- The French police traced back several Egregor attacks against large firms in the country to Ukraine.
- The arrests of an unknown number of members may or may not put the ransomware gang's operations at risk.
- Egregor has had a good run so far, but maybe the circumstances are now ideal for a glorious exit.
Egregor is one of the most active ransomware groups at the moment, so law enforcement authorities naturally focus their resources on figuring out the crooks' real identities. The French police collaborated with the Ukrainian state to arrest several suspects who are believed to be members of the Egregor group.
The French have had attacks on local firms such as ‘Gefko,’ ‘Ouest France,’ ‘Ubisoft,’ and the Dax hospital in the Landes. All of these were traced back to Ukrainian soil, so it seems the particular actors were not careful enough.
These arrests by no means signify the end of the Egregor RaaS, as the arrested individuals are only members/clients of the ransomware platform. However, they are bound to cause a disruption, and the leak site where the stolen data of victimized firms is published for extortion purposes is already down. Possibly, the operators fear that the arrested persons may give useful testimonies to the investigators, potentially leading to more arrests.
According to Kivu researchers, Egregor comprises about a dozen core members and another 20 to 25 semi-exclusively vetted members. Thus, even a small number of arrests would have the potential to put the project’s existence at risk, as long as these people belong to one of these two sub-categories.
Typically, the “lives” of RaaS programs follow a certain route: rising to notoriety, sustaining high-level operations for a while, passing through a period of decline, and then shutting down the RaaS program. The members then jump ship to the next “hot” platform, and so do several of the malware authors, while those at the top simply exit the space and go on to enjoy their loot.
This is something we’ve seen recently with the super-active and highly successful “Maze” group. In the case of Egregor, researchers at Morphisec have recently found ties with REvil and GandCrab, so it’s just a recycling process, at least up to a certain level.
We don’t know when Egregor will decide to abandon the cybercrime space, but there are signs of its infection rates entering an extended period of decline, so it may not be long now. Egregor has reportedly made between $40 and $50 million already, so they can go for a comfortable retirement and avoid risking any additional trouble.
Finally, the new Russian law, which threatens to take control over all operations of this kind, is surely introducing another pressure vector for Russian actors like Egregor, so maybe this will be the end for them.