1055], Obfuscated Files or Information [T1027], Rundll32 [T1218.011]\r\nNGFW:\r\n- Set up File Blocking\r\n- Ensure that User-ID is only enabled for internal trusted interfaces\r\n- Ensure that 'Include/Exclude Networks' is used if User-ID is enabled\r\n- Ensure that the User-ID Agent has minimal permissions if User-ID is enabled\r\n- Ensure that the User-ID service account does not have interactive logon rights\r\n- Ensure remote access capabilities for the User-ID service account are forbidden\r\nThreat Prevention†:\r\n- Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'\r\n- Ensure a secure antivirus profile is applied to all relevant security policies\r\n- Ensure that all zones have Zone Protection Profiles with all Reconnaissance Protection settings enabled, tuned and set to appropriate actions\r\nWildFire†:\r\n- Ensure that WildFire file size upload limits are maximized\r\n- Ensure forwarding is enabled for all applications and file types in WildFire file blocking profiles\r\n- Ensure a WildFire Analysis profile is enabled for all security policies\r\n- Ensure forwarding of decrypted content to WildFire is enabled\r\n- Ensure all WildFire session information settings are enabled\r\n- Ensure alerts are enabled for malicious files detected by WildFire\r\n- Ensure 'WildFire Update Schedule' is set to download and install updates every minute\r\nCortex XDR:\r\n- Enable Anti-Exploit Protection\r\n- Enable Anti-Malware Protection\r\nCortex XSOAR:\r\n- Deploy XSOAR Playbook - Phishing Investigation - Generic V2\r\n- Deploy XSOAR Playbook - Endpoint Malware Investigation\r\nDiscovery\r\nThe below courses of action mitigate the following techniques: Account Discovery [T1087], Domain Trust Discovery [T1482], File and Directory Discovery [T1083]\r\nNGFW:\r\n- Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone\r\n- Ensure 'Service setting of ANY' in a security policy allowing traffic does not exist\r\n- Ensure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources exists\r\nCortex XDR:\r\n- Configure Behavioral Threat Protection under the Malware Security Profile\r\nImpact\r\nThe below courses of action mitigate the following techniques: Data Encrypted for Impact [T1486]\r\nCortex XSOAR:\r\n- Deploy XSOAR Playbook - Ransomware Manual for incident response.\r\nTable 1. Courses of Action for Egregor ransomware.\r\n†These capabilities are part of the NGFW security subscriptions service.\r\nConclusion\r\nIn the short period of its observed activities, Egregor ransomware has compromised industries globally, including those within the U.S., Europe, Asia Pacific and Latin America. Organizations should be aware of and monitor the use of commodity malware, such as Qakbot, IcedID and Ursnif, that could end up delivering Egregor ransomware as a second-stage payload. Like Maze and other current variants, Egregor ransomware affiliates use double extortion. They host an extortion website called the “Hall of Shame” to create additional pressure and shame their victims into paying the ransom.\r\nWith the fall of Maze ransomware and the rise of Egregor, we suspect the group behind this ransomware will remain active in the following months and will continue their efforts to target high-profile organizations.\r\nIndicators associated with this Threat Assessment are available on GitHub, have been published to the Unit 42 TAXII feed and are viewable via the ATOM Viewer.\r\nIn addition to the above courses of action, AutoFocus customers can review additional activity by using the tag Egregor.\r\nPalo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report with our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat Alliance, visit www.cyberthreatalliance.org.\r\nSource: https://unit42.paloaltonetworks.com/egregor-ransomware-courses-of-action/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/egregor-ransomware-courses-of-action/"
	],
	"report_names": [
		"egregor-ransomware-courses-of-action"
	],
	"threat_actors": [
		{
			"id": "e9f85280-337c-4321-b872-0919f8ef64a6",
			"created_at": "2022-10-25T16:07:24.261761Z",
			"updated_at": "2026-04-10T02:00:04.914455Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"Gold Village",
				"Maze Team",
				"TA2101",
				"Twisted Spider"
			],
			"source_name": "ETDA:TA2101",
			"tools": [
				"7-Zip",
				"Agentemis",
				"BokBot",
				"Buran",
				"ChaCha",
				"Cobalt Strike",
				"CobaltStrike",
				"Egregor",
				"IceID",
				"IcedID",
				"Mimikatz",
				"PsExec",
				"SharpHound",
				"VegaLocker",
				"WinSCP",
				"cobeacon",
				"nmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c3c864b3-fac9-4d56-8500-7c06c829fbf8",
			"created_at": "2023-01-06T13:46:39.071873Z",
			"updated_at": "2026-04-10T02:00:03.203749Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"GOLD VILLAGE",
				"Storm-0216",
				"DEV-0216",
				"UNC2198",
				"TUNNEL SPIDER",
				"Maze Team",
				"TWISTED SPIDER"
			],
			"source_name": "MISPGALAXY:TA2101",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439054,
	"ts_updated_at": 1775826736,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/feb9b3cc0db88edbd59b01a8f1dd152ad6425b53.pdf",
		"text": "https://archive.orkl.eu/feb9b3cc0db88edbd59b01a8f1dd152ad6425b53.txt",
		"img": "https://archive.orkl.eu/feb9b3cc0db88edbd59b01a8f1dd152ad6425b53.jpg"
	}
}