A new ransomware group called Egregor has caught the attention of the Federal Bureau of Investigation, prompting it to issue a warning last month. GRC World Forums explains more about what it is and how it is being used in “double-extortion” attempts.


A new player has entered the ransomware-as-a-service market and is beginning to make waves.

The Federal Bureau of Investigation last month put out an alert warning about this new type of ransomware, called Egregor, which is rapidly becoming popular among criminals.

What is Egregor ransomware?

Egregor is a newly identified ransomware variant that was first discovered in September, 2020, and has recently been identified in several sophisticated attacks on organizations worldwide.

Egregor is believed to be a relative of another ransomware called Sekhmet that emerged in March, 2020.

The group’s ransomware attacks are characterized by their double-extortion tactics. The cybercrime group breaches sensitive data, encrypting it so that it cannot be accessed by the victim.

The ransomware leaves a ransom note on machines instructing the victim to communicate with the threat actors via an online chat. They even sometimes utilize the print function on victim machines to print the ransom notes out

If no ransom is paid, the criminals then publish a subset of the compromised data on the dark web as proof of the successful exfiltration and give the victim a deadline to pay a price to prevent further data being published.

Who has been attacked?

The group behind the Egregor ransomware claim to have compromised more than 150 victims worldwide. It has taken responsibility for several high-profile attacks around the world in recent weeks.

Barnes & Noble, the US bookseller, warned that it had been hacked in October and Egregor said it had stolen unencrypted financial and audit data.

The video game developers Ubisfot and Crytek have also been hit, with Egregor posting archives of unencrypted files on the dark web.

In December recruiter Randstad, one of the world’s largest recruitment agencies, suffered a data breach and blamed Egregor publicly.

A recent attack on Foxtons PLC, a large estate agency in the United Kingdom is also thought to have been the work of the group, although the company has not confirmed this. A reported 16,000 files were leaked, although Foxtons said the personal data was old, incomplete and unusable.

How does it operate?

According to the FBI, the tactics and techniques used in deploying Egregor vary due to a large number of actors involved. They may use phishing emails with malicious attachments to gain access to accounts or exploit Remote Desktop Protocol or Virtual Private Networks.

Egregor infection happens via a loader. Once they have gained access, criminals then install a remote desktop protocol and the malware then identifies and disables antivirus software.

Egregor ransomware affiliates use common pen testing and exploit tools like Cobalt Strike, Qakbot/Qbot, Advanced IP Scanner, and AdFind to escalate privileges and move laterally across a network, and tools like Rclone 7zip to exfiltrate data.

Egregor is considered to be operating as ransomware-as-a-service, meaning the developers of the ransomware sell or lease access to criminals to use.

How do you protect yourself against it?

The FBI has issued the following advice:

  • Back-up critical data offline.
  • Ensure copies of critical data are in the cloud or on an external hard drive or storage device.
  • Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the data resides.
  • Install and regularly update anti-virus or anti-malware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks.
  • Use two-factor authentication and do not click on unsolicited attachments or links in emails. TLP: WHITE TLP: WHITE
  • Prioritize patching of public-facing remote access products and applications, including recent RDP vulnerabilities (CVE-2020-0609, CVE-2020-0610, CVE-2020-16896, CVE-2019- 1489, CVE-2019-1225, CVE-2019-1224, CVE-2019-1108).
  • Review suspicious .bat and .dll files, files with recon data (such as .log files), and exfiltration tools.
  • Securely configure RDP by restricting access, using multi-factor authentication or strong passwords.