FBI Issues Alert on Growing Egregor Ransomware Threat


Bureau and Security Experts Warn About Gang’s Effective Extortion Model


The FBI issued a warning this week over the growing threat from the operators behind the Egregor ransomware variant and other cybercriminal gangs affiliated with the group.

Since September, the Egregor gang and its affiliates claim to have compromised approximately 150 corporate networks in the U.S. and other countries. In some cases, the extortion demands have reached $4 million.

Egregor appears to operate through a network of affiliated cybercriminals who carry out their own attacks and then kick back a percentage of any ransom the victim pays, which makes prevention and mitigation more of a challenge.

“Because of the large number of actors involved in deploying Egregor, the tactics, techniques and procedures used in its deployment can vary widely, creating significant challenges for defense and mitigation,” the FBI alert notes. “Egregor ransomware utilizes multiple mechanisms to compromise business networks, including targeting business network and employee personal accounts that share access with business networks or devices.”

Other researchers have noted that Egregor is one of several cybercriminal operations that exfiltrates data before crypto-locking systems and files and then threatens to leak the information unless it receives a ransom from the victim.

While relatively new, the Egregor gang and its affiliates have been tied to several high-profile attacks, including compromising the networks of Barnes & Noble and Kmart.


The FBI alert notes that the operators behind Egregor typically use phishing emails with malicious attachments or links as the initial attack vector. The gang also exploits vulnerabilities in Microsoft’s Remote Desktop Protocol tool and VPNs to gain initial access before moving laterally throughout the network.

Once the network is compromised, Egregor deploys legitimate penetration testing tools, such as Cobalt Strike, Advanced IP Scanner, and AdFind, to escalate administrative privileges and move laterally through a network.

And while Egregor’s operators have developed methods to hide their tactics and techniques—and have also made the source code difficult to analyze—Callow says that the ransomware acts much like other crypto-locking malware.


The FBI says organizations can take several steps to mitigate the risk of Egregor and other ransomware attacks, including:

  1. Backing up critical data offline
  2. Ensuring that copies of critical data are in the cloud or on an external hard drive or storage device
  3. Securing backups and ensuring data is not accessible for modification or deletion from the system where the data resides
  4. Using two-factor authentication
  5. Prioritizing patching of public-facing remote access products and applications, including recent RDP vulnerabilities such as CVE-2020-0609, CVE-2020-0610 and CVE-2020-16896
  6. Reviewing suspicious BAT and DLL files, along with any reconnaissance data and exfiltration tools found on systems
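The last two points of that list, spotting the discovery tools the alert names and reviewing BAT and DLL files that show up in unusual places, can be turned into a first-pass triage over process-creation telemetry. The script below is an added example, not code from the FBI alert or from ITPAC; the Sysmon-style log lines are constructed, and the "user-writable path" list and the matching rules are assumed heuristics that each environment would tune.

```python
import re
from typing import List, Optional, Tuple

# Constructed Sysmon-style process-creation lines (sample data, not real telemetry).
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\svchost.exe CommandLine=svchost.exe -k netsvcs ParentImage=C:\Windows\System32\services.exe",
    r"Image=C:\Users\alice\AppData\Local\Temp\AdFind.exe CommandLine=adfind.exe -f objectcategory=computer ParentImage=C:\Windows\System32\cmd.exe",
    r"Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c C:\ProgramData\update.bat ParentImage=C:\Windows\explorer.exe",
    r"Image=C:\Windows\System32\rundll32.exe CommandLine=rundll32.exe C:\Users\Public\loader.dll,Start ParentImage=C:\Windows\System32\wscript.exe",
    r"Image=C:\Program Files\Advanced IP Scanner\advanced_ip_scanner.exe CommandLine=advanced_ip_scanner.exe ParentImage=C:\Windows\explorer.exe",
    r"Image=C:\Windows\System32\rundll32.exe CommandLine=rundll32.exe shell32.dll,Control_RunDLL ParentImage=C:\Windows\explorer.exe",
]

EVENT_RE = re.compile(r"^Image=(?P<image>.*?) CommandLine=(?P<cmd>.*?) ParentImage=(?P<parent>.*)$")

# Discovery tools the FBI alert names; matched on the executable file name.
RECON_TOOLS = ("adfind", "advanced_ip_scanner")
# Locations an unprivileged user can write to (assumed heuristic, tune per environment).
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\")


def parse_event(line: str) -> Optional[Tuple[str, str, str]]:
    """Split one log line into (image, command line, parent image); None if malformed."""
    m = EVENT_RE.match(line)
    return (m["image"], m["cmd"], m["parent"]) if m else None


def triage(events: List[str]) -> List[Tuple[str, str]]:
    """Return (reason, image) for every event that matches one of the review heuristics."""
    findings = []
    for line in events:
        parsed = parse_event(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash the sweep
        image, cmd, _parent = parsed
        name = image.rsplit("\\", 1)[-1].lower()
        cmd_l = cmd.lower()
        from_user_dir = any(p in cmd_l for p in USER_WRITABLE)
        if any(tool in name for tool in RECON_TOOLS):
            findings.append(("recon tool execution", image))
        elif ".bat" in cmd_l and from_user_dir:
            findings.append(("batch script run from user-writable path", image))
        elif name == "rundll32.exe" and ".dll" in cmd_l and from_user_dir:
            findings.append(("DLL loaded via rundll32 from user-writable path", image))
    return findings


if __name__ == "__main__":
    for reason, image in triage(SAMPLE_EVENTS):
        print(f"{reason}: {image}")
```

The benign svchost.exe line and the rundll32.exe call into shell32.dll from the system directory are left alone, which is the point of the path check: rundll32 itself is normal, a DLL sitting in a user-writable folder is what merits a look.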

The FBI also notes that those who are targeted by ransomware should not pay the ransom because that could encourage additional criminal activity. The U.S. Department of the Treasury has also warned organizations not to pay ransoms, noting they could face sanctions.

If you have questions about IT security and the evolving threats your organization faces, call ITPAC today.