Saturday, December 14, 2024
HomeCyber Security NewsOperators Behind Egregor Ransomware Arrested by Ukrainian, French Police

Operators Behind Egregor Ransomware Arrested by Ukrainian, French Police

Published on

SIEM as a Service

French and Ukrainian law enforcement agencies have joined forces to arrest several members of the Egregor ransomware operation in Ukraine. The arrest was carried out early this week.

The regional daily Ouest France, the video game giant Ubisoft and the transporter Gefco were the victims of the arrested group.

Who Arrested?

Ransom payments to individuals located in Ukraine were traced by French authorities on Tuesday, reports French Inter.

- Advertisement - SIEM as a Service

The police officials of the two countries have been communicating with each other since then in an attempt to dismantle this group of cybercriminals.

The Egregor group is suspected of being at the origin of several hundred attacks through ransomware since September 2020. Ransomware is malicious software that infects your computer and blocks your data and demands a ransom for freeing up this data.

It has been reported that police officers from the Central Office for the Fight against Cybercrime of the Judicial Police participated in the arrest of several hackers, suspected of having been in contact with Egregor.

The arrested individuals are thought to be Egregor affiliates whose job was to hack into corporate networks and deploy the ransomware. A few of these individuals are also believed to have provided logistical and financial support. However, the number of people arrested is yet to be disclosed.

What did Egregor do?

Some of the well-known companies that have been attacked by Egregor include Ubisoft, Gefco, Barnes and Noble, Kmart, Cencosud, Randstad, Vancouver’s TransLink metro system, and Crytek. 

Egregor predominantly operates as a Ransomware-as-a-Service (RaaS) where affiliates partner with the ransomware developers to conduct attacks and split the ransom payments.

The hackers had used a classic but dreadfully effective method, starting with “ransomware”, malicious software that infiltrates mailboxes. 

The computer virus then not only paralyzes the company’s computer systems and connected production tools but also suck up strategic company data and then distribute it, in the event of non-payment of the ransom claimed.

Generally the ransomware developers are responsible for developing the malware and running the payment site and the affiliates have the responsibility of hacking into the victims’ networks and deploying the ransomware. The ransom is generally split in a 30:70 ratio between the developer and the affiliates.

Egregor launched in the middle of September, just as one of the largest groups known as Maze began shutting down its operation.

In November, the ransomware gang partnered with the Qbot malware to gain access to victims’ networks, increasing the volume of attacks even further.

Due to Egregor’s rapid growth victims faced the unique situation of having to wait in a queue to negotiate a ransomware payment.

 As can be seen from the graph below, Egregor’s activities dwindled after mid-December. Several people believe this may be due to run-ins with the law. It is also possible that this may just be due to the natural ebb and flow associated with the industry.

ID-Ransomware submission stats showing a huge decline

Ransomware attacks explode since the start of the COVID crisis

Several groups of hackers share this juicy market. But we now know the process that caused a paralysis of the establishment’s vital computer systems: the Dax attack, for example, enabled the teams from ANSSI (the National Information Systems Security Agency) to better understand the weaknesses of a large hospital, and especially to see how we can restart “old-fashioned” tools connected to old operating systems, which usually have not been updated for several years.

These are the same ANSSI teams who have been on the move since the start of the week to try to counter this attack, in conjunction with the IT department of Dax hospital and a private provider. 

Here again, a judicial investigation was opened by the cyber prosecution with national jurisdiction in Paris.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Also Read

Infamous Maze Ransomware Operators Shuts Down Operations

Hackers Abuse Windows Feature To Launch WastedLocker Ransomware to Evade Detection

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

“Password Era is Ending,” Microsoft to Delete 1 Billion Passwords

Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every...

Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks...

Reyee OS IoT Devices Compromised: Over-The-Air Attack Bypasses Wi-Fi Logins

Researchers discovered multiple vulnerabilities in Ruijie Networks' cloud-connected devices. By exploiting these vulnerabilities, attackers...

New Android Banking Malware Attacking Indian Banks To Steal Login Credentials

Researchers have discovered a new Android banking trojan targeting Indian users, and this malware...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

“Password Era is Ending,” Microsoft to Delete 1 Billion Passwords

Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every...

Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks...

Reyee OS IoT Devices Compromised: Over-The-Air Attack Bypasses Wi-Fi Logins

Researchers discovered multiple vulnerabilities in Ruijie Networks' cloud-connected devices. By exploiting these vulnerabilities, attackers...