Looking to streamline your TPRM? Join our Product Deep Dive Webinar with live Q&A!
Register Now
Blog
Resources
Blog
Breaches
eBooks, reports, & more
Events
News
Cybersecurity
Categories
Attack Surface Management
Company News
Compliance and Regulations
Cybersecurity
Data Breaches
DevOps
Human Cyber Risk
Risks and Vulnerabilities
Third-Party Risk Management
Vendor Risk Management
What is Egregor Ransomware?
Last updated
November 28, 2025
{x} minute read

What is Egregor Ransomware?

Get a demo
Free trial
Download the PDF guide
Free trial
Written by
Edward Kost
Senior Cybersecurity Writer
Edward is a cyber writer with a mechanical engineering background. His work has been referenced by academic institutions and government bodies.
Reviewed by
Kaushik Sen
Chief Marketing Officer
Kaushik has a background in software engineering, enterprise solution architecture, and data analytics. He brings a unique, data-driven perspective to cybersecurity education.
Table of contents

Since stepping into the cybercriminal arena in cyber September 2020, the Egregor group has penetrated over 71 businesses globally, including recruitment giant Randstad and US retailer Kmart.

But who is the Egregor group and how have they managed to rise up as a significant cyber threat in just a few short months?

Who is Egregor?

Egregor is a cybercriminal group specializing in a unique branch of ransomware attacks. Egregor is a term in Western Magic referring to the collective energy of a group of people united with a common purpose.

it is speculated that the ransomware operators of notorious cybercrime group Maze, formed Egregor after shutting down their operations in October 2020.

Maze's ransomware attack efforts were far-reaching, providing the newly formed Egregor group a prominent platform to springboard from.

maze ransomware prevalence
Global reach of Maze ransomware infections - source: mcafee.com

Egregor earned its destructive reputation after the group successfully breached the Barnes & Noble and video game developers Crytek and Ubisoft in October 2020.

In the Barnes & Noble cyberattack, Egregor claimed to have accessed financial and audit information. In an internal email to its customers, Barnes & Noble stated that customer financial data was not stolen. The attack also caused temporary outages to Barnes & Noble's Nook e-readers.

In the Crytek and Ubisoft cyberattacks, the ransomware gang claimed to have exfiltrated the source codes for upcoming releases including Watchdogs: Legion and Arena of Fate. Egregor published a subset of the stolen data on their website on the dark web but the legitimacy of the source code breach was inconclusive.

Egregor is one of many cyber threats that have taken advantage of the sudden mass dependency on digital infrastructures brought about by the pandemic. Some of these threats are even specifically targeting the healthcare sector, which could have devastating consequences for Covid-19 patients.

Egregor operates on a ransomware as a service model.

What is Ransomware as a Service (Raas)?

Ransomware as a Service (RaaS) is an adoption of the Software as a Service model (SaaS). model. Criminal affiliates subscribe to the ransomware software empowering even the most novel hackers to launch devastating and highly-complex ransomware attacks.

Because ransomware affiliates are paid prodigious dividends for each successful cyberattack, they are motivated to spread the malicious software, rapidly scaling the ransomware operation over a short period of time. Egregor's swift global expansion is evidence of this successful growth strategy.

What is Egregor Ransomware?

Egregor ransomware is a form of malware that's a modification of both Sekhmet ransomware and Maze ransomware.  There are code similarities across all three ransomware variants, they also all seem to target the same victim demographic.

egregor global prevalence
Egregor ransomware victim demographic and targeted industries - Source: bleepingcomputer.com

Egregor ransomware attacks are characterized by their brutal, yet highly effective double-extortion tactics. The cybercrime group breaches sensitive data, encrypting it so that it cannot be accessed by the victim. They then publish a subset of the compromised data on the dark web as proof of the successful exfiltration.

The victim is then instructed in a ransom note to pay a set price within 3 days to prevent further personal data from being published on the criminal infested network. If the ransom price is paid before the ultimatum, full decryption of the seized data takes place.

egregor ransom note
Egregor ransom note - source: bleepingcomputer.com

How Does Egregor Ransomware Work?

