Suspected Egregor Ransomware Affiliates Busted in Ukraine

Bitcoin Tracking Identified Members of Egregor Operation, French Media Reports
Egregor's data-leaking site remains offline. (Source: Malwarebytes)

Individuals suspected of being affiliates of the Egregor ransomware-as-a-service operation have reportedly been arrested in Ukraine.

The arrests were announced on Friday by radio station France Inter, which said French police had launched an investigation last fall, spurred by attacks against domestic organizations, and had begun working with police in Ukraine to investigate.

France Inter reports that the arrests of the individuals - who provided "hacking, and logistical and financial support" for Egregor - are the result of an investigation being run by the anti-cybercrime division of the Central Directorate of the Judicial Police, part of France's national police force, working with police in Ukraine and with the EU's law enforcement agency Europol coordinating.

To identify the unnamed suspects, who have allegedly been tied to hundreds of attacks, investigators were able to "follow the money" by tracking the flow of bitcoins being handled by the suspects, France Inter reports.

A Europol spokeswoman said the agency is unable to comment on the ongoing investigation. The French and Ukrainian police forces didn't immediately respond to a request for comment.

Cybersecurity firm Recorded Future tells ZDNet that since at least Friday, Egregor's infrastructure appears to have gone dark.

Prevalent Ransomware Operation

Egregor first appeared in September 2020 and rapidly amassed numerous victims. Last month, the FBI warned that Egregor and its affiliates claimed to have compromised approximately 150 corporate networks in the U.S. and other countries. Some of the gang's ransom demands reached as high as $4 million, according to cybersecurity firm Group-IB.

Ransomware strains connected to attacks (Source: Digital Shadows)

Like many other ransomware gangs, Egregor demands victims pay it a ransom in bitcoins in exchange for a decryption tool, and it has a data-leak site where it can name and shame victims and post extracts of data that it may have stolen before leaving systems crypto-locked by malware. The gang may also demand a ransom in exchange for removing a victim's name from the site and for a promise that stolen data will be deleted.

Egregor has been tied to numerous high-profile attacks, including at least 25 inside France. Victims have included French video game giant Ubisoft, daily newspaper Ouest-France and vehicle logistics firm Gefco.

Count of known ransomware victims and their attackers, from November 2019 through December 2020 (Source: Flashpoint)

Other victims have included German video game maker Crytek, U.S. book-selling chain Barnes & Noble, photography giant Canon USA, Dutch human resources and staffing firm Randstad, and Vancouver TransLink, the eponymous Canadian city's public transportation agency.

Ransomware incident response firm Coveware reports that the majority of Egregor infections seen in the final quarter of 2020 began with a phishing attack. Beginning last November, some Egregor infections were also traced to Qbot, aka Qakbot, which began life as a banking Trojan. But as with Emotet and other banking Trojans, Qbot has been repurposed to also serve as a platform for installing other types of malware.

"Many ransomware campaigns, especially those connected with the botnets, such as Trickbot and Qakbot, are operated by multiple people. Most often they do not even know each other and are responsible for different tasks - from maintaining the infrastructure to deploying ransomware," says Oleg Skulkin, a senior digital forensics and incident response analyst at Group-IB. "We’ve found and described the connection between Egregor and Qakbot in November last year - the Trojan was used to gain initial access to the attacked networks. Recently, it was seen being distributed by the notorious Emotet, which was disrupted in a global operation involving the Ukrainian law enforcement agencies as well, which may be connected with the latest Egregor affiliates arrest."

Suspected Ties to Maze

Egregor may be an offshoot of the notorious Maze gang, which in November 2019 pioneered the practice of leaking stolen data to force victims to pay. Maze also distinguished itself by actively recruiting experts as it expanded, to help the gang take down larger, more lucrative targets, according to ransomware incident response firm Coveware.

But Maze was unusual in that it also ran a ransomware-as-a-service operation, in which it supplied custom versions of its crypto-locking malware to affiliates. Every time the affiliate infected a victim and the victim paid a ransom, the affiliate shared the profits with Maze's operators. Threat intelligence firm Intel 471 says Maze found using affiliates to be a much easier and more reliable way to maximize profits than attempting to run attacks using only in-house personnel.

Experts have described similarities between the Maze and Egregor gangs, including in their technology, infrastructure and style of ransom notes. One way in which Egregor differs, however, is that the gang's malware can use network-connected printers to spit out ransom notes.

Egregor ransom note (Source: Digital Shadows)

Still, it remains unclear if Egregor might have been started up by former Maze operators or handed off to an entirely new crew. But it does appear that Egregor inherited a large number of Maze affiliates, which experts say was instrumental in helping the new ransomware operation hit the ground running, quickly infecting numerous victims after its debut last September.

Maze Members Allegedly Identified

Maze's members may have exited the scene because of increasing heat. Last November, for example, an apparent rival claimed to have identified eight of the organization's key members.

The self-proclaimed member of the Sodinokibi, aka REvil, ransomware-as-a-service operation alleged that two of those individuals were Maxim Yakubets and Konstantin Kozlovsky, and that Yakubets was working for the Russian government. Yakubets, aka "aqua," is a Ukraine-born Russian national who has been on the FBI's most-wanted list for some time.

A post to RaidForums - dated Nov. 13, 2020 - offers to share the identities of a ransomware-as-a-service operation's leadership - for a price.

Whoever was hawking the information about the supposed Maze members allegedly forwarded the details to law enforcement agencies, ZDNet reported.

Arrests May Deter Criminals

Security experts have celebrated the report that suspected individuals with ties to the Egregor operation have been busted.

Group-IB's Skulkin says one short-term impact may be Egregor affiliates deciding to search for new partners. "The arrests may push other affiliates, who remain at large, to switch to several other RaaS programs," he says. "Egregor developers, however, can reemerge under a different name for a new round of high-value cyber heists, by finding new people to keep their business running."

But the arrests may also have deterrence value. "This success may well have a broader impact as enforcement action undoubtedly serves as a deterrent," says Brett Callow, a threat analyst at security firm Emsisoft.

"For example, after NetWalker’s operation was disrupted, another group" - the Ziggy ransomware gang - "decided to cease operations, citing that as the reason and handed us their keys, enabling us to create a decryptor to help past victims."

Two gangs have recently exited the scene after first appearing only late last year. The first was Fonix, which earlier this month announced that it was ceasing operation after having targeted thousands of systems. A self-reported admin for the group said via Twitter that "we have come to the conclusion … we should use our abilities in positive ways and help others."

Shortly thereafter, the operator behind Ziggy ransomware announced that they were pulling the plug and releasing all the keys required to decrypt all 922 infections to date, Bleeping Computer reported.

The operator told the publication that they knew the Fonix gang and were based in the same "third-world country," and that the recent Emotet and Netwalker busts, as well as feelings of guilt, had driven them to shut down Ziggy.

Free decryptors for Fonix as well as Ziggy ransomware are now available via the public/private No More Ransom project.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.