Operators Behind Egregor Ransomware Arrested by Ukrainian, French Police

French and Ukrainian law enforcement agencies have joined forces to arrest several members of the Egregor ransomware operation in Ukraine. The arrest was carried out early this week.

The regional daily Ouest France, the video game giant Ubisoft and the transporter Gefco were the victims of the arrested group.

Who Arrested?

Ransom payments to individuals located in Ukraine were traced by French authorities on Tuesday, reports French Inter.

The police officials of the two countries have been communicating with each other since then in an attempt to dismantle this group of cybercriminals.

The Egregor group is suspected of being at the origin of several hundred attacks through ransomware since September 2020. Ransomware is malicious software that infects your computer and blocks your data and demands a ransom for freeing up this data.

It has been reported that police officers from the Central Office for the Fight against Cybercrime of the Judicial Police participated in the arrest of several hackers, suspected of having been in contact with Egregor.

The arrested individuals are thought to be Egregor affiliates whose job was to hack into corporate networks and deploy the ransomware. A few of these individuals are also believed to have provided logistical and financial support. However, the number of people arrested is yet to be disclosed.

What did Egregor do?

Some of the well-known companies that have been attacked by Egregor include Ubisoft, Gefco, Barnes and Noble, Kmart, Cencosud, Randstad, Vancouver’s TransLink metro system, and Crytek. 

Egregor predominantly operates as a Ransomware-as-a-Service (RaaS) where affiliates partner with the ransomware developers to conduct attacks and split the ransom payments.

The hackers had used a classic but dreadfully effective method, starting with “ransomware”, malicious software that infiltrates mailboxes. 

The computer virus then not only paralyzes the company’s computer systems and connected production tools but also suck up strategic company data and then distribute it, in the event of non-payment of the ransom claimed.

Generally the ransomware developers are responsible for developing the malware and running the payment site and the affiliates have the responsibility of hacking into the victims’ networks and deploying the ransomware. The ransom is generally split in a 30:70 ratio between the developer and the affiliates.

Egregor launched in the middle of September, just as one of the largest groups known as Maze began shutting down its operation.

In November, the ransomware gang partnered with the Qbot malware to gain access to victims’ networks, increasing the volume of attacks even further.

Due to Egregor’s rapid growth victims faced the unique situation of having to wait in a queue to negotiate a ransomware payment.

 As can be seen from the graph below, Egregor’s activities dwindled after mid-December. Several people believe this may be due to run-ins with the law. It is also possible that this may just be due to the natural ebb and flow associated with the industry.

Ransomware attacks explode since the start of the COVID crisis

Several groups of hackers share this juicy market. But we now know the process that caused a paralysis of the establishment’s vital computer systems: the Dax attack, for example, enabled the teams from ANSSI (the National Information Systems Security Agency) to better understand the weaknesses of a large hospital, and especially to see how we can restart “old-fashioned” tools connected to old operating systems, which usually have not been updated for several years.

These are the same ANSSI teams who have been on the move since the start of the week to try to counter this attack, in conjunction with the IT department of Dax hospital and a private provider. 

Here again, a judicial investigation was opened by the cyber prosecution with national jurisdiction in Paris.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Also Read

Infamous Maze Ransomware Operators Shuts Down Operations

Hackers Abuse Windows Feature To Launch WastedLocker Ransomware to Evade Detection