
Attacks/Breaches

2/17/2021 06:30 PM

Egregor Arrests a Blow, but Ransomware Will Likely Bounce Back

Similar to previous ransomware takedowns, this disruption to the ransomware-as-a-service model will likely be short-lived, security experts say.

A collaborative law enforcement operation between French and Ukrainian authorities has led to the arrests of several suspected cybercriminals behind a major ransomware operation known as Egregor, sources stated on Wednesday.

The arrests of multiple Ukrainian nationals by Ukrainian and French authorities, which occurred last week, came as the group's data-leak site also suffered an outage, security firm Digital Shadows reports. While the one-two punch will likely hobble the operation in the short term, ransomware operations usually bounce back after a time.


These arrests underscore the growing pattern of law enforcement agencies' success in pursuing charges against some cybercrime gangs, says Jamie Hart, cyber threat intelligence analyst for Digital Shadows.

"Since the beginning of 2021, seeing law enforcement coordinate to take down NetWalker, take down Emotet, and now they have taken down Egregor — it shows the cooperation is improving and law enforcement are getting the hang of this," she says.

The arrests of several people suspected of ties to the Egregor ransomware-as-a-service operation are the latest success. In January, the US Department of Justice arrested a Canadian national and seized almost $500,000 in cryptocurrency as part of its investigation into the NetWalker ransomware operation. A day earlier, an international alliance of law enforcement agencies shut down the Emotet botnet by taking over the infrastructure its operators used.

Yet, even with a handful of major operations disrupted, large ransomware campaigns will likely not be hobbled for long. When authorities and private industry collaborated to take down the Trickbot botnet, its operators continued to attack, albeit at a more moderate pace.

"These are great examples of what can happen when law enforcement and the private sector cooperate in taking down major malware actors," says Sean Gallagher, senior researcher at anti-malware firm Sophos. "That said, they're temporary. If you take down an affiliate or you take down the infrastructure provider and you don't get the developer — the only way to kill this snake is to cut off its head. So if you don't get the developers, it is going to come back."

It's unclear whether the operation against the group behind Egregor managed to get the head of that particular "snake." Last week, Ukrainian and French authorities arrested multiple suspected members of the Egregor group, which is thought to be behind attacks on several hundred organizations, according to an article in the publication France Inter.

The cooperation between law enforcement agencies bodes well for the future, says Michael Gorelik, chief technology officer for security firm Morphisec.

"We have much better sharing of information today than ever before," he says. "The fact that you have multiple vendors, including us, cooperating together and sharing information with each other and the authorities, has helped a lot. These actors make mistakes all the time, and we can capitalize on those."

Egregor has assiduously stuck to a ransomware tactic known as "double extortion," in which attackers not only encrypt critical enterprise data but also threaten to publicly release it. Most ransomware groups have adopted the tactic, hosting data-leak sites where the stolen information is posted.

Egregor's data-leak site, however, has experienced disruptions since early this year, according to both Digital Shadows and Sophos.

"I do know that their site is now down," Digital Shadows' Hart says. "It has been up and down since the beginning of the year, so I'm not sure if this has to do with the arrests, or if that is something that is happening for another reason."

While security experts do not expect these arrests to have a long-term impact, there is one effort that could make ransomware unprofitable: making ransom payments illegal. The US Treasury Department has already issued a rule under the Office of Foreign Assets Control (OFAC) stating that payments to sanctioned entities could violate OFAC regulations, as the funds could then be used against the United States.

Morphisec's Gorelik points out that a broader implementation of that rule could dramatically reduce the incentive for cybercriminals to target US companies.

"Preventing the payments or having a restriction on payments — that definitely has an impact on malware operators," he says. "If you are forbidden to pay, it does not make sense to attack you."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...