SYMBOLCOMMON_NAMEaka. SYNONYMS
win.egregor (Back to overview)

Egregor


According to Heimdal, Egregor ransomware infection happens via a loader, then, in the victim’s firewall, it enables the Remote Desktop Protocol. After this part, the malware is free to move inside the victim’s network, identifying and disabling all the antivirus software it can find. The next step is the encryption of the data and the insertion of a ransom note named “RECOVER-FILES.txt” in all the compromised folders.

References
2022-05-01BushidoTokenBushidoToken
@online{bushidotoken:20220501:gamer:0acfc22, author = {BushidoToken}, title = {{Gamer Cheater Hacker Spy}}, date = {2022-05-01}, organization = {BushidoToken}, url = {https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html}, language = {English}, urldate = {2022-05-03} } Gamer Cheater Hacker Spy
Egregor HelloKitty NetfilterRootkit RagnarLocker Winnti
2022-03-17SophosTilly Travers
@online{travers:20220317:ransomware:df38f2f, author = {Tilly Travers}, title = {{The Ransomware Threat Intelligence Center}}, date = {2022-03-17}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/}, language = {English}, urldate = {2022-03-18} } The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2022-02-09Bleeping ComputerLawrence Abrams
@online{abrams:20220209:ransomware:e36973b, author = {Lawrence Abrams}, title = {{Ransomware dev releases Egregor, Maze master decryption keys}}, date = {2022-02-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/}, language = {English}, urldate = {2022-02-10} } Ransomware dev releases Egregor, Maze master decryption keys
Egregor Maze Sekhmet
2022-02-09Security AffairsPierluigi Paganini
@online{paganini:20220209:master:b0b64b8, author = {Pierluigi Paganini}, title = {{Master decryption keys for Maze, Egregor, and Sekhmet ransomware leaked online}}, date = {2022-02-09}, organization = {Security Affairs}, url = {https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html}, language = {English}, urldate = {2022-02-10} } Master decryption keys for Maze, Egregor, and Sekhmet ransomware leaked online
Egregor m0yv Maze Sekhmet
2021-11-03CERT-FRANSSI
@online{anssi:20211103:identification:3143cbb, author = {ANSSI}, title = {{Identification of a new cybercriminal group: Lockean}}, date = {2021-11-03}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/}, language = {English}, urldate = {2021-11-03} } Identification of a new cybercriminal group: Lockean
DoppelPaymer Egregor Maze PwndLocker REvil
2021-10-26ANSSI
@techreport{anssi:20211026:identification:9444ac3, author = {ANSSI}, title = {{Identification of a new cyber criminal group: Lockean}}, date = {2021-10-26}, institution = {}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf}, language = {English}, urldate = {2022-01-25} } Identification of a new cyber criminal group: Lockean
Cobalt Strike DoppelPaymer Egregor Maze PwndLocker QakBot REvil
2021-10-22HUNT & HACKETTKrijn de Mik
@online{mik:20211022:advanced:e22d6f6, author = {Krijn de Mik}, title = {{Advanced IP Scanner: the preferred scanner in the A(P)T toolbox}}, date = {2021-10-22}, organization = {HUNT & HACKETT}, url = {https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox}, language = {English}, urldate = {2021-11-02} } Advanced IP Scanner: the preferred scanner in the A(P)T toolbox
Conti DarkSide Dharma Egregor Hades REvil Ryuk
2021-08-15SymantecThreat Hunter Team
@techreport{team:20210815:ransomware:f799696, author = {Threat Hunter Team}, title = {{The Ransomware Threat}}, date = {2021-08-15}, institution = {Symantec}, url = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf}, language = {English}, urldate = {2021-12-15} } The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-08-10Bleeping ComputerSergiu Gatlan
@online{gatlan:20210810:crytek:59f98bc, author = {Sergiu Gatlan}, title = {{Crytek confirms Egregor ransomware attack, customer data theft}}, date = {2021-08-10}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/crytek-confirms-egregor-ransomware-attack-customer-data-theft/}, language = {English}, urldate = {2021-08-11} } Crytek confirms Egregor ransomware attack, customer data theft
