Menu
Browse

Cyber Threat Actor: Egregor

Actor Type Location Known Incidents
 Icon
Crime Syndicate
Russia
22 incidents
Profile

Egregor is a ransomware‑as‑a‑service operation that has been active since late 2020 and is publicly linked to former affiliates of the Maze ransomware group. Ukrainian authorities have identified the threat actors behind several of its operations as being located on Russian networks and have described them as Russian‑backed hackers, noting that some of the Distributed Denial‑of‑Service attacks against Ukrainian government sites were allegedly carried out in retaliation for law‑enforcement actions against Egregor members. The group’s affiliates reportedly receive seventy percent of any ransom payment while the core operators retain thirty percent, a model that has allowed the operation to expand quickly by recruiting experienced ransomware actors.

Egregor has demonstrated a broad targeting pattern across multiple sectors and geographic regions. Victims have included a global staffing firm (Randstad) in the United States, Poland, Italy and France; major retailers such as Kmart, Cencosud and Barnes & Noble; public‑transportation agencies like Vancouver’s TransLink; school districts in Texas and Montana; healthcare providers including Coldwater Orthodontics and the Delta Dental Plans Association; and gaming companies such as Crytek and Ubisoft. The group’s activities have been observed in North America, Europe and Latin America, and it has also been implicated in cyber‑espionage and disruptive operations against Ukrainian government institutions, where malicious macros were used to deliver malware and compromised servers were recruited into a botnet for Distributed Denial‑of‑Service attacks.

The group’s tactics, techniques and procedures consistently involve the theft of unencrypted files prior to encryption, a practice highlighted in several victim statements where attackers threatened to leak the stolen data unless a ransom was paid. Egregor ransomware is known to deliver ransom notes via compromised printers, a tactic observed in attacks on TransLink, Cencosud and other victims. Initial access has been achieved through supply‑chain compromise, as seen in the February 2021 intrusion of Ukraine’s government document management system where malicious macros in uploaded documents silently deployed remote‑access malware. In the same campaign, the attackers installed malware on vulnerable government servers to conscript them into a botnet that was subsequently used to launch further DDoS attacks against Ukrainian state websites.

Notable publicly reported operations include the December 2020 ransomware incident against Randstad, during which the group exfiltrated operational data from the firm’s U.S., Polish, Italian and French divisions and later leaked a subset of financial, legal and business documents. The same month saw Kmart’s back‑end services disrupted by Egregor ransomware, with the attackers threatening to leak stolen data. In early December 2020, Vancouver’s TransLink suffered a ransomware attack that disabled fare‑payment systems and ticket kiosks, with the ransom note delivered via printers. November 2020 attacks hit the Spring Independent School District in Texas, Coldwater Orthodontics in Michigan and the Delta Dental Plans Association, with data posted on the group’s leak site. Earlier that month, Cencosud stores across several Latin American countries were impacted by ransomware that encrypted devices and triggered automatic printing of ransom notes. October 2020 saw alleged data theft from Crytek and Ubisoft, and a confirmed ransomware attack on Barnes & Noble that disrupted its Nook digital services and exposed customer contact and purchase information. These incidents illustrate Egregor’s reliance on a ransomware‑as‑a‑service model, its use of double‑extortion tactics, and its ability to conduct both financially motivated cybercrime and state‑aligned disruptive operations.

Incidents
Attributed incidents available to members
22 incidents
Sources
Sources available to members
14 sources