Egregor

Description

Egregor is a ransomware strain that appeared in September 2020, widely believed to be a rebrand or successor to the Maze ransomware operation, using similar infrastructure and tactics. It runs as a Ransomware-as-a-Service (RaaS), recruiting affiliates to deploy its payload in exchange for a percentage of ransom payments. Egregor employs a double-extortion model, encrypting files with ChaCha and RSA-2048 algorithms, while exfiltrating sensitive data to threaten public release. Victims receive ransom notes directing them to Tor-based portals for negotiation. The group has targeted organizations worldwide across sectors such as retail, transportation, manufacturing, and finance, with notable attacks on Barnes & Noble and Cencosud. Egregor's operations were disrupted in early 2021 through coordinated law enforcement action, leading to the arrest of suspected affiliates in Ukraine.

External Analysis
https://www.bleepingcomputer.com/news/security/egregor-ransomware-linked-to-maze-arrests-made-in-ukraine/
https://www.trendmicro.com/en_us/research/20/k/egregor-ransomware-emerges-as-maze-shuts-down-operations.html
https://www.zdnet.com/article/egregor-ransomware-gang-arrested-in-ukraine/
URLs

http://egregoranrmzapcv.onion/
http://egregornews.com

File servers
(screenshot only; not reproduced here)

Chat servers
(screenshot only; not reproduced here)

Admin servers
(screenshot only; not reproduced here)