Egregor
Description
Egregor is a ransomware strain that appeared in September 2020 and is widely assessed to be a rebrand or successor of the Maze ransomware operation, reusing similar infrastructure, tooling and tactics. It operates as Ransomware-as-a-Service (RaaS): affiliates gain access to victim networks and deploy the payload in exchange for a share of the ransom. Egregor follows a double-extortion model, exfiltrating sensitive data before encryption so that the victim can be threatened with public release on the group's leak site, and encrypting files with a ChaCha stream cipher whose keys are protected with RSA-2048. Ransom notes direct victims to Tor-based portals for negotiation. The group targeted organizations worldwide across sectors including retail, transportation, manufacturing and finance, with notable attacks on Barnes & Noble and Cencosud. Egregor's operations were disrupted in February 2021 by a coordinated French and Ukrainian law enforcement action that led to the arrest of suspected affiliates in Ukraine.
External Analysis
https://www.bleepingcomputer.com/news/security/egregor-ransomware-linked-to-maze-arrests-made-in-ukraine/
https://www.trendmicro.com/en_us/research/20/k/egregor-ransomware-emerges-as-maze-shuts-down-operations.html
https://www.zdnet.com/article/egregor-ransomware-gang-arrested-in-ukraine/
Urls
http://egregoranrmzapcv.onion/
http://egregornews.com