Egregor Ransomware

Egregor ransomware encrypts business users’ data with AES+RSA and then requires contact within 3 days for a Bitcoins ransom to get the files back.

Egregor ransomware is a form of malware that’s a modification of both Sekhmet ransomware and Maze ransomware. There are code similarities across all three ransomware variants. They also all seem to target the same victim demographic. Distributers Egregor threatens to publish the stolen data to increase pressure on the victim. To do this, ransomware operators begin to steal data even before encrypting files.

How Does Egregor Ransomware Work?

Egregor ransomware is injected into a victim via a loader. This loader and the subsequently installed ransomware undergoes extensive code obfuscation to mitigate static analysis and the possibility of decryption.After a successful breach, the Egregor ransomware manipulates the victim’s firewall settings to enable Remote Desktop Protocol (RDP).

This malware moves throughout the victim’s network, clandestinely identifying and disabling all antivirus software.