Egregor Maze
2021-08-05KrebsOnSecurityBrian Krebs
@online{krebs:20210805:ransomware:0962b82, author = {Brian Krebs}, title = {{Ransomware Gangs and the Name Game Distraction}}, date = {2021-08-05}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/}, language = {English}, urldate = {2021-12-13} } Ransomware Gangs and the Name Game Distraction
DarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Maze RansomEXX REvil Ryuk Sekhmet
2021-08-04CrowdStrikeFalcon OverWatch Team, CrowdStrike Intelligence Team, CrowdStrike IR
@online{team:20210804:prophet:e6e6a99, author = {Falcon OverWatch Team and CrowdStrike Intelligence Team and CrowdStrike IR}, title = {{PROPHET SPIDER Exploits Oracle WebLogic to Facilitate Ransomware Activity}}, date = {2021-08-04}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/}, language = {English}, urldate = {2021-09-02} } PROPHET SPIDER Exploits Oracle WebLogic to Facilitate Ransomware Activity
Cobalt Strike Egregor Mount Locker
2021-07-27Bleeping ComputerLawrence Abrams
@online{abrams:20210727:lockbit:095b8d6, author = {Lawrence Abrams}, title = {{LockBit ransomware now encrypts Windows domains using group policies}}, date = {2021-07-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/}, language = {English}, urldate = {2021-07-29} } LockBit ransomware now encrypts Windows domains using group policies
Egregor LockBit
2021-07-21IBMChris Caridi, Allison Wikoff
@online{caridi:20210721:this:17b999a, author = {Chris Caridi and Allison Wikoff}, title = {{This Chat is Being Recorded: Egregor Ransomware Negotiations Uncovered}}, date = {2021-07-21}, organization = {IBM}, url = {https://securityintelligence.com/posts/egregor-ransomware-negotiations-uncovered/}, language = {English}, urldate = {2021-07-22} } This Chat is Being Recorded: Egregor Ransomware Negotiations Uncovered
Egregor
2021-07-09The RecordCatalin Cimpanu
@online{cimpanu:20210709:ransomwhere:bd77fbe, author = {Catalin Cimpanu}, title = {{Ransomwhere project wants to create a database of past ransomware payments}}, date = {2021-07-09}, organization = {The Record}, url = {https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/}, language = {English}, urldate = {2021-07-20} } Ransomwhere project wants to create a database of past ransomware payments
Egregor Mailto Maze REvil
2021-07-01DomainToolsChad Anderson
@online{anderson:20210701:most:39f64b8, author = {Chad Anderson}, title = {{The Most Prolific Ransomware Families: A Defenders Guide}}, date = {2021-07-01}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide}, language = {English}, urldate = {2021-07-11} } The Most Prolific Ransomware Families: A Defenders Guide
REvil Conti Egregor Maze REvil
2021-06-16ProofpointSelena Larson, Daniel Blackford, Garrett M. Graff
@online{larson:20210616:first:2e436a0, author = {Selena Larson and Daniel Blackford and Garrett M. Graff}, title = {{The First Step: Initial Access Leads to Ransomware}}, date = {2021-06-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware}, language = {English}, urldate = {2021-06-21} } The First Step: Initial Access Leads to Ransomware
BazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker
2021-05-18Bleeping ComputerIonut Ilascu
@online{ilascu:20210518:darkside:d8e345b, author = {Ionut Ilascu}, title = {{DarkSide ransomware made $90 million in just nine months}}, date = {2021-05-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/}, language = {English}, urldate = {2021-06-07} } DarkSide ransomware made $90 million in just nine months
DarkSide DarkSide Egregor Gandcrab Mailto Maze REvil Ryuk
2021-05-10DarkTracerDarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-04-26CoveWareCoveWare
