Egregor

Malware updated 5 months ago (2024-05-04T20:48:32.145Z)
Egregor is a variant of the Sekhmet ransomware and operates as Ransomware-as-a-Service (RaaS). It emerged in 2020 and is suspected to have been started by former Maze affiliates. Known for its double-extortion tactics, Egregor publicly shames victims by leaking stolen data if the ransom is not paid. In one notable instance in October 2020, the Egregor gang targeted game developer Crytek and leaked files allegedly stolen from Ubisoft. Tools such as MegaSync and Rclone have been observed in use during Egregor incidents. The initial access vector for Egregor has often been Qakbot, a trojan that has provided a foothold for various ransomware gangs, including Conti, ProLock, REvil, RansomExx, MegaCortex and, most recently, Black Basta. In one 2020 intrusion, threat actors deployed Egregor several months after GOLD MELODY had gained access to the environment. Throughout 2020 and 2021, intrusions were observed leading to the deployment of Egregor and other ransomware families such as MountLocker. In February 2021, an undisclosed number of Egregor affiliates were arrested, disrupting the operation; despite this setback, the threat from Egregor remained significant. In March 2023, Mandiant published an analysis showing multiple instances in which UNC961 intrusion activity preceded the deployment of Maze and Egregor ransomware. An Egregor ransomware decryption tool has since been developed and made available to help victims recover their data.
Description last updated: 2024-05-04T19:22:07.383Z
Aliases: none currently tracked
Miscellaneous Associations (other elements of context that could aid in identifying relevance): Ransomware, Malware, Ransom
Associated Malware
Alias / Description | Association Type | Votes

The Qbot Malware is associated with Egregor. Qbot, also known as Qakbot or Pinkslipbot, is a modular information stealer malware that first emerged in 2007 as a banking trojan. Its evolution has seen it become an advanced strain of malware used by multiple cybercriminal groups to prepare compromised networks for ransomware infestations. The fi... | Unspecified | 3

The Conti Malware is associated with Egregor. Conti is a type of malware, specifically a ransomware, that infiltrates computer systems to exploit and damage them. It was commonly used in cyberattacks by ITG23, a cybercriminal group which also used other malware like Trickbot and BazarLoader. The Conti ransomware was known for its sophisticated... | Unspecified | 3

The MegaCortex Malware is associated with Egregor. MegaCortex is a type of malware known for its harmful effects on computer systems and devices. It was identified by Dragos, a cybersecurity firm, as having a relationship with another ransomware called EKANS. Both MegaCortex and EKANS have specific characteristics that pose unique risks to industria... | Unspecified | 2

The Black Basta Malware is associated with Egregor. Black Basta is a notorious malware and ransomware group known for its high-profile attacks on various sectors. The group, also known as Storm-0506, has been active since at least early 2022 and has accumulated over $107 million in Bitcoin ransom payments. It deploys malicious software to exploit vul... | Unspecified | 2

The REvil Malware is associated with Egregor. REvil is a notorious malware, specifically ransomware, which infiltrates computer systems through suspicious downloads, emails, or websites. It then exploits and damages the compromised system, often stealing personal information, disrupting operations, or holding data hostage for ransom. As part of... | Unspecified | 2

The QakBot Malware is associated with Egregor. Qakbot is a potent piece of malware, or malicious software, that infiltrates computer systems through suspicious downloads, emails, or websites. Once installed, it can steal personal information, disrupt operations, or even hold data hostage for ransom. This malware, built by various groups includin... | Unspecified | 2

The ProLock Malware is associated with Egregor. ProLock is a type of malware, specifically ransomware, that is designed to infiltrate computer systems, often unbeknownst to the user. It typically enters systems through suspicious downloads, emails, or websites. Once inside, ProLock can steal personal information, disrupt operations, and hold data... | Unspecified | 2
Associated Threat Actors
Alias / Description | Association Type | Votes

The Alphv Threat Actor is associated with Egregor. AlphV, also known as BlackCat, is a notable threat actor that has been operational since November 2021. This group has pioneered the public leaks business model in the realm of ransomware attacks and has been associated with significant cybercrimes. It is particularly infamous for its attack on Morr... | Unspecified | 2
Source Document References
Information about the Egregor Malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created

CERT-EU | 10 months ago
CERT-EU | 9 months ago
CERT-EU | 9 months ago
Securityaffairs | 10 months ago
MITRE | 10 months ago
CERT-EU | 10 months ago
DARKReading | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
InfoSecurity-magazine | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
MITRE | 2 years ago