Sunday, November 17, 2024
HomeCyber Security NewsOperators Behind Egregor Ransomware Arrested by Ukrainian, French Police

Operators Behind Egregor Ransomware Arrested by Ukrainian, French Police

Published on

French and Ukrainian law enforcement agencies have joined forces to arrest several members of the Egregor ransomware operation in Ukraine. The arrest was carried out early this week.

The regional daily Ouest France, the video game giant Ubisoft and the transporter Gefco were the victims of the arrested group.

Who Arrested?

Ransom payments to individuals located in Ukraine were traced by French authorities on Tuesday, reports French Inter.

- Advertisement - SIEM as a Service

The police officials of the two countries have been communicating with each other since then in an attempt to dismantle this group of cybercriminals.

The Egregor group is suspected of being at the origin of several hundred attacks through ransomware since September 2020. Ransomware is malicious software that infects your computer and blocks your data and demands a ransom for freeing up this data.

It has been reported that police officers from the Central Office for the Fight against Cybercrime of the Judicial Police participated in the arrest of several hackers, suspected of having been in contact with Egregor.

The arrested individuals are thought to be Egregor affiliates whose job was to hack into corporate networks and deploy the ransomware. A few of these individuals are also believed to have provided logistical and financial support. However, the number of people arrested is yet to be disclosed.

What did Egregor do?

Some of the well-known companies that have been attacked by Egregor include Ubisoft, Gefco, Barnes and Noble, Kmart, Cencosud, Randstad, Vancouver’s TransLink metro system, and Crytek. 

Egregor predominantly operates as a Ransomware-as-a-Service (RaaS) where affiliates partner with the ransomware developers to conduct attacks and split the ransom payments.

The hackers had used a classic but dreadfully effective method, starting with “ransomware”, malicious software that infiltrates mailboxes. 

The computer virus then not only paralyzes the company’s computer systems and connected production tools but also suck up strategic company data and then distribute it, in the event of non-payment of the ransom claimed.

Generally the ransomware developers are responsible for developing the malware and running the payment site and the affiliates have the responsibility of hacking into the victims’ networks and deploying the ransomware. The ransom is generally split in a 30:70 ratio between the developer and the affiliates.

Egregor launched in the middle of September, just as one of the largest groups known as Maze began shutting down its operation.

In November, the ransomware gang partnered with the Qbot malware to gain access to victims’ networks, increasing the volume of attacks even further.

Due to Egregor’s rapid growth victims faced the unique situation of having to wait in a queue to negotiate a ransomware payment.

 As can be seen from the graph below, Egregor’s activities dwindled after mid-December. Several people believe this may be due to run-ins with the law. It is also possible that this may just be due to the natural ebb and flow associated with the industry.

ID-Ransomware submission stats showing a huge decline

Ransomware attacks explode since the start of the COVID crisis

Several groups of hackers share this juicy market. But we now know the process that caused a paralysis of the establishment’s vital computer systems: the Dax attack, for example, enabled the teams from ANSSI (the National Information Systems Security Agency) to better understand the weaknesses of a large hospital, and especially to see how we can restart “old-fashioned” tools connected to old operating systems, which usually have not been updated for several years.

These are the same ANSSI teams who have been on the move since the start of the week to try to counter this attack, in conjunction with the IT department of Dax hospital and a private provider. 

Here again, a judicial investigation was opened by the cyber prosecution with national jurisdiction in Paris.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Also Read

Infamous Maze Ransomware Operators Shuts Down Operations

Hackers Abuse Windows Feature To Launch WastedLocker Ransomware to Evade Detection

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious...

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce...

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to...

Black Basta Ransomware Leveraging Social Engineering For Malware Deployment

Black Basta, a prominent ransomware group, has rapidly gained notoriety since its emergence in...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious...

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce...

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to...