Ransomware Profile: Egregor

Egregor is an aggressive strain of ransomware that targets large organizations. It has been extremely active since its discovery in September 2020, claiming hundreds of victims across multiple industries.

Egregor Submission Data - ID Ransomware

Egregor submissions courtesy of ID Ransomware.

The above chart shows the number of Egregor samples submitted to ID Ransomware, an online tool that allows users to identify which ransomware strain has encrypted their files and provides a free decryptor should one be available.

The submission data shows that Egregor claimed a large number of victims in a very short space of time and possibly amassed victims quicker than any other group. This surge of attacks was likely the result of former Maze affiliates bringing lists of already-compromised networks to the Egregor affiliate program.

Within a month, however, a significant drop in the rate of the attacks occurred. This decrease was likely due to the affiliates who crossed over from Maze quickly exhausting their lists of already-comprised networks and effectively running out of easy prospective targets.

What is Egregor?

Egregor is a sophisticated strain of ransomware that encrypts files using ChaCha and RSA encryption and uses advanced obfuscation techniques to thwart analysis efforts. “Egregor” is derived from the ancient Greek term for “wakeful,” an occult concept referring to the collective energy of a group of people working toward a common goal – an appropriate name for a ransomware group.

Like many other modern ransomware groups, Egregor’s operators exfiltrate data from victims and store it on their servers before the data is encrypted on the target’s machine. Egregor demands a swift response, giving victims just 72 hours to make contact with attackers.

In the event of non-payment, the stolen data is published on the attacker’s website, Egregor News, which can be accessed on both the clear web and dark web. One of the last known banner messages on the Egregor News website was the Christmas greeting: “Egregor Team wishes all clients happy holidays. Christmas gifts are waiting for you. Details in your personal chat!”

Egregor operates under the ransomware-as-a-service model, whereby affiliates receive a portion of ransom payments in exchange for dropping the malware onto victims’ networks. Egregor affiliates earn 70 percent of the ransom payments they generate, with the remaining 30 percent going to the Egregor group. It is believed that the Egregor affiliate program attracted many ex-Maze affiliates following the sudden retirement of the Maze ransomware gang in November 2020.

The Egregor-Sekhmet-Maze connection

Egregor, Sekhmet and Maze share almost exactly the same base code. Sekhmet, a now inactive strain of ransomware that was first detected in March 2020, is identical to Maze apart from one small tweak to the way it uses file markers. Egregor, in turn, is identical to Sekhmet, except for having a different file marker value and ransom note text.

While it’s not clear if the creators of Sekhmet and/or Maze are responsible for Egregor, the three variants clearly share significant similarities. The Sekhmet leak platform – which exposed just six victims in total – went offline at around the same as the launch of the Egregor News site.

The History of Egregor

Egregor was first observed in September 2020. It was an extremely active threat from the outset, claiming more than 130 victims in the first 10 weeks, including high-value targets in the industrial goods, retail and transportation sectors.

Suspected Egregor operators arrested 

In February 2021, alleged Egregor operators were arrested in Ukraine following a joint investigation by French and Ukrainian police, which was coordinated by Europol. Investigators were able to track down the unnamed suspects by following the flow of bitcoins being handled by the alleged operatorsAccording to France Inter, the arrested suspects provided hacking, logistical and financial support for the Egregor group. On February 17, 2021, the Ukrainian Security Service confirmed an undisclosed number of arrests in connection with the Egregor operation.

The group’s extortion site went offline around the time of the arrests, making it impossible for victims to pay a ransom or contact the ransomware group. It’s worth noting that the Egregor extortion site had been going offline intermittently for some time prior to the arrests, so it’s possible that the disruption is unrelated.

Egregor ransom note

After encrypting the target system, Egregor drops a ransom note titled “RECOVER-FILES.txt” in all infected directories. The ransom note is fairly vague and contains no specific payment instructions. Instead, it instructs victims to install the TOR browser, navigate to the operators’ website and open a live chat with the threat actors, who will then provide further instructions. The note states that stolen data will be published if no contact is made within three days.

