Egregor Ransomware Vying to Become the Top Ransomware Threat

The Maze ransomware gang may have shut down its operation, but there is now a new ransomware variant that is vying to take its place as one of the biggest ransomware threats. Egregor ransomware first appeared in September 2020, claiming 15 victims in the month, followed by attacks on the US bookseller, Barnes & Noble, and the French and German video game developers, Ubisoft and Crytek. Since then, the number of attacks using Egregor ransomware has increased sharply.

Digital Shadows reports that there was a 240% increase in the number of companies successfully attacked in October and there have been a further 21 victims of Egregor ransomware attacks up to November 17. The group appears to favor attacks on companies in the industrial goods and service sector, which account for 38% of attacks, and 8 out of 10 victims to date have been based in the United States. As of November 17, 2020, 71 victims have been named by the group across 19 industry verticals.

As with Maze and many other human-operated ransomware groups, sensitive data is stolen from victims prior to file encryption and threats are issued to release the data publicly if the ransom is not paid.

Egregor ransomware uses multiple methods to prevent analysis, such as code obfuscation and packed payloads and the ransomware leverages Windows APIs to encrypt the payload data. “When the correct command-line argument is presented, the malware executes by injecting into iexplore.exe process, encrypting all text files and documents, and enclosing a ransom note within each folder that has an encrypted file. This process includes files on remote machines and servers through checks on Logmein event logs,” explained Digital Shadows.

Victims are given three days to make contact, after which parts of the stolen data are uploaded to the ransomware operators’ data leak site. The group has made good on its promise to release data if no contact is made or the ransom is not paid, having already released around 200MB of data stolen from Ubisoft and 400MB of data related to new games about to be released by Crytek.

The ransomware is still fairly new, so it is unclear how they are managing to infiltrate company networks, although there is some evidence that phishing attacks and brute force tactics are being used. The operators of the QBot (Quakbot) Trojan have also switched from delivering Prolock to Egregor as a secondary payload.

The increase in Egregor activity has coincided with the shutting down of the Maze operation. While there are similarities between the two groups, it is unclear whether Egregor is the new ransomware variant being used by the former Maze operators, but it does appear that affiliates who were distributing Maze have switched to Egregor.

Protecting against attacks where the attack vectors are not well understood is difficult, but adopting cybersecurity best practices such as patching promptly, implementing multifactor authentication, and using a spam filtering solution and firewalls will make it harder for attacks to succeed. Regular backups should also be performed, with backups stored on non-networked devices to ensure recovery is possible without paying the ransom.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of