Egregor

Malware updated a month ago (2024-10-15T10:02:33.349Z)
Egregor is a ransomware family derived from the Sekhmet ransomware and operated on a Ransomware-as-a-Service (RaaS) model. It is speculated to be associated with former Maze affiliates and is notorious for double extortion: the victim's data is encrypted, and sensitive information is also leaked publicly to shame the victim into paying. Egregor has been implicated in numerous high-profile attacks, including the 2020 breaches at Ubisoft and Crytek, where it was used to steal and leak game source code. Egregor operators gained access to systems through various methods, frequently using other malware such as Qakbot as the initial infection vector. Qakbot itself has been used by multiple ransomware groups, including Conti, ProLock, REvil, RansomExx, MegaCortex and, most recently, Black Basta. In one 2020 intrusion, threat actors deployed Egregor several months after GOLD MELODY had obtained access to the environment. Tools such as MegaSync and Rclone have also been observed in Egregor incidents, typically for staging and exfiltrating data before encryption. Efforts to combat Egregor have seen some success: a number of Egregor affiliates were arrested in February 2021, disrupting the group's operations, and decryption tools for Egregor, along with related ransomware families such as Maze and Sekhmet, have been developed and are available online, offering victims a potential means of recovering encrypted data without paying the ransom. The continued prevalence of Egregor nonetheless underscores the importance of robust defences against initial access and infection.
Description last updated: 2024-10-15T09:25:55.952Z
Aliases: none currently tracked

Miscellaneous Associations (other elements of context that could aid in the identification of relevance):
Ransomware
Malware
Ransom
Associated Malware
Alias (association type; votes) and description. Descriptions below are truncated as they appear on the page.

Qbot (Unspecified; 3 votes)
The Qbot Malware is associated with Egregor. Qbot, also known as Qakbot or Pinkslipbot, is a modular information stealer malware that first emerged in 2007 as a banking trojan. Its evolution has seen it become an advanced strain of malware used by multiple cybercriminal groups to prepare compromised networks for ransomware infestations. The fi

Conti (Unspecified; 3 votes)
The Conti Malware is associated with Egregor. Conti is a type of malware, specifically ransomware, that was designed to infiltrate computer systems, disrupt operations, and potentially hold data hostage for ransom. It has been linked to various ransomware groups such as Quantum, MountLocker, and the notorious Conti ransomware gang. The software

MegaCortex (Unspecified; 2 votes)
The MegaCortex Malware is associated with Egregor. MegaCortex is a type of malware known for its harmful effects on computer systems and devices. It was identified by Dragos, a cybersecurity firm, as having a relationship with another ransomware called EKANS. Both MegaCortex and EKANS have specific characteristics that pose unique risks to industria

Black Basta (Unspecified; 2 votes)
The Black Basta Malware is associated with Egregor. Black Basta is a notorious malware group known for its sophisticated ransomware attacks, which have targeted numerous high-profile entities. The group has demonstrated a remarkable ability to adapt their tactics, techniques, and procedures (TTPs), allowing them to effectively evade security defenses

REvil (Unspecified; 2 votes)
The REvil Malware is associated with Egregor. REvil, also known as Sodinokibi, is a malicious software (malware) that operates on a Ransomware as a Service (RaaS) model. This model became increasingly popular in 2020, with first-stage malware like Dridex and Gootkit being linked to ransomware attacks such as BitPaymer and REvil respectively. Th

QakBot (Unspecified; 2 votes)
The QakBot Malware is associated with Egregor. Qakbot is a malicious software (malware) designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations, or hold data for ransom. Built by d

ProLock (Unspecified; 2 votes)
The ProLock Malware is associated with Egregor. ProLock is a type of malware, specifically ransomware, that is designed to infiltrate computer systems, often unbeknownst to the user. It typically enters systems through suspicious downloads, emails, or websites. Once inside, ProLock can steal personal information, disrupt operations, and hold data
Associated Threat Actors
Alias (association type; votes) and description. The description below is truncated as it appears on the page.

Alphv (Unspecified; 2 votes)
The Alphv Threat Actor is associated with Egregor. Alphv, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. Originating from Russia, this cybercriminal group has been involved in multiple high-profile ransomware attacks, specifically targeting healthcare providers. They gained significant attention after stealing 5TB
Source Document References
Information about the Egregor Malware was read from the document corpus below. This display is limited to 20 results.

Source, created:
CERT-EU, a year ago
CERT-EU, 10 months ago
CERT-EU, a year ago
Securityaffairs, a year ago
MITRE, a year ago
CERT-EU, a year ago
DARKReading, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
InfoSecurity-magazine, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
MITRE, 2 years ago