The note claims that after receiving payment attackers will provide full decryption of all affected machines, a file listing of downloaded data, confirmation of the deletion of exfiltrated data and complete confidentiality. Audaciously, the note also states that operators will provide paying victims with recommendations for securing their networks to prevent future breaches.

Egregor is the only ransomware family known to print ransom notes via available printers on compromised networks.

Who does Egregor target?

Egregor targets large organizations. While the industrial goods and services sector was initially most heavily hit, enterprises across a wide range of verticals have since been impacted by Egregor.

Egregor primarily targets U.S.-based organizations, although a number of companies in South America, Africa, Asia, Europe and Oceania have also been infected.

Before encrypting data on a compromised machine, Egregor checks the Default Language ID of the system and user account. The ransomware does not execute if any of the following languages are detected: Uzbek, Romanian, Azerbaijani, Turkmen, Georgian, Kyrgyz, Ukrainian, Kazakh, Tatar, Russian, Tajik, Armenian, Belarusian, Romanian.

How does Egregor spread?

The information currently available suggests that the infection chain typically starts with a phishing email, which contains a malicious macro embedded in an attached document.

Upon execution, the macro downloads commodity malware such as Qakbot, IcedID and/or Ursnif, which are used to gain an initial toehold in the target environment. The operators of QakBot, a banking Trojan that is commonly used to drop malware onto infected networks, recently switched from dropping ProLock, another prominent ransomware strain, to dropping Egregor.

Later in the attack chain, operators use Cobalt Strike to gather information, escalate privileges, move laterally across the network and prepare the system for encryption. To exfiltrate data, operators typically use Rclone, an open-source command line program used to manage cloud storage. There have also been instances of operators using Cobalt Strike to create an RDP connection with other endpoints on the network and copying Egregor to them.

It is important to note that because Egregor is a ransomware-as-a-service operated by multiple affiliates, infection methods can vary. We have heard rumors of Egregor utilizing flaws in Microsoft Exchange, VBScript Engine and Adobe Flash Player, but these reports are still unsubstantiated.

Major Egregor attacks


In October 2020, Egregor captured the attention of the cybersecurity industry with a high-profile attack on video game developer Ubisoft. Threat actors initially released a few hundred megabytes of data relating to in-game assets, before later releasing 560GB of source code from Ubisoft’s latest action-adventure game Watch Dogs: Legion.

Barnes & Noble

In October 2020, Barnes & Noble was hit with Egregor. The incident forced the U.S. bookstore giant to shut down their network to stop the attack from spreading, resulting in Nook users being unable to access their eBook libraries. Threat actors claimed to have stolen financial and audit data during the attack, while email addresses, billing addresses, shipping addresses and purchase history were also exposed on the compromised systems.


In December 2020, Metro Vancouver transport agency TransLink faced significant disruption after falling victim to Egregor. The attack impacted phones, online services and payment systems, leaving commuters unable to pay for fares with credit cards or debit cards. During the incident, ransom notes were printed from TransLink printers as well as dropped digitally in infected directories.


In December 2020, Randstad, one of the largest recruitment agencies in the world, announced that their network had been breached by Egregor. Operators published a 32.7 MB archive of exfiltrated data, which they claimed was just 1 percent of the total data stolen during the attack. The leaked data contained a range of business documents, including financial reports, legal documents and accounting spreadsheets.

How to protect the network from Egregor and other ransomware

The following practices may help organizations reduce the risk of an Egregor incident.

How to remove Egregor and other ransomware

Egregor uses sophisticated encryption methods that currently make it impossible to decrypt data without paying for an attacker-supplied decryption tool.

Victims of Egregor should be prepared to restore their systems from backups, using processes that should be defined in the organization’s incident response plan. The following actions are recommended:

Emsisoft Malware Lab

Emsisoft Malware Lab

The Lab team is a group of cybersecurity researchers whose mission is to enhance protection in Emsisoft products, help organizations respond to security incidents and create analysis that helps decision-makers understand the threat landscape.

What to read next