@online{coveware:20210426:ransomware:12586d5, author = {CoveWare}, title = {{Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound}}, date = {2021-04-26}, organization = {CoveWare}, url = {https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound}, language = {English}, urldate = {2021-05-13} } Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt
2021-04-07ANALYST1Jon DiMaggio
@online{dimaggio:20210407:ransom:a109d6f, author = {Jon DiMaggio}, title = {{Ransom Mafia - Analysis of the World's First Ransomware Cartel}}, date = {2021-04-07}, organization = {ANALYST1}, url = {https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel}, language = {English}, urldate = {2021-06-01} } Ransom Mafia - Analysis of the World's First Ransomware Cartel
Conti Egregor LockBit Maze RagnarLocker SunCrypt VIKING SPIDER
2021-04-07ANALYST1Jon DiMaggio
@techreport{dimaggio:20210407:ransom:a543eac, author = {Jon DiMaggio}, title = {{Ransom Mafia Analysis of the World's First Ransomware Cartel}}, date = {2021-04-07}, institution = {ANALYST1}, url = {https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf}, language = {English}, urldate = {2021-04-09} } Ransom Mafia Analysis of the World's First Ransomware Cartel
Conti Egregor LockBit Maze RagnarLocker Ryuk SunCrypt TA2101 VIKING SPIDER
2021-03-26Trend MicroTrend Micro
@online{micro:20210326:alleged:ce2115c, author = {Trend Micro}, title = {{Alleged Members of Egregor Ransomware Cartel Arrested}}, date = {2021-03-26}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/c/egregor-ransomware-cartel-members-arrested.html}, language = {English}, urldate = {2021-04-28} } Alleged Members of Egregor Ransomware Cartel Arrested
Egregor QakBot
2021-03-24CiscoDavid Liebenberg, Caitlin Huey
@online{liebenberg:20210324:quarterly:4707c30, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly Report: Incident Response trends from Winter 2020-21}}, date = {2021-03-24}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html}, language = {English}, urldate = {2021-03-25} } Quarterly Report: Incident Response trends from Winter 2020-21
Egregor REvil WastedLocker
2021-03-16The RecordCatalin Cimpanu
@online{cimpanu:20210316:frances:5c4b6c2, author = {Catalin Cimpanu}, title = {{France’s lead cybercrime investigator on the Egregor arrests, cybercrime}}, date = {2021-03-16}, organization = {The Record}, url = {https://therecord.media/frances-lead-cybercrime-investigator-on-the-egregor-arrests-cybercrime/}, language = {English}, urldate = {2021-03-22} } France’s lead cybercrime investigator on the Egregor arrests, cybercrime
Egregor
2021-03-02CERT-FRCERT-FR
@online{certfr:20210302:egregor:f0da4ec, author = {CERT-FR}, title = {{The Egregor Ransomware}}, date = {2021-03-02}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/}, language = {English}, urldate = {2021-06-29} } The Egregor Ransomware
Egregor Maze Sekhmet
2021-03Group-IBOleg Skulkin, Roman Rezvukhin, Semyon Rogachev
@techreport{skulkin:202103:ransomware:992ca10, author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev}, title = {{Ransomware Uncovered 2020/2021}}, date = {2021-03}, institution = {Group-IB}, url = {https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf}, language = {English}, urldate = {2021-06-16} } Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader
2021-02-25FireEyeBryce Abdo, Brendan McKeague, Van Ta
@online{abdo:20210225:so:88f3400, author = {Bryce Abdo and Brendan McKeague and Van Ta}, title = {{So Unchill: Melting UNC2198 ICEDID to Ransomware Operations}}, date = {2021-02-25}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html}, language = {English}, urldate = {2021-03-02} } So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
MOUSEISLAND Cobalt Strike Egregor IcedID Maze SystemBC
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-17Security Service of UkraineSecurity Service of Ukraine
@online{ukraine:20210217:sbu:053f202, author = {Security Service of Ukraine}, title = {{SBU blocks activity of transnational hacking group}}, date = {2021-02-17}, organization = {Security Service of Ukraine}, url = {https://ssu.gov.ua/en/novyny/sbu-zablokuvala-diialnist-transnatsionalnoho-khakerskoho-uhrupovannia}, language = {English}, urldate = {2021-02-20} } SBU blocks activity of transnational hacking group
