Egregor Ransomware Exits the Maze

A new Ransomware-as-a-Service (RaaS) offering named Egregor emerged in September 2020 and has already claimed high-profile victims.

After encrypting and exfiltrating a target’s data, Egregor’s operators also threaten to release the stolen data publicly unless a ransom is paid within three days.

Researchers at Malwarebytes believe Egregor has benefited from the “press release” detailing the shutting down of the Maze ransomware infrastructure by its operators. It appears that many of the customers (aka “affiliates”) of the Maze RaaS offering have moved over to Egregor.

What Is It?

Like many current ransomware variants, Egregor uses the dual threat of naming and shaming victims and releasing stolen data to increase the pressure on a victim to pay. Researchers at Appgate discovered the “Egregor News” dark web site, which hosts a victim “hall of shame” and is also where stolen victim data is leaked. The current victim count appears to be low; named victims include the logistics firm GEFCO and the bookseller Barnes & Noble.

Egregor’s ransom note sets a three-day deadline to pay the ransom and states that failure to pay will result in the release of the stolen data, along with publicity to ensure the victim’s “partners and clients” are made aware of the attack. The note also states that once the ransom is paid, the victim will receive full decryption of their data, a complete listing of all files downloaded, confirmation that the downloaded data has been deleted from Egregor’s servers and, most interestingly of all, recommendations for securing their network perimeter against further cyberattacks.

Egregor incorporates techniques that make sample analysis more difficult, such as obfuscated code blocks and custom-packed payloads. The Egregor payload is stored encrypted and is only decrypted when the correct parameter is passed to the malware on the command line at execution. Without that parameter the payload never decrypts, which thwarts both manual malware analysis and automated solutions such as sandboxes, since a sandbox typically detonates a sample without knowing the argument the operators used.
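The gating behaviour described above, as an added example (not code from the original page, from BluVector, or from the Egregor sample itself): a toy loader carries its second stage encrypted under a key derived from a command-line argument, so detonating it with no argument, or with a guessed one, produces nothing to analyse; the analyst’s counter is to recover the real argument from process-creation telemetry (a Sysmon Event ID 1 or EDR record) and re-run the sample with it. The cipher (a SHA-256 counter keystream with an HMAC tag), the loader path, the argument value and the telemetry record are all constructed for illustration and do not reflect Egregor’s actual packing scheme; the “payload” is a harmless marker string.

```python
"""Toy demonstration of argument-gated payload decryption.

Added example, not Egregor code. The cipher below is a deliberate toy
(SHA-256 counter keystream XOR plus an HMAC tag) so the gating is easy to
follow; nothing here reflects the real sample's packing or decryption.
"""
import hashlib
import hmac
from typing import List, Optional

# Harmless stand-in for the second stage (constructed for this example).
PAYLOAD_MARKER = b"stage-2 payload: harmless marker string"


def _keystream(password: str, length: int) -> bytes:
    """Toy keystream: SHA-256 over (password || 32-bit counter). Not for real use."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(password.encode() + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _tag(password: str, ciphertext: bytes) -> bytes:
    """16-byte HMAC over the ciphertext so a wrong key is rejected cleanly."""
    key = hashlib.sha256(b"tag:" + password.encode()).digest()
    return hmac.new(key, ciphertext, hashlib.sha256).digest()[:16]


def pack(plaintext: bytes, password: str) -> bytes:
    """Build the blob a loader would carry: tag || ciphertext."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(password, len(plaintext))))
    return _tag(password, ct) + ct


def unpack(blob: bytes, password: str) -> Optional[bytes]:
    """Return the decrypted stage if `password` is correct, otherwise None."""
    tag, ct = blob[:16], blob[16:]
    if not hmac.compare_digest(tag, _tag(password, ct)):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(password, len(ct))))


def loader(argv: List[str], blob: bytes) -> str:
    """Mimic the gating: the second stage only exists in memory if argv[1] is right."""
    if len(argv) < 2:
        return "no argument: stage 2 never decrypted"
    stage2 = unpack(blob, argv[1])
    if stage2 is None:
        return "wrong argument: stage 2 never decrypted"
    return "stage 2 decrypted: " + stage2.decode()


# --- analyst side ---------------------------------------------------------
# Constructed process-creation record, loosely shaped like a Sysmon Event ID 1
# or EDR entry. Path and argument are invented for this example.
CONSTRUCTED_PROC_EVENT = {
    "Image": r"C:\Users\Public\loader.exe",
    "CommandLine": r'"C:\Users\Public\loader.exe" Q7xT1m9v',
}


def recover_arguments(event: dict) -> List[str]:
    """Everything after the image token on a captured command line.

    Note: a production parser should honour quoting the way
    CommandLineToArgvW does; the constructed path here has no spaces, so a
    plain split is enough for the demonstration.
    """
    return event["CommandLine"].split()[1:]


def demo() -> dict:
    """Run the loader the way a sandbox would, then with the recovered argument."""
    operator_password = "Q7xT1m9v"  # constructed; normally only the operator knows it
    blob = pack(PAYLOAD_MARKER, operator_password)
    return {
        "sandbox_no_args": loader(["loader.exe"], blob),
        "sandbox_guess": loader(["loader.exe", "password"], blob),
        "with_recovered_arg": loader(
            ["loader.exe"] + recover_arguments(CONSTRUCTED_PROC_EVENT), blob
        ),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The practical lesson is that a detonation verdict of “benign, no payload observed” is not evidence of a benign file when the sample was never given the argument it expects; the command line the operators actually used is the artefact to hunt for in endpoint telemetry before re-detonating.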

How Does It Propagate?

The malware does not contain the code needed to self-propagate. Egregor’s initial attack vectors are not currently known; however, the most common attack vector for ransomware in general remains social engineering, either through malicious attachments or through downloads initiated by malicious documents.

When/How Did BluVector Detect It?

Five publicly available samples of Egregor ransomware were tested and BluVector’s patented Machine Learning Engine (MLE) detected all of them. Regression testing showed that all samples would have been detected 57 months prior to their release.

With nearly 20 years of experience in the security industry, Travis Rosiek is a highly accomplished cyber defense professional having led several commercial and U.S. government programs. He is known for developing and executing strategic plans to build the technical capacity across product development, quality assurance, technical marketing, professional services and sales engineering. Prior to his role at BluVector, Rosiek held several leadership roles including CTO at Tychon and Federal CTO at FireEye as well as senior roles at CloudHASH Security, McAfee and Defense Information Systems Agency (DISA).
