Egregor Ransomware

Egregor ransomware encrypts business users’ data with AES+RSA and then requires contact within 3 days for a Bitcoins ransom to get the files back.

Egregor ransomware is a form of malware that’s a modification of both Sekhmet ransomware and Maze ransomware. There are code similarities across all three ransomware variants. They also all seem to target the same victim demographic. Distributors Egregor threatened to publish the stolen data to increase pressure on the victim. To do this, ransomware operators begin to steal data even before encrypting files.

How Does Egregor Ransomware Work?

Egregor ransomware is injected into a victim via a loader. This loader and the subsequently installed ransomware undergo extensive code obfuscation to mitigate static analysis and the possibility of decryption. After a successful breach, the Egregor ransomware manipulates the victim’s firewall settings to enable Remote Desktop Protocol (RDP).

This malware moves throughout the victim’s network, clandestinely identifying and disabling all antivirus software.

Egregor Ransomware

Egregor ransomware encrypts business users’ data with AES+RSA and then requires contact within 3 days for a Bitcoins ransom to get the files back.

How Does Egregor Ransomware Work?

Operators of the Egregor ransomware “leaked” data stolen from Ubisoft and Crytek into the network

Maze, Egregor ransomware decryption keys released by the developer

Maze and Egregor ransomware operators earned more than $75 million in bitcoins

Ransom:Win32/Egregor.XX!MTB

Ransom:Win32/Egregor.BM!MSR

Egregor ransomware attack disrupted public transport in Vancouver

Ransom:Win32/Egregor.A!MTB

Ransom:Win32/Egregor!MSR

Egregor ransomware attacked largest Chilian retailer Cencosud