Egregor Ransomware Attacks Creating Uncertainty in Cyberspace

A relatively new threat, the Egregor ransomware attack, is quickly making a name for itself in the cyber world. It is becoming a preferred means for cybercriminals to attack vulnerable networks.

Egregor belongs to the Sekhmet malware family and emerged in September 2020, but it became infamous in October when it targeted several high-profile companies. Attacks against Barnes & Noble and the video game developers Ubisoft and Crytek raised many eyebrows in the cyber arena.

The damage caused until now

Egregor ransomware has affected at least 71 victims across 19 different industries around the globe, according to cybersecurity researchers at Digital Shadows.

According to the same security vendor, most Egregor victims (38%) come from the service sector, and the vast majority so far (83%) have been US-based.

The propagation mechanism and initial infection vector of the Egregor ransomware attack are still unknown. It is suspected to enter systems through attachments in spam emails, or through maliciously crafted links shared by email or instant messaging chats.


Proactive cybersecurity is the key to comprehensive defense from cyber transgressions.


The method of an Egregor ransomware attack

The attack follows a three-step method.

  • First, it tries to sneak into an organization by finding vulnerabilities in its network.
  • Then, it steals sensitive data from the organization.
  • Finally, it threatens to release the corporate data unless the company pays the ransom in time.

The group uses double extortion tactics to raise the stakes: it not only demands a ransom after encrypting data, but also threatens to publish that data online. Officials nevertheless discourage organizations and individuals from paying the ransom, since the release of the files is not guaranteed.

The malware uses various anti-analysis techniques, the two most common being code obfuscation and packed payloads. In practice this means the malicious code unpacks itself in memory, so that detection by security tools becomes nearly impossible.

Some countermeasures to stay safe

  • To limit the impact of data loss, carry out regular backups of all essential information to speed up recovery. The backup data should ideally reside on a separate device.
  • Regularly check the integrity of the information contained in the database.
  • Set up an email validation system to fend off spam. It is essential to detect email spoofing, through which many ransomware samples successfully reach corporate mailboxes.
  • Keep anti-virus software up to date on all systems. Also, never open attachments or click on a URL in unsolicited emails, even when they appear to come from people in your contact list.
  • Administrators should use least-privileged accounts and disable remote desktop connections. Limiting who can log in using a remote desktop is a recommended approach to mitigate attacks.
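The last countermeasure above (least privilege and restricting remote desktop access) can be audited and enforced from PowerShell. The script below is an added example, not code from the LIFARS post; it assumes a Windows host with the NetSecurity and Microsoft.PowerShell.LocalAccounts modules available and an elevated session. The function names Get-RdpExposure and Set-RdpHardened, and the $AllowedUsers list, are the example's own.

```powershell
# Added example (not from the original post): audit a host's Remote Desktop exposure.
# Checks: fDenyTSConnections (1 = RDP disabled), UserAuthentication (1 = Network Level
# Authentication required), the enabled "Remote Desktop" firewall rule group, and who is
# in the local "Remote Desktop Users" group. Run from an elevated PowerShell session.
function Get-RdpExposure {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"
    $denyTs = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla    = (Get-ItemProperty -Path $tcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $fwOpen = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue).Count -gt 0
    $members = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        RdpEnabled         = ($denyTs -ne 1)
        NlaRequired        = ($nla -eq 1)
        FirewallAllowsRdp  = $fwOpen
        RemoteDesktopUsers = $members
    }
}

# Remediation matching the post's advice: disable RDP outright, or, where it must stay on,
# require NLA and trim the Remote Desktop Users group down to an explicit allow list.
# $AllowedUsers entries use the "COMPUTER\user" or "DOMAIN\user" form that Get-LocalGroupMember reports.
function Set-RdpHardened {
    param([switch]$DisableRdp, [string[]]$AllowedUsers = @())
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"
    if ($DisableRdp) {
        Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    } else {
        Set-ItemProperty -Path $tcp -Name UserAuthentication -Value 1   # require NLA
    }
    # Remove every member of Remote Desktop Users that is not on the allow list.
    Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
        Where-Object { $AllowedUsers -notcontains $_.Name } |
        ForEach-Object { Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $_.Name }
}

# Report the current state; call Set-RdpHardened -DisableRdp (or with -AllowedUsers) to enforce.
Get-RdpExposure | Format-List
```

Run Get-RdpExposure before and after remediation and keep the output as a baseline, so a later change to the group or the registry values stands out during incident triage.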


Since Egregor ransomware is still new, it isn’t yet entirely clear how the actors compromise victim networks. Researchers say the code is heavily obfuscated and appears to be designed specifically to prevent information security teams from analyzing the malware.

At LIFARS, we will be publishing a case study on this ransomware very soon, so stay tuned for more details related to this threat.

In such uncertain times, all organizations should consider moving toward a proactive cybersecurity approach. Leaving even a slight weakness in the system could cause enormous harm.
