A security alert released warning private sector companies about the Egregor ransomware operation which is actively targeting and extorting businesses worldwide.

Egregor claims to have already hit and compromised more than over 150 victims since the malicious activity ended up discovered in September 2020, Federal Bureau of Investigation (FBI) said Wednesday in a Private Industry Notification (PIN).

“Once a victim company’s network is compromised, Egregor actors exfiltrate data and encrypt files on the network. The ransomware leaves a ransom note on machines instructing the victim to communicate with the threat actors via an online chat. Egregor actors often utilize the print function on victim machines to print ransom notes. The threat actors then demand a ransom payment for the return of exfiltrated files and decryption of the network. If the victim refuses to pay, Egregor publishes victim data to a public site,” the FBI said.


Phishing emails with malicious attachments and insecure Remote Desktop Protocol (RDP) or Virtual Private Networks are some of the attack vectors used by Egregor attackers to gain access and to move laterally within their victims’ networks.

Egregor ransomware is operating as a Ransomware as a Service Model. In this model, multiple individuals play a part in conducting a single intrusion and ransomware event. Because of the large number of actors involved in deploying Egregor, the tactics, techniques, and procedures (TTPs) used in its deployment can vary widely, creating significant challenges for defense and mitigation, according to the FBI.

Egregor ransomware utilizes multiple mechanisms to compromise business networks, including targeting business network and employee personal accounts that share access with business networks or devices.

Egregor uses Cobalt Strike, Qakbot/Qbot, Advanced IP Scanner, and AdFind for privilege escalation and lateral network movement.

Affiliates are also using 7zip and Rclone, at times camouflaged as a Service Host Process (svchost) process, for data exfiltration before deploying the ransomware payloads on the victims’ network.

The FBI also shared a list of recommended mitigation measures that should help defend against Egregor’s attacks:

  • Back-up critical data offline
  • Ensure copies of critical data are in the cloud or on an external hard drive or storage device
  • Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the data resides
  • Install and regularly update anti-virus or anti-malware software on all hosts
  • Only use secure networks and avoid using public Wi-Fi networks
  • Use two-factor authentication and do not click on unsolicited attachments or links in emails
  • Prioritize patching of public-facing remote access products and applications, including recent RDP vulnerabilities (CVE-2020-0609, CVE-2020-0610, CVE-2020-16896, CVE-2019-1489, CVE-2019-1225, CVE-2019-1224, CVE-2019-1108)
  • Review suspicious .bat and .dll files, files with recon data (such as .log files), and exfiltration tools
  • Securely configure RDP by restricting access, using multi-factor authentication or strong passwords

Click here for the full FBI report.