The Egregor ransomware gang has been active since September 2020, it began operating shortly after the Maze ransomware operators shut down their operations.Like other ransomware operators, the gang implements a double extortion model, which means that it threatens the victims to release stolen data on its leak site if they do not pay the ransom.

“It is a vast Franco-Ukrainian operation. The police of the two countries have been cooperating in an attempt to dismantle a group of cybercriminals, suspected of being at the origin of several hundred attacks through ransomware since September 2020.” compromised over 150 victims

The list of known victims includes Barnes and Noble, Cencosud, Crytek, Kmart, and Metro Vancouver’s transportation agency TransLink. Several major French organizations were hit by the gang, including gaming firm Ubisoft, the SIPA-Ouest France group, and logistics firm Gefco.

“The FBI assesses Egregor ransomware is operating as a Ransomware as a Service Model. In this model, multiple different individuals play a part in conducting a single intrusion and ransomware event. Because of the large number of actors involved in deploying Egregor, the tactics, techniques, and procedures (TTPs) used in its deployment can vary widely, creating significant challenges for defense and mitigation.”

Threat actors use phishing emails with malicious attachments as attack vector, they also exploit insecure Remote Desktop Protocol(RDP) or Virtual Private Networks to gain access to the networks.

Once gained access to the target network, the threat actors attempt to escalate privileges and make lateral movements using Cobalt Strike, Qakbot/Qbot, Advanced IP Scanner, and AdFind.

Feds also added that the ransomware operators leverages tools like Rclone (sometimes renamed or hidden as svchost) and 7zip for data exfiltration.

Frence authorities, along with other European police bodies, launched an investigation into the activity of the group last year and were able to identify some members of the Egregor gang that operates an infrastructure in Ukraine. The infrastructure used by the Egregor ransomware gang, including the leak site, was shut down after the arrests.