Egregor
2021-02-17Intel 471Intel 471
@online{471:20210217:egregor:6194a4b, author = {Intel 471}, title = {{Egregor operation takes huge hit after police raids}}, date = {2021-02-17}, organization = {Intel 471}, url = {https://intel471.com/blog/egregor-arrests-ukraine-sbu-maze-ransomware}, language = {English}, urldate = {2021-02-20} } Egregor operation takes huge hit after police raids
Egregor
2021-02-15EmsisoftEmsiSoft Malware Lab
@online{lab:20210215:ransomware:ca4ee32, author = {EmsiSoft Malware Lab}, title = {{Ransomware Profile: Egregor}}, date = {2021-02-15}, organization = {Emsisoft}, url = {https://blog.emsisoft.com/en/37810/ransomware-profile-egregor/}, language = {English}, urldate = {2021-02-20} } Ransomware Profile: Egregor
Egregor
2021-02-11MorphisecMorphisec
@techreport{morphisec:20210211:analysis:97c0b96, author = {Morphisec}, title = {{An Analysis of the Egregor Ransomware}}, date = {2021-02-11}, institution = {Morphisec}, url = {https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/EGREGOR%20REPORT%20WEB%20FINAL.pdf}, language = {English}, urldate = {2021-02-18} } An Analysis of the Egregor Ransomware
Egregor
2021-02-04ChainanalysisChainalysis Team
@online{team:20210204:blockchain:4e63b2f, author = {Chainalysis Team}, title = {{Blockchain Analysis Shows Connections Between Four of 2020’s Biggest Ransomware Strains}}, date = {2021-02-04}, organization = {Chainanalysis}, url = {https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer}, language = {English}, urldate = {2021-02-06} } Blockchain Analysis Shows Connections Between Four of 2020’s Biggest Ransomware Strains
DoppelPaymer Egregor Maze SunCrypt
2021-02-02CRONUPGermán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-01-18AreteAdam Brown, Harold Rodriguez
@techreport{brown:20210118:egregor:a2ab774, author = {Adam Brown and Harold Rodriguez}, title = {{Egregor: The Ghost of Soviet Bears Past Haunts On}}, date = {2021-01-18}, institution = {Arete}, url = {https://areteir.com/wp-content/uploads/2021/01/01182021_Egregor_Insight.pdf}, language = {English}, urldate = {2021-02-02} } Egregor: The Ghost of Soviet Bears Past Haunts On
Egregor
2021-01-06FBIFBI
@techreport{fbi:20210106:pin:66d55ca, author = {FBI}, title = {{PIN Number 20210106-001: Egregor Ransomware Targets Businesses Worldwide, Attempting to Extort Businesses by Publicly Releasing Exfiltrated Data}}, date = {2021-01-06}, institution = {FBI}, url = {https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf}, language = {English}, urldate = {2021-01-11} } PIN Number 20210106-001: Egregor Ransomware Targets Businesses Worldwide, Attempting to Extort Businesses by Publicly Releasing Exfiltrated Data
Egregor QakBot
2021-01-04Bleeping ComputerSergiu Gatlan
@online{gatlan:20210104:translink:628f0c4, author = {Sergiu Gatlan}, title = {{TransLink confirms ransomware data theft, still restoring systems}}, date = {2021-01-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/translink-confirms-ransomware-data-theft-still-restoring-systems/}, language = {English}, urldate = {2021-01-05} } TransLink confirms ransomware data theft, still restoring systems
Egregor
2020-12-16AccenturePaul Mansfield
@online{mansfield:20201216:tracking:25540bd, author = {Paul Mansfield}, title = {{Tracking and combatting an evolving danger: Ransomware extortion}}, date = {2020-12-16}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion}, language = {English}, urldate = {2020-12-17} } Tracking and combatting an evolving danger: Ransomware extortion
DarkSide Egregor Maze Nefilim RagnarLocker REvil Ryuk SunCrypt
2020-12-15HornetsecurityHornetsecurity Security Lab
@online{lab:20201215:qakbot:9397167, author = {Hornetsecurity Security Lab}, title = {{QakBot reducing its on disk artifacts}}, date = {2020-12-15}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/}, language = {English}, urldate = {2020-12-16} } QakBot reducing its on disk artifacts
Egregor PwndLocker QakBot
2020-12-15MalwarebytesPieter Arntz
@online{arntz:20201215:threat:8286d80, author = {Pieter Arntz}, title = {{Threat profile: Egregor ransomware is making a name for itself}}, date = {2020-12-15}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/ransomware/2020/12/threat-profile-egregor-ransomware-is-making-a-name-for-itself/}, language = {English}, urldate = {2021-01-11} } Threat profile: Egregor ransomware is making a name for itself
Egregor
2020-12-14Trend MicroTrend Micro Research
@online{research:20201214:egregor:12d845c, author = {Trend Micro Research}, title = {{Egregor Ransomware Launches String of High-Profile Attacks to End 2020}}, date = {2020-12-14}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/l/egregor-ransomware-launches-string-of-high-profile-attacks-to-en.html}, language = {English}, urldate = {2020-12-16} } Egregor Ransomware Launches String of High-Profile Attacks to End 2020
Egregor
2020-12-08Palo Alto Networks Unit 42Doel Santos, Brittany Barbehenn, Robert Falcone
@online{santos:20201208:threat:033a653, author = {Doel Santos and Brittany Barbehenn and Robert Falcone}, title = {{Threat Assessment: Egregor Ransomware}}, date = {2020-12-08}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/egregor-ransomware-courses-of-action/}, language = {English}, urldate = {2020-12-09} } Threat Assessment: Egregor Ransomware
Egregor
2020-12-08SophosSean Gallagher, Anand Aijan, Gabor Szappanos, Syed Shahram, Bill Kearney, Mark Loman, Peter Mackenzie, Sergio Bestulic
@online{gallagher:20201208:egregor:fe48cfd, author = {Sean Gallagher and Anand Aijan and Gabor Szappanos and Syed Shahram and Bill Kearney and Mark Loman and Peter Mackenzie and Sergio Bestulic}, title = {{Egregor ransomware: Maze’s heir apparent}}, date = {2020-12-08}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/}, language = {English}, urldate = {2020-12-08} } Egregor ransomware: Maze’s heir apparent
Egregor Maze
2020-12-07Minerva LabsTom Roter
@online{roter:20201207:egregor:2d3dced, author = {Tom Roter}, title = {{Egregor Ransomware - An In-Depth Analysis}}, date = {2020-12-07}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis}, language = {English}, urldate = {2020-12-09} } Egregor Ransomware - An In-Depth Analysis
Egregor Maze Sekhmet
2020-12-04Bleeping ComputerLawrence Abrams
@online{abrams:20201204:metro:3350ee7, author = {Lawrence Abrams}, title = {{Metro Vancouver's transit system hit by Egregor ransomware}}, date = {2020-12-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/metro-vancouvers-transit-system-hit-by-egregor-ransomware/}, language = {English}, urldate = {2020-12-08} } Metro Vancouver's transit system hit by Egregor ransomware
Egregor
2020-12-04Bleeping ComputerLawrence Abrams
@online{abrams:20201204:largest:43455f7, author = {Lawrence Abrams}, title = {{Largest global staffing agency Randstad hit by Egregor ransomware}}, date = {2020-12-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/largest-global-staffing-agency-randstad-hit-by-egregor-ransomware/}, language = {English}, urldate = {2020-12-08} } Largest global staffing agency Randstad hit by Egregor ransomware
Egregor
2020-12-03Bleeping ComputerLawrence Abrams
@online{abrams:20201203:kmart:0795c86, author = {Lawrence Abrams}, title = {{Kmart nationwide retailer suffers a ransomware attack}}, date = {2020-12-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/kmart-nationwide-retailer-suffers-a-ransomware-attack/}, language = {English}, urldate = {2020-12-08} } Kmart nationwide retailer suffers a ransomware attack
Egregor
2020-12-03Recorded FutureInsikt Group®
@techreport{group:20201203:egregor:a56f637, author = {Insikt Group®}, title = {{Egregor Ransomware, Used in a String of High-Profile Attacks, Shows Connections to QakBot}}, date = {2020-12-03}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-1203.pdf}, language = {English}, urldate = {2020-12-08} } Egregor Ransomware, Used in a String of High-Profile Attacks, Shows Connections to QakBot
