Egregor Ransomware – A Deep Dive Into Its Activities and Techniques

One of the most active ransomware groups, Egregor is part of the Sekhmet malware family and has been active since mid-September 2020. Like most other ransomware groups, it targets organizations across the world. The operators break into an organization's network, steal sensitive documents, encrypt data, and finally demand a ransom in exchange for decrypting the documents.

Ransomware attacks have been on a steady rise for the past couple of years, and in 2020 alone we saw an uptick in the number of ransomware attacks on companies worldwide. Even in the middle of a pandemic, with the world already struggling with COVID-19, pharmaceutical companies are becoming easy targets for ransomware. Cybercriminals often take advantage of the fear and uncertainty surrounding major world events by launching social engineering campaigns.

Allegedly, 52 companies have been breached by the threat actor to date (as of October 30, 2020), from the GEFCO group, which was among the first, to more recently affected organizations such as Crytek, Ubisoft, Foxtons Group, and Barnes & Noble.

Below is the list of companies whose data has been leaked by this ransomware threat actor.

The screenshot below was taken from the threat actor's blog and shows 6945 visits to the GEFCO Group post to date (as of October 30, 2020).

Files of the Foxtons Group and NHK International were allegedly leaked on October 13, 2020. The image below shows the files initially leaked by the threat actor.

Crytek is an independent video game developer based in Germany. On September 18, 2020, the company released the game ‘Crysis Remastered’, and Egregor claims to be in possession of the engine source code.

The post about the Ubisoft breach was published by the threat actor on October 17, 2020, claiming possession of the source code of the game ‘Watch Dogs: Legion’ even before the game's actual release.

We have attached some screenshots of the leaked Ubisoft files.

Most recently, the American bookseller Barnes & Noble was allegedly breached by the ransomware operator, and the corresponding blog post was published on October 20, 2020. Only 10% of the data has been leaked to date (as of October 30, 2020), in two parts.

This leak contains two .hive files, each a logical group of keys and values from the Windows registry, and two .dit files, the directory information tree used by Active Directory in a Microsoft-hosted environment.

On closer inspection we found that these files expose the accounts of the given Active Directory domain along with their password hashes, since the registry hive file provides the system information needed to decrypt the .dit file.

We suspect that these leaked files were copied directly from one of the domain controllers or from a backup of the company's IT infrastructure.

The research team at Cyble has uncovered the technical aspects of the ransomware along with the Tactics, Techniques, and Procedures (TTPs) used by the threat actor.

Technical Analysis of the Ransomware:

In the course of our routine threat hunting, the Cyble Research team discovered the latest Egregor ransomware zip archive files in the wild on October 27, 2020. The file under analysis is a zip archive containing the ransomware dynamic link library, compiled with Microsoft Visual C++ 8.0, as shown below.

The Egregor ransomware family shares functionality with other ransomware such as Clop. As per our intelligence analysis, the threat actor has a possible link to TinyMet Payload v0.2, which was used by Clop ransomware as a precursor to the TA505 post-exploitation operation. The malware hosting server has been traced to the IP 49.12.104[.]241, located in Germany, as shown in the figure below.

The ransomware uses multiple anti-analysis techniques, such as code obfuscation and packed payloads. The hex view below shows the encrypted data section of the payload file.

The payload also employs anti-debugging and evasion techniques using Windows APIs, making research on and detection of the malware difficult, as depicted below.

The payload file is a COM library with 3 export functions, as shown in the image below.

Interestingly, the payload data can only be decrypted with the correct command line argument, which means the file cannot be analyzed manually or in a sandbox without the exact parameter. The command line parameter itself is stored encrypted, as shown in the disassembler view below.

During our analysis, we successfully extracted the command line argument needed to execute the payload. The following command is used to execute it:

“C:\Windows\System32\rundll32.exe” %path to file%\sm.dll,DllRegisterServer passegregor10
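As an added detection example that is not part of Cyble's analysis, the following Python scores process-creation command lines against the password-gated rundll32 invocation shown above; the sample command lines, the sm.dll location and the severity labels are constructed for illustration.

```python
import re

# Constructed sample process-creation command lines (not real telemetry), as
# an EDR or Sysmon Event ID 1 record would carry them.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Public\sm.dll,DllRegisterServer passegregor10',
    r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL',
    r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"',
    r'rundll32.exe C:\Temp\x.dll,DllRegisterServer',
]
# rundll32 syntax is <image> <dll>,<export> [args...]; quoting is optional.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?P<image>[^"\s]*rundll32\.exe)"?\s+'
    r'"?(?P<dll>[^",]+)"?,(?P<export>\S+)(?P<rest>.*)$',
    re.IGNORECASE,
)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def parse_rundll32(cmdline):
    """Return (dll, export, [args]) for a rundll32 command line, else None."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    return m["dll"], m["export"], m["rest"].split()

def classify(cmdline):
    """'high': rundll32 -> DllRegisterServer with a trailing argument (the
    password-gated invocation the analysis documents); 'medium': the same
    export called on a DLL outside the Windows system directories (regsvr32,
    not rundll32, is the usual caller of that export); None otherwise."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return None
    dll, export, args = parsed
    if export.lower() != "dllregisterserver":
        return None
    if args:
        return "high"
    return "medium" if not dll.lower().startswith(SYSTEM_DIRS) else None

def scan(cmdlines):
    """Return [(severity, cmdline)] for every command line that fires."""
    scored = ((classify(c), c) for c in cmdlines)
    return [(s, c) for s, c in scored if s]

if __name__ == "__main__":
    for sev, line in scan(SAMPLE_CMDLINES):
        print(f"[{sev}] {line}")
```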

Upon execution, the payload injects itself into an iexplore.exe process and starts encrypting the text files and documents on the victim machine. Process Explorer highlights the read and write operations during file encryption, as shown below.

The payload also checks for the LogMeIn event log in an attempt to encrypt files on remote machines or servers connected to the victim's machine. The path to the log file is hard-coded in the payload, as shown here.

Encrypted files are given a new extension consisting of a string of random characters (matching the regex [a-zA-Z]{4,6}). For example, it renames a file named “” to “”, “” to “”, and so on. The threat actor also creates a “RECOVER-FILES.txt” ransom note in every folder that contains encrypted files, as shown in the figure below.
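As an added example that is not from the original analysis, the following Python walks a directory tree looking for the two artifacts described above, the RECOVER-FILES.txt note and files whose appended extension matches [a-zA-Z]{4,6}; the sample tree, the allowlist of ordinary extensions that the pattern would otherwise match, and the function names are assumptions made for illustration.

```python
import os
import re
import shutil
import tempfile
from pathlib import Path

RANSOM_NOTE = "RECOVER-FILES.txt"
# Appended-extension pattern from the analysis above: 4 to 6 ASCII letters.
APPENDED_EXT_RE = re.compile(r"^[A-Za-z]{4,6}$")
# Ordinary extensions that pattern also matches; an allowlist keeps them out.
KNOWN_EXTS = {"docx", "xlsx", "pptx", "html", "json", "yaml", "jpeg",
              "java", "conf", "toml", "text", "orig"}

def looks_encrypted(name):
    """True for <base>.<original ext>.<4-6 letters> where the last part is
    not a known extension, i.e. the renaming pattern described above."""
    parts = name.split(".")
    if len(parts) < 3:
        return False
    tail = parts[-1]
    return bool(APPENDED_EXT_RE.match(tail)) and tail.lower() not in KNOWN_EXTS

def scan_tree(root):
    """Map each directory with findings to (note present?, suspicious files).
    The ransom note is the strong signal; the extension match alone is weak."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        note = RANSOM_NOTE in filenames
        suspicious = sorted(f for f in filenames if looks_encrypted(f))
        if note or suspicious:
            findings[os.path.relpath(dirpath, root)] = (note, suspicious)
    return findings

def build_sample_tree():
    """Constructed directory tree mimicking a partially encrypted file share."""
    root = Path(tempfile.mkdtemp(prefix="egregor_demo_"))
    hit, clean = root / "finance", root / "public"
    hit.mkdir()
    clean.mkdir()
    for name in ("q3.xlsx.XaBQrt", "budget.docx.pLokMn", RANSOM_NOTE):
        (hit / name).write_text("constructed sample")
    for name in ("index.html", "notes.txt", "archive.tar.gz", "photo.jpeg"):
        (clean / name).write_text("constructed sample")
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    for folder, (note, files) in scan_tree(root).items():
        print(f"{folder}: ransom note={note}, suspicious={files}")
    shutil.rmtree(root)
```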

As explained in the “RECOVER-FILES.txt” ransom note, the threat actor locks computers and servers and downloads data. Victims are advised to contact Egregor's developers within three days; failing that, their data will be published. The cybercriminals behind this ransomware can be contacted through the provided websites with live chat (one of the websites can be opened only with the Tor Browser, the other is accessible with any browser).

Unfortunately, there are no third-party tools that can decrypt files encrypted by this threat actor, since decryption requires a private key held on the attackers' server. The cybercriminals behind this ransomware are the only ones with the decryption software and key.

We have attached a screenshot of the ransom note with instructions on contacting the threat actor to retrieve the original data.


The Egregor ransomware group is actively targeting different sectors such as online games and retail, and there is a high chance of it switching gears and focusing on other sectors in the near future. Therefore, companies need to increase their security measures and set up proactive protection such as periodic data backups and protecting data with strong encryption.

The Cyble Research team continuously monitors the dark and deep web to collect major data breaches, as well as the internet at large to harvest threat indicators and TTPs of emerging threats in the wild, to ensure that targeted organizations are well informed and proactively protected.


Tactics, Techniques, and Procedures (TTPs) observed:

  • Spear phishing attachment or drive-by download
  • Native API
  • DLL Side-Loading
  • Process Injection
  • Masquerading
  • Virtualization/Sandbox Evasion
  • System Time Discovery
  • Security Software Discovery
  • File, folder and system information Discovery
  • Archive Collected Data
  • Encrypted Channel
  • Application and non-application Layer Protocol


File Hash:

Is it okay to pay the ransom to the threat actor? The answer is a resounding ‘NO!’, because paying a ransom to cyber threat actors still carries inherent risks: the data may be leaked despite payment, and paying increases the chances of the attacker striking again and demanding another ransom. Despite these challenges, deploying solutions that neutralize the effects of data breaches is the need of the hour!

Here are a few ways to prevent cyber-attacks:

  • Never click on unverified or unidentified links
  • Do not open untrusted email attachments
  • Only download media from sites you trust
  • Never use unfamiliar USB devices
  • Use security software and keep it updated
  • Back up your data periodically
  • Keep passwords unique and unpredictable
  • Keep software and systems up to date
  • Train employees on cyber security
  • Set up a firewall for your internet connection
  • Secure your Wi-Fi
  • Protect files with a password
  • Take a cyber security assessment
  • Update passwords regularly

About Cyble

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit    
