After a wave of arrests, Egregor will have to recruit new hackers

By arresting members of Egregor’s armed wing, the police are dealing a blow to one of the main cybercriminal organizations.

2021 is definitely off to a bad start for cybercriminals. According to information reported by France Inter on February 12, French police took part in the arrest of several cybercriminals in Ukraine. More specifically, it was the Central Office for the Fight against Cybercrime, a division of the judicial police specializing in the subject, which carried out a substantial part of the investigation. The cyber prosecution unit (J3) of the Paris Tribunal de Grande Instance had received numerous complaints and reports.

The arrested suspects are said to be partners of the Egregor gang: hackers, but also individuals responsible for the support functions that any organized cybercriminal activity requires (logistics, accounting, etc.). The police reportedly identified the suspects by tracing the flow of ransom payments on the bitcoin blockchain.

Big blow for one of the biggest ransomware developers

The police didn’t hit the gang at its root, but they did inflict a heavy blow on its production line. Egregor, like the majority of its competitors, operates on a “Ransomware-as-a-Service” business model. Concretely, it only develops the ransomware that will be used to encrypt victims’ computer networks and thus paralyze their activities. It outsources the attack itself and the ransom demand to handpicked partners. If a victim pays the ransom – Egregor’s average take is around $700,000, according to ZDNet – the developer keeps a commission of between 20 and 40% of the amount and leaves the rest to its partner.

Egregor’s turn to be hit by the police. // Source: Louise Audry for Numerama

Arresting the partners therefore amounts to cutting off the gang’s armed wing, and consequently its activity. But this would only be temporary: one armed wing can be replaced by another, even if Egregor could run into certain difficulties. A ransomware operator interviewed by Cisco explained that high-level hackers are not as numerous as they seem. Replacements for the arrested hackers could be far less effective than their predecessors, which would reduce the organization’s earnings.

Egregor’s servers have fallen

Egregor will then face a crisis of confidence: why work for it when other gangs offer almost equally effective ransomware with a similar split of earnings, but whose partners have never been identified? In November 2020, the REvil gang (also known as Sodinokibi), one of Egregor’s main competitors, claimed to have identified two members of Egregor thanks to a mole inside the organization. Although the information was not confirmed at the time, it was nonetheless passed on to the police. This kind of incident could give prospective new partners pause.

Whether proof of the police operation’s success or a strange coincidence, the company Recorded Future pointed out to ZDNet that several servers belonging to Egregor have been offline since Friday, February 12. Among them are the site on which the gang threatens to publish the data of victims who do not pay, and the command-and-control infrastructure used to deploy the ransomware. These disappearances are unusual. On the one hand, when the police seize a site, they usually display a message stating that they are responsible for taking it offline. On the other hand, Egregor seems too well developed as an organization to lose its infrastructure through oversight or human error.

The police have succeeded again

This is already the third major successful police operation of early 2021. Europol had already orchestrated the dismantling of a large part of the infrastructure of Emotet, a key player in the sector, which provided mass access to victims’ networks into which ransomware could then be deployed. Then it was the turn of the Netwalker gang to suffer a wave of arrests and seizures.

This time, the police managed to reach one of the world’s three biggest organizations. Having appeared at the end of 2020, Egregor would in reality be only an extension of Maze, a now-retired cybercriminal organization that revolutionized practices between 2018 and 2019. This is therefore excellent news: the police are finally managing to slow down the development of these extremely fast-moving gangs, which have been gaining strength at a frightening rate.

The official announcement of the arrests should provide more details on the scale of the operation and its effects on Egregor’s activity in the medium term.

Source: Numerama by cyberguerre.numerama.com.