Egregor QakBot
2020-12-02Red Canarytwitter (@redcanary)
@online{redcanary:20201202:increased:5db5dce, author = {twitter (@redcanary)}, title = {{Tweet on increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware}}, date = {2020-12-02}, organization = {Red Canary}, url = {https://twitter.com/redcanary/status/1334224861628039169}, language = {English}, urldate = {2020-12-08} } Tweet on increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware
Cobalt Strike Egregor QakBot
2020-12-01Group-IBGroup-IB, Oleg Skulkin, Semyon Rogachev, Roman Rezvukhin
@techreport{groupib:20201201:egregor:37e5698, author = {Group-IB and Oleg Skulkin and Semyon Rogachev and Roman Rezvukhin}, title = {{Egregor ransomware: The legacy of Maze lives on}}, date = {2020-12-01}, institution = {Group-IB}, url = {https://web.archive.org/web/20201207094648/https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Egregor_Ransomware.pdf}, language = {English}, urldate = {2021-01-21} } Egregor ransomware: The legacy of Maze lives on
Egregor QakBot
2020-11-26CybereasonLior Rochberger, Cybereason Nocturnus
@online{rochberger:20201126:cybereason:8301aeb, author = {Lior Rochberger and Cybereason Nocturnus}, title = {{Cybereason vs. Egregor Ransomware}}, date = {2020-11-26}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware}, language = {English}, urldate = {2020-12-08} } Cybereason vs. Egregor Ransomware
Cobalt Strike Egregor IcedID ISFB QakBot
2020-11-25SentinelOneJim Walter
@online{walter:20201125:egregor:5727f7a, author = {Jim Walter}, title = {{Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone}}, date = {2020-11-25}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/}, language = {English}, urldate = {2020-12-08} } Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone
Cobalt Strike Egregor
2020-11-20ZDNetCatalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} } The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-11-20Group-IBOleg Skulkin, Roman Rezvukhin, Semyon Rogachev
@online{skulkin:20201120:locking:cdb06cf, author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev}, title = {{The Locking Egregor}}, date = {2020-11-20}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/egregor}, language = {English}, urldate = {2020-11-23} } The Locking Egregor
Egregor QakBot
2020-11-18KELAVictoria Kivilevich
@online{kivilevich:20201118:zooming:f28a9c1, author = {Victoria Kivilevich}, title = {{Zooming into Darknet Threats Targeting Japanese Organizations}}, date = {2020-11-18}, organization = {KELA}, url = {https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/}, language = {English}, urldate = {2020-11-19} } Zooming into Darknet Threats Targeting Japanese Organizations
Conti DoppelPaymer Egregor LockBit Maze REvil Snake
2020-11-16Intel 471Intel 471
@online{471:20201116:ransomwareasaservice:11a5a8b, author = {Intel 471}, title = {{Ransomware-as-a-service: The pandemic within a pandemic}}, date = {2020-11-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/}, language = {English}, urldate = {2020-11-17} } Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX
2020-11-14Bleeping ComputerLawrence Abrams
@online{abrams:20201114:retail:f5192ae, author = {Lawrence Abrams}, title = {{Retail giant Cencosud hit by Egregor Ransomware attack, stores impacted}}, date = {2020-11-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/retail-giant-cencosud-hit-by-egregor-ransomware-attack-stores-impacted/}, language = {English}, urldate = {2020-11-19} } Retail giant Cencosud hit by Egregor Ransomware attack, stores impacted
Egregor
2020-11-12IntrinsecJean Bichet
@online{bichet:20201112:egregor:1ac0eb1, author = {Jean Bichet}, title = {{Egregor – Prolock: Fraternal Twins ?}}, date = {2020-11-12}, organization = {Intrinsec}, url = {https://www.intrinsec.com/egregor-prolock/}, language = {English}, urldate = {2020-11-23} } Egregor – Prolock: Fraternal Twins ?
