Egregor ransomware, which first emerged in September, has targeted several high-profile organizations in a short span of time. The ransomware has attacked multiple industries and made its name among the top ransomware family. Recently, the group has hit Kmart and shut down the retailer’s access to some back-end systems.

Quick insights

In a very short time, the ransomware group has already attacked at least 71 victims across 19 different industries worldwide. The main motive behind this group attack is financial gains by threatening to leak data if the ransom is not paid.
  • So far, the group attacked well-known organizations such as  Randstad NV, TransLinkBarnes & Noble, Ubisoft, Crytek, and Cencosud. The primarily targeted sectors include manufacturing, transportation, IT, and retail.
  • Out of the first 69 targeted organizations, 32 victims were in the U.S., 7 were in France and Italy each, 6 in Germany, and 4 in the U.K. Other victims were from APAC, the Middle East, and Latin America.
  • One-third of the group’s campaigns targeted the industrial goods and services sector, mostly in the U.S.
  • The ransomware is still comparatively new, thus, it has not yet been confirmed how its operators compromise the victim networks. However, experts stated that email phishing could be the initial method of infection used by the operators.
  • In addition, the malware code is heavily obfuscated and possesses sophisticated technical capabilities to hinder the analysis of malware.

The Maze angle

Though Egregor’s code isn’t the derivative of the malware used by Maze, the ransomware still seems to be in a hurry to snatch the opportunity and fill in the shoes of Maze.
  • Many of Maze’s associates were seen moving over to Egregor after Maze’s operators had announced that they were shutting down their operations. 
  • Like Maze, Egregor could be a ransomware-as-a-service operation that uses the ChaCha and RSA encryption algorithms to encrypt victims’ files.


By looking at the sophistication of attacks, it could be said that the group has spent a lot of resources and time to develop its malware. Thus, experts suggest proactively taking backup of important data, updating software and operating systems to the latest patches, and providing training to employees to identify phishing emails.
Cyware Publisher