Egregor Ransomware Operators Threaten Companies To Pay Ransom in 3 Days Else They Leak Data Online

Recently, the Egregor ransomware operators hacked into the companies to steal sensitive data and encrypt them. Not only this, but the threat actors have also threatened the victims that they will expose all the stolen data online.

The ransomware has been detected by the security researchers at Appgate. They have been giving warning regarding this uncovered ransomware variant Egregor, and according to the security researchers, the ransomware variant has appeared to have affected about a dozen of organizations through all over the world in just a few months.


There are nearly 13 different companies that are listed in their ‘hall of shame,’ which also includes the global logistics company GEFCO, which has encountered a cyberattack last week.


Egregor is an unrevealed term intended to imply the accumulated energy or force of an association of individuals. These are implied significantly when the individuals are associated with a common mission.

According to the research record of the security experts from Appgate, the code appears to be a spinoff of the Sekhmet ransomware, and there was a link that has been marked by several other security researchers.

However, Egregor can obtain extra parameters through the command line, like ‘nomimikatz,’ ‘killrdp,’ ‘norename,.’ But the experts are still performing the reverse- engineering in the malware so that they get the proper picture of the operation. 

Moreover, Egregor has also sent a note that tells if the claimed ransom is not paid by the organization within the given time period, which is “3 days.” 

Then they will leak all the stolen data online, and aside from leaking part of the stolen data, they will exhibit all the information via mass media where the company’s partners and customers will acknowledge that the threat actors hit the company.

During an investigation, the researchers have noted that the ransomware comprises several types of anti-analysis methods, including code obfuscation and packed payloads, which indicates that the ill-disposed code “unpacks” itself in memory as a method to bypass disclosure by the security tools.

The Egregors’ ransom note also states that apart from decrypting all the files in the matter, in which the company pays the ransom, they will also implement recommendations for ensuring the company’s network, as it will help them to evade being breached again.

The security experts are still trying there best to investigate all the key details of this ransomware attack. And the experts also affirmed that the ‘security recommendations’ overtook their all attention as it’s quite unusual for a criminal group. 

Apart from this, the criminal group are trying to play good people by intimating; they would try to improve your network. That’s why the security experts will continue to monitor any potential variants that are emerging from this particular group. 

While to get the payment details, the sufferer requires to navigate to the deep web link that has been provided by Egregor and get guidance from the attacker via live chat. But this has not been performed yet, as the expert are not so sure about this very particular step.

You can also read the complete ransomware mitigation checklist

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Also Read:

SunCrypt Ransomware Attack Shutdown The North Carolina School District

Russian National Arrested for Hiring Tesla Employee to Install Malware On to The Company’s Network

QNAP Warned that AgeLocker Ransomware Attacks QNAP NAS, Linux, and macOS Devices

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.