Egregor Ransomware Operation Disrupted and Several Arrests Made

Several suspected members of the Egregor ransomware operation have been arrested in Ukraine, according to the news outlet France Inter. The arrests were made as part of a joint operation between law enforcement in France and Ukraine to disrupt the operation.

The suspects arrested in the operation are understood to be affiliates who signed up to hack corporate networks and deploy Egregor ransomware for a cut of the ransom payments that were generated, rather than individuals who operate the Egregor cartel.

Egregor is a ransomware-as-a-service (RaaS) operation: the cartel provides the ransomware and runs the affiliate program, and individuals are recruited to distribute the ransomware on the cartel's behalf. Affiliates receive between 70% and 80% of the ransom payments they generate, with the remaining 20% to 30% taken by the cartel.

Egregor ransomware first emerged in September 2020, at a time when the Maze ransomware operation was being shut down. Many of the affiliates recruited to distribute the ransomware had previously distributed Maze ransomware and switched operations when the Maze gang closed down. The gang is believed to have conducted more than 200 successful attacks in five months, and a report from Chainalysis indicates it generated between $40 million and $50 million in ransom payments.

In the fall of 2020, law enforcement in France started to receive notifications from French companies that had been attacked with Egregor ransomware, and an investigation was launched to bring the perpetrators to justice. Companies in France that were targeted included the video game developer Ubisoft, Ouest-France, and Gefco. The gang has also conducted successful attacks on Kmart, Barnes & Noble, Crytek, and the TransLink transit system in Vancouver.

The Egregor operation was highly active throughout November, with between 5 and 15 attacks conducted daily. The high volume of attacks often left victims waiting to negotiate with the gang and obtain the keys to decrypt their files. In December the number of attacks started to fall, and since then attacks have continued at a rate of around 2 or 3 per day.

The joint law enforcement investigation traced the infrastructure to Ukraine, and individuals involved in the attacks were identified by analyzing the blockchain record of the Bitcoin ransom payments made by victims. It is unclear how and when the law enforcement operation started to identify affiliates, or whether the decline in attacks was linked to the law enforcement operation.

The arrests appear to have had a significant impact on the Egregor operation, with the command and control infrastructure and data leak site both taken offline since Friday, according to Recorded Future.

It is unclear whether the infrastructure was taken offline by the Egregor gang or by law enforcement. No seizure notice stating that the site has been taken over by law enforcement has been placed on it, so the former seems more likely. At this stage, law enforcement authorities have yet to name the suspects, state their alleged roles in the operation, or say how many individuals have been arrested.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news