Egregor: Dynamic Ransomware to keep an eye on

December 2, 2020
Tags: Egregor, Malware, Ransomware, antimalware

Reportedly active since mid-September 2020 and part of the Sekhmet malware family, Egregor is considered one of the most active ransomware groups this year.

This ransomware targets organizations worldwide: it steals highly sensitive data, encrypts it, and offers decryption of the acquired data in exchange for a ransom. Ransomware attacks by cybercriminals have been around for some time now, and in 2020 we saw the number of ransomware attacks skyrocket during the pandemic. Despite these trying times, cybercriminals have been fond of targeting pharmaceutical companies that are at the core of producing a vaccine for the COVID-19 virus.

Egregor has named 71 victims across 19 different industries. Given its sophistication and its ability to infect a wide range of victims, it can be concluded that the cybercriminals behind this ransomware have been developing the malware variant for an extended period.

An in-depth study of this ransomware confirms just how money-grubbing these threat actors are. Egregor completes the breach of the targeted organization, then releases the data in a traceable manner so that it serves the victim as evidence of the attack, while asking for a lump-sum ransom in exchange for no longer releasing the acquired data. Failing to pay the ransom results in the acquired data being published.

No third-party software is yet available that can decrypt the encrypted files; only the threat actors behind this attack are able to decrypt them. Below is a sample screenshot of the ransom note left by the threat actors, providing instructions on how to retrieve the victim's data:

[Image: Egregor ransom note (Egregor Dynamic Ransomware image 1)]

Note that the threat actors can be contacted via the Live Chat option at the link provided in their note.

As this is a new breed of ransomware, researchers have only limited information about its common tactics, techniques, and procedures (TTPs). According to them, this ransomware is heavily obfuscated to prevent security researchers from analyzing it. A private security firm, however, claims that phishing emails can be one of the primary approaches used in this attack.

The increase in their victims shows how motivated the threat actors behind this attack are. The count has reportedly increased by about 240% from September 25th (15 attacks) to October 31st (51 attacks), and a further 43% by November 17th brings the total to 71 attacks.

[Image: Egregor Dynamic Ransomware image 2]

Threat actors behind Egregor are still in the wild and are still actively targeting different sectors such as retail, online games, etc.

It will not be surprising if they target other sectors in the coming months.

Organizations must consider strengthening their cybersecurity posture by adding an extra layer of protection to their networks, such as backing up data periodically, applying the latest security patches and updates, and using strong encryption for their data.
