Naked Security

Egregor ransomware criminals allegedly busted in Ukraine

More good news in the cybercrime law-and-order world, this time a bust of ransomware crooks.

According to a report from radio station France Inter, numerous cybercriminals connected to the Egregor ransomware gang have recently been arrested.

It’s not yet clear whether there are suspects in custody both in France and in Ukraine, but France Inter says [our translation] that:

This was a massive Franco-Ukrainian operation. Since Tuesday [last week], police in the two countries have been working together in an effort to dismantle a cybercrime group suspected of initiating hundreds of ransomware attacks dating back to September 2020.[…] Police arrested a number of hackers suspected of working with the Egregor cybercrime gang, providing hacking, logistical, and financial support.


Like many ransomware gangs these days, Egregor isn’t a small and self-contained hacking crew.

Egregor is an example of what’s become known as RaaS, short for ransomware-as-a-service, a name that’s ironically derived from industry terminology such as IaaS (infrastructure-as-a-service) and SaaS (software-as-a-service).

Ransomware-as-a-service typically means that the core technical operators – the criminals who code the ransomware and collect the money from victims – don’t need to deal directly with those victims.

Instead, the core criminals behind a RaaS operation provide a web portal through which “affiliates” can sign up to acquire malware samples, after which it’s up to the affiliates to carry out the “street work” of breaking into networks, spreading the ransomware and initiating the blackmail demands in which most ransomware attacks culminate.

The core criminals then collect the cryptocurrency paid in by victims and pay the affiliate behind each attack a percentage of the takings.

Each affiliate in a RaaS scheme typically gets 70% of the “revenue” from each attack they orchestrate, while the core of the gang keep 30% of the takings from every payment.

We can only guess that the crooks chose this split because a 30% platform cut is a long-established figure in the legitimate software world: it is the commission that app stores such as Apple’s App Store and Google Play have traditionally taken from developers, so anyone who has sold software through those channels is already used to it.



Cybercriminal double-play

Egregor, like many other contemporary ransomware strains, doesn’t rely only on scrambling your files and then blackmailing you into paying for the decryption key.

Affiliates are expected to steal a victim’s “trophy data”, for example by secretly uploading it to a cloud storage service, before unleashing the cryptographic coup de grâce of locking up data on the victim’s computers.

This stolen data is used as a second, perhaps even scarier, basis for extortion.

The victim is told not only that they will get the decryption key if they pay up, and therefore be able to get their business moving again, but also that their stolen data will be deleted and not shared with the world at large.

Given that the data stolen by ransomware attackers often includes company secrets and personal data about customers, the crooks are holding a data breach disclosure sword, as well as a cryptographic business blockade, over their victims’ heads.

Egregor, along with many other ransomware gangs, even runs its own publicity site on the dark web, where companies that refuse to pay up get named and shamed, and samples of potentially embarrassing files get dumped for all to see.

The bust

Based on the France Inter report, it doesn’t sound as though the core players in the Egregor operation have been busted, but rather that a bunch of affiliates and “hired hands” have been identified and arrested.

Nevertheless, a report from ZDNet claims that the Egregor infrastructure – the underworld web services that keep gang affiliates in business – has been offline since last Friday, including both the data disclosure “name-and-shame” pages and the servers that control the operation of the malware itself.

Even if the core of the group is still going and ready to drag itself out of the ashes, this bust and associated operational disruption is therefore welcome news.

And to anyone who is part of, or who’s been toying with the idea of becoming part of, the ransomware-as-a-service scene, assuming that it’s a sneaky way of joining in undetectably at what feels like the fringes of cybercrime…

…just remember that you’re not as invisible or anonymous as you might think, and that, if you do get caught up in a dragnet like this, you can expect little sympathy from magistrates and judges these days when your time comes to get sentenced.

What to do?

  • Watch this video. In this excellent and well-informed talk, we give you comprehensive plain-English advice on how most ransomware attacks unfold, and how to defend against them every step of the way. (This video isn’t just for the healthcare sector, although it was inspired by an FBI alert last year that warned of cybercrooks who perceive hospitals as tempting targets given their current focus on the coronavirus pandemic.)



  • Read our advice on how to stay protected from ransomware. Ransomware crooks use a range of techniques to get their first toehold inside your network, including spamming out phishing attacks, cracking or guessing passwords, and seeking out insecure or forgotten remote access servers on your public network.
  • Don’t give up on user awareness. Treat your users with respect and help them learn how to be more vigilant, and you can turn them into extra eyes and ears for your core cybersecurity team.
  • Make it easy for users to report suspicious activity. Set up a central mailing list or contact number to act as a “cybersecurity 911”. Cybercriminals don’t phish one user and give up if they fail, so an early warning from someone can immediately help everyone.
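The password-guessing and forgotten-remote-access-server toehold mentioned above is one you can go looking for in your own logs. The script below is an added example, not code from Sophos or from this article: it parses OpenSSH-style “Failed password” / “Accepted password” syslog lines and flags any source address that fails repeatedly across several different usernames, then notes whether that same address later logged in successfully, which is the case that needs an immediate response. The log lines are constructed for the example, and the thresholds (five failures, three usernames) are assumptions you would tune to your own environment; the regex would need adapting for RDP, VPN or other remote-access logs.

```python
"""Spot password-guessing bursts in SSH auth logs.

Added example, not Sophos code. SAMPLE_LOG below is constructed in
OpenSSH's syslog format; the thresholds are illustrative assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: 203.0.113.7 sprays six usernames and then gets in
# as "alice"; 198.51.100.20 is a legitimate user who mistypes twice.
SAMPLE_LOG = """\
Feb 12 09:00:01 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Feb 12 09:00:02 gw sshd[2102]: Failed password for invalid user test from 203.0.113.7 port 51002 ssh2
Feb 12 09:00:03 gw sshd[2103]: Failed password for root from 203.0.113.7 port 51003 ssh2
Feb 12 09:00:04 gw sshd[2104]: Failed password for invalid user oracle from 203.0.113.7 port 51004 ssh2
Feb 12 09:00:05 gw sshd[2105]: Failed password for invalid user backup from 203.0.113.7 port 51005 ssh2
Feb 12 09:00:06 gw sshd[2106]: Failed password for alice from 203.0.113.7 port 51006 ssh2
Feb 12 09:00:07 gw sshd[2107]: Accepted password for alice from 203.0.113.7 port 51007 ssh2
Feb 12 09:03:10 gw sshd[2150]: Failed password for bob from 198.51.100.20 port 40000 ssh2
Feb 12 09:03:15 gw sshd[2151]: Failed password for bob from 198.51.100.20 port 40001 ssh2
Feb 12 09:03:20 gw sshd[2152]: Accepted password for bob from 198.51.100.20 port 40002 ssh2
"""

# Matches both "Failed password for invalid user X" and "Failed password for X".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse(log_text):
    """Yield (result, user, ip) for each sshd password-auth line, in log order."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("ip")


def find_guessing_sources(log_text, min_failures=5, min_users=3):
    """Return {ip: summary} for source IPs whose failures look like guessing.

    An IP is flagged when it has at least min_failures failed logins spread
    across at least min_users distinct usernames (the spray pattern a
    single forgetful user does not produce).  success_after lists any
    accounts that IP logged into *after* it had already racked up failures.
    """
    failures = defaultdict(list)      # ip -> [username, ...]
    success_after = defaultdict(set)  # ip -> {username, ...}
    for result, user, ip in parse(log_text):
        if result == "Failed":
            failures[ip].append(user)
        elif failures[ip]:  # a success only counts once failures precede it
            success_after[ip].add(user)

    findings = {}
    for ip, users in failures.items():
        distinct = set(users)
        if len(users) >= min_failures and len(distinct) >= min_users:
            findings[ip] = {
                "failures": len(users),
                "usernames": sorted(distinct),
                "success_after": sorted(success_after[ip]),
            }
    return findings


if __name__ == "__main__":
    for ip, f in find_guessing_sources(SAMPLE_LOG).items():
        status = "LOGGED IN as " + ", ".join(f["success_after"]) if f["success_after"] else "no success yet"
        print(f"{ip}: {f['failures']} failures across {len(f['usernames'])} usernames; {status}")
```

Running it on the sample flags only 203.0.113.7 (six failures, six usernames, then a successful login as alice); bob’s two typos from 198.51.100.20 stay below both thresholds. The ordering check matters: a success with no preceding failures from that address is just a normal login, whereas a success that follows a spray is the moment the affiliate has a foothold and the clock on the rest of the attack has started.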
