Egregor

A joint operation between French and Ukrainian law enforcement has reportedly led to the arrests of several members of the Egregor ransomware operation in Ukraine.

As reported first by France Inter, on Tuesday, law enforcement made the arrests after French authorities could trace ransom payments to individuals located in Ukraine.

The arrested individuals are thought to be Egregor affiliates whose job was to hack into corporate networks and deploy the ransomware. France Inter also reports some individuals provided logistical and financial support.

Over this past year, Egregor has attacked numerous French organizations, including UbisoftOuest France, and, more recently Gefko.

The operation was reported launched through an investigation opened last fall by the Tribunal de grande instance de Paris after receiving complaints about the ransomware gang.

At this time, Egregor's Tor websites are offline, including the payment site and the operation's data leak site. With the Tor payment site inaccessible, victims are unable to contact the ransomware gang, pay a ransom, or download decryptors for previously paid ransoms.

It is not known if the problems with the ransomware gang's infrastructure are related to the law enforcement operation.

BleepingComputer.com has contacted French law enforcement but has not heard back.

Rise and fall of Egregor

Egregor operates as a ransomware-as-a-service (RaaS) where affiliates partner with the ransomware developers to conduct attacks and split the ransom payments.

In partnerships like this, the ransomware developers are responsible for developing the malware and running the payment site. At the same time, the affiliates are responsible for hacking into victims' networks and deploying the ransomware.

As part of this arrangement, developers earn between 20-30% of a ransom payment, while affiliates make the other 70-80%.

Egregor launched in the middle of September, just as one of the largest groups known as Maze began shutting down its operation.

At the time, threat actors told BleepingComputer that Maze affiliates moved to the Egregor RaaS, allowing the new ransomware operation to launch with experienced and skilled hackers.

In November, the ransomware gang partnered with the Qbot malware to gain access to victims' networks, increasing the volume of attacks even further.

Due to Egregor growing so quickly in a relatively short period, victims had to wait in a queue to negotiate a ransomware payment.

Victim told to wait in queue for negotiation
Victim told to wait in queue for negotiation

In early December, Egregor suddenly started slowing down with far fewer attacks conducted by the operation. You can see this dramatic decrease beginning on December 9th, 2020, in the graph below of Egregor submissions to ID Ransomware.

ID-Ransomware submission stats showing huge decline
ID-Ransomware submission stats showing a huge decline

Last month, Bill Siegel, CEO of ransom negotiation firm Coveware, told BleepingComputer that they too had seen a decline in Egregor attacks and told us affiliates might have moved to another RaaS.

In January, Egregor's data leak site went offline for approximately two weeks, and when it came online again, there were issues with the site. This unusual activity led other threat actors to become suspicious that Egregor was hacked or breached by aw enforcement.

Concerns about Egregor
Hackers concerned Egregor may have been 

Whether the decline of Egregor activity is law enforcement related or simply the ebbs and flows of ransomware operations is not currently known.

In a new report released last week by cybersecurity firm Kivu, researchers state that Egregor has amassed over 200 victims since it launched, and is comprised of 10-12 core members and 20-25 semi-exclusively vetted members.

Some of the well-known companies that have been attacked by Egregor include Barnes and Noble, KmartCencosudRandstad, Vancouver's TransLink metro system, and Crytek. 

Thx to pancak3 for the tip!

Update 2/15/21: Added that Egregor's Tor infrastructure is down.

Related Articles:

LockBit ransomware returns to attacks with new encryptors, servers

LockBit ransomware secretly building next-gen encryptor before takedown

Knight ransomware source code for sale after leak site shuts down

Alpha ransomware linked to NetWalker operation dismantled in 2021

Ransomware payments reached record $1.1 billion in 2023