Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:30 PM

Egregor Arrests a Blow, but Ransomware Will Likely Bounce Back

Similar to previous ransomware takedowns, this disruption to the ransomware-as-a-service model will likely be short-lived, security experts say.

A collaborative law enforcement operation between French and Ukrainian authorities has led to the arrests of several suspected cybercriminals behind a major ransomware operation known as Egregor, sources stated on Wednesday.

The arrests of multiple Ukrainian nationals by Ukrainian and French authorities, which occurred last week, came as the group's data-leak site also suffered an outage, security firm Digital Shadows reports. While the one-two punch will likely hobble the operation in the short term, ransomware operations usually bounce back after a time.

Related Content:

Trickbot Tenacity Shows Infrastructure Resistant to Takedowns

Special Report: Understanding Your Cyber Attackers

New From The Edge: Breach Etiquette: How to Mind Your Manners When It Matters

These arrests underscore the growing pattern of law enforcement agencies' success in pursuing charges against some cybercrime gangs, says Jamie Hart, cyber threat intelligence analyst for Digital Shadows.

"Since the beginning of 2021, seeing law enforcement coordinate to take down NetWalker, take down Emotet, and now they have taken down Egregor — it shows the cooperation is improving and law enforcement are getting the hang of this," she says.

Officials' arrests of several people suspected of ties to the Egregor ransomware-as-a-service operation is the latest success. In January, the US Department of Justice arrested a Canadian national and seized almost $500,000 in cryptocurrency as part of their investigation into the Netwalker ransomware operation. A day earlier, an international alliance of law enforcement agencies shut down the Emotet botnet by taking over the infrastructure its operators used.

Yet, even with a handful of major operations disrupted, large ransomware campaigns will likely not be hobbled for long. When authorities and private industry collaborated to take down the Trickbot botnet, its attackers continued to operate, albeit at a more moderate pace. 

"These are great examples of what can happen when law enforcement and the private sector cooperate in taking down major malware actors," says Sean Gallagher, senior researcher at anti-malware firm Sophos. "That said, they're temporary. If you take down an affiliate or you take down the infrastructure provider and you don't get the developer — the only way to kill this snake is to cut off its head. So if you don't get the developers, it is going to come back."

It's unclear whether the operation against the group behind Egregor managed to get the head of that particular "snake". Last week, Ukrainian and French authorities arrested multiple suspected members of the Egregor group, which is thought to be behind attacks on several hundred organizations, according to an article in the publication, France Inter

The cooperation between law enforcement agencies bodes well for the future, says Michael Gorelik, chief technology officer for security firm Morphisec.

"We have much better sharing of information today than ever before," he says. "The fact that you have multiple vendors, including us, cooperating together and sharing information with each other and the authorities, has helped a lot. These actors make mistakes all the time, and we can capitalize on those."

Egregor has assiduously stuck to a ransomware tactic known as "double extortion," in which attackers not only encrypt critical enterprise data, but also threaten to publicly release it. Most ransomware groups have adopted the tactic, hosting data-leak sites where the stolen information is posted. 

Egregor's data-leak site, however, has experienced disruptions since early this year, according to both Digital Shadows and Sophos.

"I do know that their site is now down," Digital Shadows' Hart says. "It has been up and down since the beginning of the year, so I'm not sure if this has to do with the arrests, or if that is something that is happening for another reason."

While security experts do not expect these arrests to have a long-term impact, there is one effort that could turn ransomware unprofitable: making ransom payments illegal. The US Treasury Department has already issued a rule under the Office of Foreign Asset Control (OFAC) stating payments to sanctioned entities could violate OFAC regulations, as the funds could then be used against the United States. 

Morphisec's Gorelik points out that a broader implementation of that rule could dramatically reduce the incentive for cybercriminals to target US companies.

"Preventing the payments or having a restriction on payments — that definitely has an impact on malware operators," he says. "If you are forbidden to pay, it does not make sense to attack you."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-14
An HTTP Request Smuggling vulnerability in Pulse Secure Virtual Traffic Manager before 21.1 could allow an attacker to smuggle an HTTP request through an HTTP/2 Header. This vulnerability is resolved in 21.1, 20.3R1, 20.2R1, 20.1R2, 19.2R4, and 18.2R3.
PUBLISHED: 2021-05-14
Hexagon G!nius Auskunftsportal before allows SQL injection via the GiPWorkflow/Service/DownloadPublicFile id parameter.
PUBLISHED: 2021-05-13
Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection.
PUBLISHED: 2021-05-13
The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the ca...
PUBLISHED: 2021-05-13
Bitcoin Core 0.12.0 through 0.21.1 does not properly implement the replacement policy specified in BIP125, which makes it easier for attackers to trigger a loss of funds, or a denial of service attack against downstream projects such as Lightning network nodes. An unconfirmed child transaction with ...