French and Ukrainian police arrested Egregor ransomware affiliates/partners in Ukraine

An international operation conducted in Ukraine and France lead to the arrest of criminals believed to be affiliated with the Egregor RaaS.

Some affiliated with the Egregor RaaS, not the main ransomware gang, have been arrested as a result of a joint operation conducted by law enforcement in Ukraine and France.

Authorities did not reveal the name of the suspects, according to France media the suspects are in contact with Egregor ransomware operators and provided logistical and financial support to them.

The Egregor ransomware gang has been active since September 2020, it began operating shortly after the Maze ransomware operators shut down their operations.

Like other ransomware operators, the gang implements a double extortion model, which means that it threatens the victims to release stolen data on its leak site if they do not pay the ransom.

“It is a vast Franco-Ukrainian operation. Since Tuesday morning, the police of the two countries have been cooperating in an attempt to dismantle a group of cybercriminals, suspected of being at the origin of several hundred attacks through ransomware (programs that block the computer and demand a ransom) since September 2020.” reported France Inter. “According to information from France Inter, police officers from the Central Office for the Fight against Cybercrime of the Judicial Police participated in the arrest of several hackers, suspected of being in contact with Egregor, a cyber criminal group : hackers, logistical and financial support, etc.”

Early this year, the FBI has issued a Private Industry Notification (PIN) to warn private organizations of Egregor ransomware attacks.

The Egregor ransomware first appeared on the threat landscape in September 2020, since then the gang claimed to have compromised over 150 organizations.

The list of known victims includes Barnes and Noble, Cencosud, Crytek, Kmart, and Metro Vancouver’s transportation agency TransLink. Several major French organizations were hit by the gang, including gaming firm Ubisoft, the SIPA-Ouest France group, and logistics firm Gefco.

Egregor is known to target printers of the compromised organizations, instituting them to print the ransom note.

“The FBI assesses Egregor ransomware is operating as a Ransomware as a Service Model. In this model, multiple different individuals play a part in conducting a single intrusion and ransomware event. Because of the large number of actors involved in deploying Egregor, the tactics, techniques, and procedures (TTPs) used in its deployment can vary widely, creating significant challenges for defense and mitigation.” reads the FBI alert. “Egregor ransomware utilizes multiple mechanisms to compromise business networks, including targeting business network and employee personal accounts that share access with business networks or devices.”

Threat actors use phishing emails with malicious attachments as attack vector, they also exploit insecure Remote Desktop Protocol(RDP) or Virtual Private Networks to gain access to the networks.

Once gained access to the target network, the threat actors attempt to escalate privileges and make lateral movements using Cobalt Strike, Qakbot/Qbot, Advanced IP Scanner, and AdFind.

Feds also added that the ransomware operators leverages tools like Rclone (sometimes renamed or hidden as svchost) and 7zip for data exfiltration.

FBI discourages victims to pay the ransom and urge them to report incidents to local FBI offices.

Frence authorities, along with other European police bodies, launched an investigation into the activity of the group last year and were able to identify some members of the Egregor gang that operates an infrastructure in Ukraine.

The infrastructure used by the Egregor ransomware gang, including the leak site, was shut down after the arrests. At the time of this writing, it is not clear if the servers were seized by the authorities or took offline by the ransomware operators to evade the detection of law enforcement.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]