Egregor PwndLocker QakBot
2020-11-11Kaspersky LabsDmitry Bestuzhev, Fedor Sinitsyn
@online{bestuzhev:20201111:targeted:e2e0c3a, author = {Dmitry Bestuzhev and Fedor Sinitsyn}, title = {{Targeted ransomware: it’s not just about encrypting your data! Part 1 - “Old and New Friends”}}, date = {2020-11-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/targeted-ransomware-encrypting-data/99255/}, language = {English}, urldate = {2020-11-11} } Targeted ransomware: it’s not just about encrypting your data! Part 1 - “Old and New Friends”
Egregor Maze RagnarLocker
2020-10-29Security BoulevardTomas Meskauskas
@online{meskauskas:20201029:egregor:786d487, author = {Tomas Meskauskas}, title = {{Egregor: Sekhmet’s Cousin}}, date = {2020-10-29}, organization = {Security Boulevard}, url = {https://securityboulevard.com/2020/10/egregor-sekhmets-cousin/}, language = {English}, urldate = {2020-10-29} } Egregor: Sekhmet’s Cousin
Egregor
2020-10-29Bleeping ComputerLawrence Abrams
@online{abrams:20201029:maze:f90b399, author = {Lawrence Abrams}, title = {{Maze ransomware is shutting down its cybercrime operation}}, date = {2020-10-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/}, language = {English}, urldate = {2020-11-02} } Maze ransomware is shutting down its cybercrime operation
Egregor Maze
2020-10-20Bleeping ComputerLawrence Abrams
@online{abrams:20201020:barnes:f210b39, author = {Lawrence Abrams}, title = {{Barnes & Noble hit by Egregor ransomware, strange data leaked}}, date = {2020-10-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/barnes-and-noble-hit-by-egregor-ransomware-strange-data-leaked/}, language = {English}, urldate = {2020-10-23} } Barnes & Noble hit by Egregor ransomware, strange data leaked
Egregor
2020-10-15ZDNetCatalin Cimpanu
@online{cimpanu:20201015:ubisoft:51fe666, author = {Catalin Cimpanu}, title = {{Ubisoft, Crytek data posted on ransomware gang's site}}, date = {2020-10-15}, organization = {ZDNet}, url = {https://www.zdnet.com/article/ubisoft-crytek-data-posted-on-ransomware-gangs-site/}, language = {English}, urldate = {2020-10-21} } Ubisoft, Crytek data posted on ransomware gang's site
Egregor
2020-10-02AppGateAppGate Labs
@online{labs:20201002:appgate:f0b069c, author = {AppGate Labs}, title = {{Appgate Labs Analyzes New Family Of Ransomware - Egregor}}, date = {2020-10-02}, organization = {AppGate}, url = {https://www.appgate.com/news-press/appgate-labs-analyzes-new-family-of-ransomware-egregor}, language = {English}, urldate = {2020-10-05} } Appgate Labs Analyzes New Family Of Ransomware - Egregor
Egregor
2020-09-18ID RansomwareAndrew Ivanov
@online{ivanov:20200918:egregor:c790f36, author = {Andrew Ivanov}, title = {{Egregor Ransomware}}, date = {2020-09-18}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/09/egregor-ransomware.html}, language = {Russian}, urldate = {2020-11-04} } Egregor Ransomware
Egregor

There is no Yara-Signature yet.