Investigation Into Egregor Ransomware Reveals Unknown Aspects About its Operation

Last updated September 28, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

The ‘Egregor’ ransomware group is one of the most active, successful, and intimidating out there, rising in notoriety quickly thanks to its uncompromising extortion mechanism, solid infection methods, and strong encryption scheme. Morphisec has decided to take a deeper look into how the group operates, its techniques for initial access, persistence, and exfiltration, and whether there’s any evidence linking them with other groups that had similar success in the past.

Starting with the infection process, the investigation shows that the Egregor group is exploiting a VPN vulnerability to access the target’s internal network through a Tor exit node, remaining well hidden. From there, the actors scan the network to find any vulnerable servers.

If they do, they use it as an entry point and then move laterally through file sharing, apps, virtualization, and fake updates. The exfiltration of the stolen data, which occurs before the encryption step, is done through legit services like WeTransfer, MEGA, SendSpace, etc.

Source: Morphisec

A notable aspect of Egregor’s operation is the level of diligence they maintain during all stages. For example, when it comes to maintaining persistence, they use “AnyDesk” as a primary backdoor and also “SupRemo” as a backup. Also, the actors are careful with the planting of software and don’t just drop everything they got on every system they break into. For example, the “Mimikatz” credential collector is dropped only on the first vulnerable server they infect (patient zero).

To evade detection from powerful enterprise-grade AV solutions, the actors use the ‘AES.ONE’ file sharing platform. Through it, they drop the ransomware components, but not the other tools. These are fetched in 7zip archive form through the ‘File.io’ service, using a one-time download link.

Finally, there’s evidence that the actors are Russian-speaking people, which is consistent with previous findings. Morphisec has also found a link to the Revil and GandCrab groups through the username “Lalartu,” which has been used by those groups in the past. Of course, the actors use multiple “new users” to roam in the infected systems, and the researchers were able to restore wiped logs that indicated the simultaneous activity of three infiltrators.

Ransomware actors like Egregor are highly sophisticated, no doubt, and defending against them needs a holistic approach. Every network configuration opening, unpatched server, lack of MFA, absence of runtime zero trust preventive tech, and availability of admin privileges is serving as an entry point for these actors.

All they need is a single vulnerability, and they’re in. In any case, take regular backups, keep them isolated from your network, and make sure to test their integrity now and then.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: