In a collaboration between French and Ukranian law enforcement, arrests have been made that might put a dent in one of the world's most sophisticated ransomware operations.
As reported first by France Inter, law enforcement made the arrests after French authorities traced ransom payments to individuals located in Ukraine. While the arrests have not been formally tied to Egregor the statements and circumstances surrounding it have led to a lot of speculation. Let’s start with the basic background information.
What is Egregor ransomware?
Egregor is a ransomware-as-a-service (RaaS) operation with multiple affiliates. A great number of Egregor affiliates were formerly tied to the Maze ransomware. Many believe Egregor is a follow up to Maze, because of:
- The similarity of their business models—both used the data exfiltration and extortion method that was introduced at a large scale by Maze.
- The transfer of affiliates from Maze to Egregor before the Maze group announced its retirement.
- The timing of the Maze retirement and the explosive growth of Egregor led security experts to believe that at least some of Maze’s team members created Egregor in cooperation with Egregor’s predecessor Sekhmet. Egregor is considered a variant of Ransom.Sekhmet based on similarities in encryption, obfuscation, API-calls, and its ransom note.
Tracing ransom payments
Some people still believe that Bitcoin payments are completely anonymous and untraceable. This is not true.
The Bitcoin blockchain is an open and transparent ledger. Every payment is publicly visible to anyone and it’s easy to see how coins move from one address to another. Users are pseudonymous, meaning that their activity is visible, but their identity isn't. Unmasking the flow of money is a matter of tying a real identity to one or more of the Bitcoin addresses in the chain. Successful cybercriminals know this and use mixers or tumblers to hide their tracks.
Usually, the most precarious moment for criminals is when their illegally obtained virtual currency is exchanged for a fiat currency, often referred to as a cash-out point.
Were the arrested people key players?
In the original report the arrested people were mentioned as individuals that provided logistical and financial support. In another report they were said to be people whose job was to hack into corporate networks and deploy the ransomware. But that last bit is usually what the affiliate does, which would suggest they weren't members of the Egregor crew.
However, some parts of the Egregor infrastructure have been offline for a few days, which may indicate the people arrested played a more important role in the organization. The offline parts are mainly their extortion site, where they published exfiltrated data, and the command and control (C2) infrastructure. For now, it remains unclear what the lasting damage might be.
Arrests follow Egregor attacks in France
France Inter said French authorities got involved in the investigation after several major French companies were hit by Egregor last year, such as game studio Ubisoft and logistics firm Gefco. As a result, an investigation was started last year, and French police, together with European counterparts, were able to track down Egregor members and infrastructure to Ukraine.
This does not mean however that Egregor focused on French victims. The group is active worldwide and has achieved estimated earnings between $40 million and $50 million according to a Chainalysis report. This is since their arrival on the scene in September of last year and makes them one of the five most active and best earning ransomware groups.
The arrests come hot on the heels of the recent, dramatic takedown of Emotet and the surprise retirement of the Fonix ransomware group.
Let's hope that Egregor is on the way to joining them.
Stay safe, everyone!