Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

2/17/2021
06:30 PM
50%
50%

Egregor Arrests a Blow, but Ransomware Will Likely Bounce Back

Similar to previous ransomware takedowns, this disruption to the ransomware-as-a-service model will likely be short-lived, security experts say.

A collaborative law enforcement operation between French and Ukrainian authorities has led to the arrests of several suspected cybercriminals behind a major ransomware operation known as Egregor, sources stated on Wednesday.

The arrests of multiple Ukrainian nationals by Ukrainian and French authorities, which occurred last week, came as the group's data-leak site also suffered an outage, security firm Digital Shadows reports. While the one-two punch will likely hobble the operation in the short term, ransomware operations usually bounce back after a time.

Related Content:

Trickbot Tenacity Shows Infrastructure Resistant to Takedowns

Special Report: Understanding Your Cyber Attackers

New From The Edge: Breach Etiquette: How to Mind Your Manners When It Matters

These arrests underscore the growing pattern of law enforcement agencies' success in pursuing charges against some cybercrime gangs, says Jamie Hart, cyber threat intelligence analyst for Digital Shadows.

"Since the beginning of 2021, seeing law enforcement coordinate to take down NetWalker, take down Emotet, and now they have taken down Egregor — it shows the cooperation is improving and law enforcement are getting the hang of this," she says.

Officials' arrests of several people suspected of ties to the Egregor ransomware-as-a-service operation is the latest success. In January, the US Department of Justice arrested a Canadian national and seized almost $500,000 in cryptocurrency as part of their investigation into the Netwalker ransomware operation. A day earlier, an international alliance of law enforcement agencies shut down the Emotet botnet by taking over the infrastructure its operators used.

Yet, even with a handful of major operations disrupted, large ransomware campaigns will likely not be hobbled for long. When authorities and private industry collaborated to take down the Trickbot botnet, its attackers continued to operate, albeit at a more moderate pace. 

"These are great examples of what can happen when law enforcement and the private sector cooperate in taking down major malware actors," says Sean Gallagher, senior researcher at anti-malware firm Sophos. "That said, they're temporary. If you take down an affiliate or you take down the infrastructure provider and you don't get the developer — the only way to kill this snake is to cut off its head. So if you don't get the developers, it is going to come back."

It's unclear whether the operation against the group behind Egregor managed to get the head of that particular "snake". Last week, Ukrainian and French authorities arrested multiple suspected members of the Egregor group, which is thought to be behind attacks on several hundred organizations, according to an article in the publication, France Inter

The cooperation between law enforcement agencies bodes well for the future, says Michael Gorelik, chief technology officer for security firm Morphisec.

"We have much better sharing of information today than ever before," he says. "The fact that you have multiple vendors, including us, cooperating together and sharing information with each other and the authorities, has helped a lot. These actors make mistakes all the time, and we can capitalize on those."

Egregor has assiduously stuck to a ransomware tactic known as "double extortion," in which attackers not only encrypt critical enterprise data, but also threaten to publicly release it. Most ransomware groups have adopted the tactic, hosting data-leak sites where the stolen information is posted. 

Egregor's data-leak site, however, has experienced disruptions since early this year, according to both Digital Shadows and Sophos.

"I do know that their site is now down," Digital Shadows' Hart says. "It has been up and down since the beginning of the year, so I'm not sure if this has to do with the arrests, or if that is something that is happening for another reason."

While security experts do not expect these arrests to have a long-term impact, there is one effort that could turn ransomware unprofitable: making ransom payments illegal. The US Treasury Department has already issued a rule under the Office of Foreign Asset Control (OFAC) stating payments to sanctioned entities could violate OFAC regulations, as the funds could then be used against the United States. 

Morphisec's Gorelik points out that a broader implementation of that rule could dramatically reduce the incentive for cybercriminals to target US companies.

"Preventing the payments or having a restriction on payments — that definitely has an impact on malware operators," he says. "If you are forbidden to pay, it does not make sense to attack you."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7856
PUBLISHED: 2021-04-20
A vulnerability of Helpcom could allow an unauthenticated attacker to execute arbitrary command. This vulnerability exists due to insufficient authentication validation.
CVE-2021-28793
PUBLISHED: 2021-04-20
vscode-restructuredtext before 146.0.0 contains an incorrect access control vulnerability, where a crafted project folder could execute arbitrary binaries via crafted workspace configuration.
CVE-2021-25679
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** The AdTran Personal Phone Manager software is vulnerable to an authenticated stored cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed....
CVE-2021-25680
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** The AdTran Personal Phone Manager software is vulnerable to multiple reflected cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed. Only...
CVE-2021-25681
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** AdTran Personal Phone Manager 10.8.1 software is vulnerable to an issue that allows for exfiltration of data over DNS. This could allow for exposed AdTran Personal Phone Manager web servers to be used as DNS redirectors to tunnel arbitrary data over DNS. NOTE: The aff...