Egregor

Malware Profile Updated 13 days ago
Egregor is a variant of the Sekhmet ransomware and operates as Ransomware-as-a-Service (RaaS). It emerged in 2020 and is suspected to have been run by former Maze affiliates. Known for its double extortion tactics, Egregor publicly shames its victims by leaking sensitive data if the ransom isn't paid. In one notable instance in October 2020, the Egregor ransomware gang targeted game developer Crytek and leaked files allegedly stolen from Ubisoft. Tools such as MegaSync and Rclone have been observed in use during Egregor incidents. The initial access vector for Egregor has often been Qakbot, a trojan that has served various ransomware gangs, including Conti, ProLock, REvil, RansomExx, MegaCortex, and most recently, Black Basta. In a 2020 intrusion, threat actors deployed Egregor several months after GOLD MELODY had gained access to the environment. Throughout 2020 and 2021, attacks were observed leading to the deployment of Egregor and other ransomware families such as MountLocker. In February 2021, an undisclosed number of Egregor affiliates were arrested, disrupting the operation. Despite this setback, the threat from Egregor remained significant. In March 2023, cybersecurity firm Mandiant published an analysis showing multiple instances where UNC961 intrusion activity had preceded the deployment of Maze and Egregor ransomware. To counter this threat, tools such as the Egregor ransomware decryption tool have been developed and made available to help victims recover their data.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
Ransom
Associated Malware
ID | Type | Votes | Profile Description
Qbot | Unspecified | 3 | Qbot, also known as Qakbot or Pinkslipbot, is a modular information-stealing malware that emerged in 2007 as a banking trojan. Over time, it has evolved into an advanced strain of malware used by multiple cybercriminal groups to prepare compromised networks for ransomware infestations. The attack ch
Conti | Unspecified | 3 | Conti is a malware program known for its disruptive capabilities, including stealing personal information and holding data hostage for ransom. It gained notoriety as part of the arsenal of ITG23, a cybercrime group that used it in conjunction with other malicious software like Trickbot, BazarLoader,
MegaCortex | Unspecified | 2 | MegaCortex is a type of malware known for its harmful effects on computer systems and devices. It was identified by Dragos, a cybersecurity firm, as having a relationship with another ransomware called EKANS. Both MegaCortex and EKANS have specific characteristics that pose unique risks to industria
Black Basta | Unspecified | 2 | Black Basta is a prolific malware, specifically a Ransomware-as-a-Service (RaaS) operator, originating from Russia. It is believed to be an offshoot of the notorious Conti ransomware group, which ceased operations just prior to Black Basta's emergence. The malware uses popular initial access techniq
REvil | Unspecified | 2 | REvil, a Russia-based group, was a prominent player in the Ransomware as a Service (RaaS) model that gained traction through 2020. The group was notorious for its high-profile attacks on critical infrastructure entities in the US between 2019 and 2021. REvil's modus operandi involved hacking into vi
QakBot | Unspecified | 2 | Qakbot is a type of malware, or malicious software, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. Qakbot is among several malware families buil
ProLock | Unspecified | 2 | ProLock is a type of malware, specifically ransomware, that is designed to infiltrate computer systems, often unbeknownst to the user. It typically enters systems through suspicious downloads, emails, or websites. Once inside, ProLock can steal personal information, disrupt operations, and hold data
Associated Threat Actors
ID | Type | Votes | Profile Description
Alphv | Unspecified | 2 | Alphv, also known as BlackCat, is a notorious threat actor that emerged in December 2021. The group has been responsible for numerous high-profile cyberattacks, including those against Clarion, a global manufacturer of audio and video equipment for cars; Morrison Community Hospital, from which they
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Egregor malware was read from the document corpus below. This display is limited to 20 results.
Source | Created | Title
MITRE | a year ago | Egregor: Sekhmet's Cousin
MITRE | a year ago | Egregor Ransomware – A Deep Dive Into Its Activities and Techniques
MITRE | a year ago | Diavol - A New Ransomware Used By Wizard Spider? | Fortinet
Securityaffairs | a year ago | New QBot campaign delivered hijacking business correspondence
MITRE | a year ago | Cybereason vs. Conti Ransomware
CERT-EU | 4 months ago | Examples of Past and Current Attacks | #ransomware | #cybercrime | National Cyber Security Consulting
MITRE | a year ago | Qbot - 2021 Threat Detection Report - Red Canary
CERT-EU | 9 months ago | 200+ Free Ransomware Decryption Tools You Need [2022 List]
Securityaffairs | 5 months ago | Video game giant Ubisoft investigates reports of a data breach
MITRE | a year ago | The rise of QakBot
CERT-EU | a year ago | Emotet Returns from Hiatus, Trails QBot in Q1 Volume
CERT-EU | a year ago | Leveraging Data Science to Minimize the Blast Radius of Ransomware Attacks | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware - National Cyber Security Consulting
Secureworks | a year ago | Ransomware Evolution
CERT-EU | a year ago | ICS/OT Cybersecurity 2022 TXOne Annual Report Insights
Quick Heal Technologies Ltd. | a year ago | Uncovering LockBit Black's Attack Chain and Anti-forensic activity
Secureworks | a year ago | Phases of a Post-Intrusion Ransomware Attack
CERT-EU | 9 months ago | Qakbot botnet dismantled after infecting over 700,000 computers
CERT-EU | 5 months ago | The law enforcement operations targeting cybercrime in 2023
MITRE | 5 months ago | Threat Assessment: Black Basta Ransomware
InfoSecurity-magazine | 9 months ago | Manufacturing Sector Reeling From Financial Costs of Ransomware