Cybereason vs. Egregor Ransomware

Research by: Lior Rochberger

Egregor is a newly identified ransomware variant that was first discovered in September, 2020, and has recently been identified in several sophisticated attacks on organizations worldwide, including the games industry giants Crytek and Ubisoft

Similar to the Maze ransomware, Egregor’s operators run an extortion ransomware operation, where the data is stolen and stored on the attacker’s servers before it is encrypted on the users machine. Egregor is probably the most aggressive ransomware family in terms of negotiation with the victims. Its operators give only 72 hours to contact them. If the ransom is not paid, the data is released to the public via the attacker’s website, “Egregor News.”


Cybereason Blocks Egregor Ransomware

The ransomware payment is negotiated and agreed upon via a special chat function assigned to each victim. The payment is received in bitcoin:

egregor-1Egregor News website - published data

Egregor is believed to be a relative of another ransomware called Sekhmet that emerged in March, 2020, which shares a lot of similarities with Egregor and also some similarities with Maze.

Egregor is still quite a mystery when it comes to how it is delivered in the attack and who is behind the campaign. Not much is known at this point, but speculation includes theories that Egregor is the “heir to Maze,” after that threat actor announced they were shutting down their operations in late October. This assumption is supported by the close similarities between the two - and of course the timing.

Key Findings

• Emerging Threat: In a short amount of time, Egregor ransomware caused a great damage and made headlines across the world.

• High Severity: The Cybereason Nocturnus Team assesses the threat level as HIGH given the destructive potential of the attacks.

• Low-and-Slow: Prior to the deployment of the ransomware, the attackers attempt to infiltrate and move laterally throughout the organization, carrying out a fully-fledged hacking operation.

• Infection Vector via Commodity Malware: The infection seems to start with commodity malware. Based on a preliminary reconnaissance of data sent to the C2 servers, the operators can choose to escalate to an interactive hacking operation, which ultimately causes a mass ransomware infection.

• Detected and Prevented: The Cybereason Defense Platform fully detects and prevents the Egregor ransomware.

Breaking Down the Attack

egregor-2Egregor infection chain

From Commodity Malware Infection to Ransomware

Since Egregor is a relatively new player in the game, not many incidents involving it are covered and detailed here, including information about the infection chain. The information available so far suggests that the initial infection starts with a phishing email that contains a malicious macro embedded in an attached document. 

The macro code downloads a commodity malware, either Qbot icedID or Ursnif, which provides capabilities for stealing sensitive information that will later be used for lateral movement. This technique, which involves using a commodity malware as initial infection and to eventually deliver ransomware, was observed before with Ryuk ransomware and Maze.

Later in the attack, a CobaltStrike beacon is installed on the infected machine and the attack shifts to an interactive hacking operation. The attacker uses tools for reconnaissance such as Adfind and Sharphound to gather information about users, groups, computers and so on. This information will assist in the lateral movement phase and also in performing privilege escalation, as Egregor compromises Active Directory in order to become domain admin.

In this stage, after the malware settles on the victim’s machine, it starts communications to the C2 in order to download additional components including scripts, DLLs and other files that will be used eventually to exfiltrate data and encrypt files.

Among the dropped files observed:

  • A batch file that is used to run Bitsadmin and Rundll to download and execute the Egregor payload.

  • A Zip file contains a binary file that is an RClone client, renamed svchost, and RClone config files (webdav, ftp and dropbox) used later for exfiltration.


VT screenshot of the RClone executable and configuration file

CobaltStrike creates a service that runs an encoded PowerShell command that executes shellcode that creates connection to amajai-technologies[.]industries:

egregor-4Decryption of the Shellcode

After dropping the files needed for the attack, the attackers “prepare the ground” and undertake a final procedure meant to avoid detection and prevention. The attacker creates a Group Policy Object (GPO) to disable Windows Defender and tries to take down any anti-virus products.

