Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:30 PM

Egregor Arrests a Blow, but Ransomware Will Likely Bounce Back

Similar to previous ransomware takedowns, this disruption to the ransomware-as-a-service model will likely be short-lived, security experts say.

A collaborative law enforcement operation between French and Ukrainian authorities has led to the arrests of several suspected cybercriminals behind a major ransomware operation known as Egregor, sources stated on Wednesday.

The arrests of multiple Ukrainian nationals by Ukrainian and French authorities, which occurred last week, came as the group's data-leak site also suffered an outage, security firm Digital Shadows reports. While the one-two punch will likely hobble the operation in the short term, ransomware operations usually bounce back after a time.

Related Content:

Trickbot Tenacity Shows Infrastructure Resistant to Takedowns

Special Report: Understanding Your Cyber Attackers

New From The Edge: Breach Etiquette: How to Mind Your Manners When It Matters

These arrests underscore the growing pattern of law enforcement agencies' success in pursuing charges against some cybercrime gangs, says Jamie Hart, cyber threat intelligence analyst for Digital Shadows.

"Since the beginning of 2021, seeing law enforcement coordinate to take down NetWalker, take down Emotet, and now they have taken down Egregor — it shows the cooperation is improving and law enforcement are getting the hang of this," she says.

Officials' arrests of several people suspected of ties to the Egregor ransomware-as-a-service operation is the latest success. In January, the US Department of Justice arrested a Canadian national and seized almost $500,000 in cryptocurrency as part of their investigation into the Netwalker ransomware operation. A day earlier, an international alliance of law enforcement agencies shut down the Emotet botnet by taking over the infrastructure its operators used.

Yet, even with a handful of major operations disrupted, large ransomware campaigns will likely not be hobbled for long. When authorities and private industry collaborated to take down the Trickbot botnet, its attackers continued to operate, albeit at a more moderate pace. 

"These are great examples of what can happen when law enforcement and the private sector cooperate in taking down major malware actors," says Sean Gallagher, senior researcher at anti-malware firm Sophos. "That said, they're temporary. If you take down an affiliate or you take down the infrastructure provider and you don't get the developer — the only way to kill this snake is to cut off its head. So if you don't get the developers, it is going to come back."

It's unclear whether the operation against the group behind Egregor managed to get the head of that particular "snake". Last week, Ukrainian and French authorities arrested multiple suspected members of the Egregor group, which is thought to be behind attacks on several hundred organizations, according to an article in the publication, France Inter

The cooperation between law enforcement agencies bodes well for the future, says Michael Gorelik, chief technology officer for security firm Morphisec.

"We have much better sharing of information today than ever before," he says. "The fact that you have multiple vendors, including us, cooperating together and sharing information with each other and the authorities, has helped a lot. These actors make mistakes all the time, and we can capitalize on those."

Egregor has assiduously stuck to a ransomware tactic known as "double extortion," in which attackers not only encrypt critical enterprise data, but also threaten to publicly release it. Most ransomware groups have adopted the tactic, hosting data-leak sites where the stolen information is posted. 

Egregor's data-leak site, however, has experienced disruptions since early this year, according to both Digital Shadows and Sophos.

"I do know that their site is now down," Digital Shadows' Hart says. "It has been up and down since the beginning of the year, so I'm not sure if this has to do with the arrests, or if that is something that is happening for another reason."

While security experts do not expect these arrests to have a long-term impact, there is one effort that could turn ransomware unprofitable: making ransom payments illegal. The US Treasury Department has already issued a rule under the Office of Foreign Asset Control (OFAC) stating payments to sanctioned entities could violate OFAC regulations, as the funds could then be used against the United States. 

Morphisec's Gorelik points out that a broader implementation of that rule could dramatically reduce the incentive for cybercriminals to target US companies.

"Preventing the payments or having a restriction on payments — that definitely has an impact on malware operators," he says. "If you are forbidden to pay, it does not make sense to attack you."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-14
An invalid free in Thrift's table-based serialization can cause the application to crash or potentially result in code execution or other undesirable effects. This issue affects Facebook Thrift prior to v2021.02.22.00.
PUBLISHED: 2021-04-13
A UXSS was discovered in the Thanos-Soft Cheetah Browser in Android 1.2.0 due to the inadequate filter of the intent scheme. This resulted in Cross-site scripting on the cheetah browser in any website.
PUBLISHED: 2021-04-13
The Motorola MH702x devices, prior to version, do not properly verify the server certificate during communication with the support server which could lead to the communication channel being accessible by an attacker.
PUBLISHED: 2021-04-13
A privilege escalation vulnerability in Lenovo Power Management Driver for Windows 10, prior to version, that could allow unauthorized access to the driver's device object.
PUBLISHED: 2021-04-13
A null pointer dereference vulnerability in Lenovo Power Management Driver for Windows 10, prior to version, that could cause systems to experience a blue screen error.