Egregor ransomware, like all ransomware, is injected into a victim via a loader. This loader and the subsequently installed ransomware undergoes extensive code obfuscation to mitigate static analysis and the possibility of decryption. The Egregor payload can only be analyzed by entering the same command line used to run the payload.

After a successful breach, the Egregor ransomware manipulates the victim's firewall settings to enable Remote Desktop Protocol (RDP). The software meticulously moves throughout the victim's network, clandestinely identifying and disabling all anti-virus software.

With all defenses disarmed, the Egregor ransomware encrypts all of the breached data and inserts a ransom note titled "RECOVER-FILES.txt" into all compromised folders.

Victims are instructed to download a dark web browser to communicate with the threat actors via a dedicated landing page on the dark web.

egregor landing page dark web
Egregor victim communication landing page on the dark web

Egregor Ransomware Threat Mitigation

Because Egregor ransomware is a novel threat, cybersecurity experts are still in the process of understanding exactly how the threat operates. The following mitigation suggestions have been garnished from the analysis of security teams to date.

  • Monitor for Qakbot, Ursnif, and IceID malware infections

    Commodity malware such as Qakbot, Ursnif, and IceID have been observed to inject Egregor ransomware as a secondary payload.  If you identify these threats internally, or within your vendor network, immediate remediation is critical.
  • Educate all staff on the signs of phishing attacks.

    Phishing attacks are a common attack vector for injecting ransomware. They could create a gateway for Egregor ransomware, or any of its sister payloads - QakBot, Uesnif, and IceID malware.

    You should ensure your staff is aware of all the signs of a phishing attack and a clickjacking attack.

  • Set all anti-virus profiles to block all decoders, besides POP3 and IMAP.
  • Disable all remote access capabilities
  • Continuously monitor your security posture to strengthen all vulnerabilities.
  • Append an anti-virus profile to all security policies
  • Implement zone protection policies for all zones
  • Implement information security policies to all traffic from untrusted sources.
  • All security policies permitting traffic that contain "Service setting of ANY" should be removed

Is your business at risk of an Egregor ransomware attack?

Egregor is still just a new player in the cybercrime arena. Their initial attacks are already devastating and with such a sophisticated group of threat actors running the dark operation, the worst is still yet to come.

At UpGuard we can help you strengthen your security posture to effectively defend against ransomware attacks. Our patented cybersecurity technology also continuously monitors for vulnerabilities with third-party risk assessment software from compromised vendors.

Related posts

Learn more about the latest issues in cybersecurity.
Cybersecurity

Risk Automations: The Shift From Catch-Up to Command

Connect intelligence to system execution with Risk Automations, your new resolution layer for risk. Reduce remediation from hours to seconds - read more.
Revashni Moodley
Revashni Moodley
December 1, 2025
Cybersecurity

Shai-Hulud's True Lesson for CISOs: A Crisis of Communication

Shai-Hulud was driven by a communication crisis between security and engineering. Get a CISO's perspective on how to finally bridge this gap.
Phil Ross
Phil Ross
December 1, 2025
Cybersecurity

UpGuard’s Updated Cyber Risk Ratings

Discover UpGuard's updates to its cyber risk ratings, including enhanced risk categorization and an improved scoring algorithm.
Nicholas Sollitto
Nicholas Sollitto
July 2, 2025
Cybersecurity

Introducing UpGuard's New SIG Lite Questionnaire

Streamline your data collection and vendor risk assessments with UpGuard’s SIG Lite risk-mapped questionnaire.
Caitlin Postal
Caitlin Postal
June 26, 2025
Attack Surface Management

Typosquatting Explained with Real-World Examples

Learn more about typosquatting, what it is, how it works, and how to protect your business. Explore legal strategies, tools, and real-world examples here.
Abi Tyas Tunggal
Abi Tyas Tunggal
December 1, 2025
Cybersecurity

Why is Cybersecurity Important?

If your business isn't concerned about cybersecurity, it's only a matter of time before you're an attack victim. Learn why cybersecurity is important.
Abi Tyas Tunggal
Abi Tyas Tunggal
December 1, 2025
All posts