Egregor Execution

As described above, the operators of Egregor deploy the ransomware payload after collecting the sensitive information and setting the GPO to evade detection and prevention. To deploy the ransomware, they execute the dropped batch file that, as mentioned, is used to download and execute the ransomware payload from a remote server:

egregor-5The content of the batch file

The Egregor payload can only be decrypted if the correct key is provided via command line argument to the Rundll32 process, which means that the file cannot be analyzed, either manually or using a sandbox, if the exact same command line that the attackers used to run the ransomware isn’t provided. 

In order to execute the ransomware and decrypt the blob of code inside of it, the operators provide the batch file with the key “-passegregor10” which resolves in the ransomware running and encrypting files:

egregor-6Batch file execution as shown in the Cybereason Defense Platform

The encrypted file names are appended with a string of random characters as the new extension. For example, it renames a file named “” to “”, “” to “” and so on. Also, the threat actor creates the “RECOVER-FILES.txt” with ransom note in all folders that contain encrypted files, as shown in the figure below: 

egregor-7Encrypted files

egregor-8A message shown the the user

Connection to Sekhmet and Maze

Egregor shares code similarities with Sekhmet ransomware, as well as the notorious Maze ransomware. Besides code similarities, the tree ransomware has a lot in common, including behaviour and characteristics:





First seen

May 2019

March 2020

July 2020

File type




Encrypted Files Extension

Files are appended with random extensions, consisting of random characters

Files are appended with random extensions, consisting of random characters

Files are appended with random extensions, consisting of random characters

Encryption Algorithm

ChaCha & RSA

ChaCha & RSA

ChaCha & RSA

Ransom Demand Message file name





Encryption and extortion

Encryption and extortion

Encryption and extortion

Cyber Criminal Contact

Tor browser website

Tor browser website

Tor browser website

Website name

Maze News

Leaks, Leaks, Leaks.

Egregor News


Another way to search for the connection between the three is to look at the infrastructure. The IP address 185.238.0[.]233 different binaries, Zip files and scripts:

• Maze ransomware binaries

• Egregor ransomware binaries

• Zip files contains the RClone binary and configuration files

The IP address is referred to by different scripts including the batch files that download the Egregor payload:

egregor-9Chart describing the different samples found on 185.238.0[.]233

It is also worth mentioning the similarities in the ransom notes of the three. They have a very similar structure, and even some “copy-paste” parts:

egregor-10Comparison between the three ransomware’s ransom notes

In addition to the Maze and Egregor binaries found on this specific server, other samples were found on the server, related to Prolock ransomware, as analyzed in this report.

Cybereason Detection and Prevention

Cybereason is able to both detect and prevent the execution of Egregor, Sekhmet and Maze using the NGAV component. When the Anti-Ransomware feature is enabled, behavioral detection techniques in the platform are able to detect the attempt to encrypt files and raise a Malop for it:

egregor-11Ransomware malop triggered due to the malicious activity

Using the Anti-Malware feature with the right configuration (listed in the recommendations below), Cybereason will also detect and prevent the execution of the ransomware and ensure that it cannot encrypt targeted files:

egregor-12Anti Malware alert - Disinfecting the b.dll (Egregor payload)

egregor-13User notification, Blocking the execution of the ransomware in the endpoint

Indicators of Compromise






















Egregor DLL








Egregor batch file





Zip containing RClone



Encoded PowerShell



Initial Access

Privilege Escalation

Defense Evasion

Command and Control


Lateral Movement




Valid Accounts

Group Policy Modification

Ingress Tool Transfer

Account Discovery

Remote Services

Exfiltration Over Web Service

Data Encrypted for Impact


Impair Defenses


Domain Trust Discovery


Exfiltration Over Web Service


Impair Defenses: Disable or Modify Tools


Permission Groups Discovery




Permission Groups Discovery: Local Groups

Cybereason Nocturnus
About the Author

Cybereason Nocturnus

The Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.

All Posts by Cybereason Nocturnus