December 23, 2020
The ‘Egregor’ team has published a press release meant to intimidate victims and practically convince them to pay the demanded ransom. Spotted on the dark web by researchers of the KELA threat intelligence firm, the press release includes several key points specifically addressed to those who have not “secured a contract” with the actors.
The ransomware actors promise to keep the stolen data of their victims private until the latter decide what to do, given a period of three days to do so. If they fail to contact the hackers by then, between 1% and 3% of the stolen information will be leaked online, not including the file structure, however.
Once the victim agrees to create a contract with the Egregor actors to pay them the ransom, all the information will be deleted, leaving no possibility for recovery. The victim will also receive a deletion report, which will somehow help prove that the stolen data was erased. Certainly, this haves no proving value whatsoever, but the actors are offering it anyway.
The group says that those who claim that they leaked data of clients who had a contract with them are spreading false rumors and that they value their reputation and respect the contract terms. The press release even goes after the companies who spread the rumors, saying that they secretly add 10%-50% of the ransom to make money from the client (victim). They even say they have evidence of that.
In fact, we had reported on this particular thing at the beginning of the month, presenting a Coveware report that put Egregor in a category of groups that had leaked victim data online even before the victim had the chance to pay the ransom. Now, we can’t say if this is false or not, but trusting ransomware gangs and believing that they have anything resembling any consideration to business reputation is naive. These groups can call it a day anytime and start a new operation under a new name, claiming the same things all over again.
KELA sees similarities between the recently published press release and past announcements from the recently disbanded Maze team. Both groups are/were active on the Russian-speaking parts of the dark web, so it would be safe to assume that at least some hackers have jumped from one project to the next. Egregor has only started its engines recently after the Maze team decided to call it a day.
And as for the intimidation part of the press release, this one warns the victims who are not willing to make a contract with Egregor of the following: