You are currently viewing FBI Warns of Egregor Ransomware Targeting Organizations World Over
Egregor Ransomware

FBI Warns of Egregor Ransomware Targeting Organizations World Over

The US Federal Bureau of Investigation (FBI) has sent a security alert warning private sector companies that the Egregor ransomware operation is actively targeting and extorting businesses worldwide.

The Egregor ransomware was first identified by the FBI in September 2020. The FBI says in a TLP: WHITE Private Industry Notification (PIN) Egregor claims to have already compromised over 150 victims worldwide.

Egregor ransomware utilizes multiple mechanisms to compromise business networks, including targeting business network and employee personal accounts that share access with business networks or devices.”

How Egregor Ransomware Works

  1. Egregor ransomware uses multiple mechanisms to compromise business networks. These include targeting business networks and employee individual accounts that share access with business networks or devices. Some of the ways it can get access to networks are:
    • Using phishing emails with malicious attachments to gain access to company networks.
    • Exploit Virtual Private Networks (VPN).
    • Exploit Remote Desktop (RDP). RDP is also a technique used to move laterally within the organization.
  2. Once inside the network, the hackers use common pen testing [1]and exploit tools [2]to move laterally and escalate privileges across the network.
  3. Once a victim’s organization network is compromised, Egregor hackers exfiltrate and encrypt company files and data on the network.
  4. The Egregor hackers then attempt to extort businesses by threatening to publicly release exfiltrated data. They do this by leaving a ransom note on machines instructing the victim to communicate with the hackers via a specified online chat. Egregor hackers often utilize the fine print function on victims’ machines to print ransom notes.
  5. The hackers then demand a ransom payment for the return of exfiltrated files and decryption of the network.
  6. Finally, if the victim refuses to pay, Egregor may proceed to publish the data to public websites.

Why the Risk of a Successful Egregor Attack is High

The egregor attack success rate is said to be high because multiple different parties play a part in executing a single Egregor ransomware attack. Because of the large number of players involved, the methods used in executing the attack will often vary. This can create significant challenges for protection from the attack.

What to do if you become a victim

Although you may find yourself stuck between a rock and a hard place when you think about the risk loss of this data may pose to your clients, employees or investors, security experts do not recommend paying a ransom to the cybercriminals. Why?

  • Because doing so only encourages the cybercriminals to continue doing what they are doing and even target other organizations.
  • Also because paying ransom indirectly funds the cybercriminal’s activities and encourages them to continue with their cybercrimes.
  • It also encourages further distribution of ransomware.
  • And finally, there is actually no guarantee you will get your files back after paying the ransom.

How to Protect you and your Organization from Ransomware Attacks

  • Avoid clicking on unsolicited attachments or links in your email
  • Backup critical data offline
  • Backup critical data on the cloud or an external storage device. can offer you a reliable cloud backup solution.
  • Secure your data to ensure it cannot be modified or deleted in the system where it resides
  • Invest in a good spam filtering solution for your emails.
  • Install and regularly update antivirus and anti-malware software on all your organization’s computing systems.
  • Avoid public Wi-Fi networks as the security on these networks cannot be guaranteed.
  • As much as is possible, enable and use two-factor authentication (2FA) for all your accounts.
  • Wherever possible, use application-specific passwords. You can read more about what these are and why they’re important here.
  • Patch of all systems on your network, but particularly the public-facing remote access products and applications. Ensure they are patched against all recent RDP vulnerabilities.
  • Configure RDP securely by restricting access, using strong passwords on all systems, and also using two-factor authentication where possible.
  • Review suspicious .bat and .dll files, files with recon data (e.g., .log files) and exfiltration tools.

MailSafi Email Security is a best-of-class spam filtering solution for businesses. MailSafi email security offers protection against spam, viruses, malware as well as spoofing and phishing attacks and will go a long way in minimizing the risk that your organization will become the victim of a ransomware attack. Talk to us today for more information on our spam filtering service.

Through our parent company,, we can also advise and provide you with firewall, antivirus and cloud backup solutions for your organization. Get in touch today!

[1] Cobalt Strike, Qakbot/Qbot, Advanced IP Scanner, and AdFind

[2] Rclone (sometimes hiding as an svchost), 7zip