Egregor Arrests a Blow, but Ransomware Will Likely Bounce Back

Similar to previous ransomware takedowns, this disruption to the ransomware-as-a-service model will likely be short-lived, security experts say.

4 Min Read

A collaborative law enforcement operation between French and Ukrainian authorities has led to the arrests of several suspected cybercriminals behind a major ransomware operation known as Egregor, sources stated on Wednesday.

The arrests of multiple Ukrainian nationals by Ukrainian and French authorities, which occurred last week, came as the group's data-leak site also suffered an outage, security firm Digital Shadows reports. While the one-two punch will likely hobble the operation in the short term, ransomware operations usually bounce back after a time.

These arrests underscore the growing pattern of law enforcement agencies' success in pursuing charges against some cybercrime gangs, says Jamie Hart, cyber threat intelligence analyst for Digital Shadows.

"Since the beginning of 2021, seeing law enforcement coordinate to take down NetWalker, take down Emotet, and now they have taken down Egregor — it shows the cooperation is improving and law enforcement are getting the hang of this," she says.

Officials' arrests of several people suspected of ties to the Egregor ransomware-as-a-service operation is the latest success. In January, the US Department of Justice arrested a Canadian national and seized almost $500,000 in cryptocurrency as part of their investigation into the Netwalker ransomware operation. A day earlier, an international alliance of law enforcement agencies shut down the Emotet botnet by taking over the infrastructure its operators used.

Yet, even with a handful of major operations disrupted, large ransomware campaigns will likely not be hobbled for long. When authorities and private industry collaborated to take down the Trickbot botnet, its attackers continued to operate, albeit at a more moderate pace. 

"These are great examples of what can happen when law enforcement and the private sector cooperate in taking down major malware actors," says Sean Gallagher, senior researcher at anti-malware firm Sophos. "That said, they're temporary. If you take down an affiliate or you take down the infrastructure provider and you don't get the developer — the only way to kill this snake is to cut off its head. So if you don't get the developers, it is going to come back."

It's unclear whether the operation against the group behind Egregor managed to get the head of that particular "snake". Last week, Ukrainian and French authorities arrested multiple suspected members of the Egregor group, which is thought to be behind attacks on several hundred organizations, according to an article in the publication, France Inter

The cooperation between law enforcement agencies bodes well for the future, says Michael Gorelik, chief technology officer for security firm Morphisec.

"We have much better sharing of information today than ever before," he says. "The fact that you have multiple vendors, including us, cooperating together and sharing information with each other and the authorities, has helped a lot. These actors make mistakes all the time, and we can capitalize on those."

Egregor has assiduously stuck to a ransomware tactic known as "double extortion," in which attackers not only encrypt critical enterprise data, but also threaten to publicly release it. Most ransomware groups have adopted the tactic, hosting data-leak sites where the stolen information is posted. 

Egregor's data-leak site, however, has experienced disruptions since early this year, according to both Digital Shadows and Sophos.

"I do know that their site is now down," Digital Shadows' Hart says. "It has been up and down since the beginning of the year, so I'm not sure if this has to do with the arrests, or if that is something that is happening for another reason."

While security experts do not expect these arrests to have a long-term impact, there is one effort that could turn ransomware unprofitable: making ransom payments illegal. The US Treasury Department has already issued a rule under the Office of Foreign Asset Control (OFAC) stating payments to sanctioned entities could violate OFAC regulations, as the funds could then be used against the United States. 

Morphisec's Gorelik points out that a broader implementation of that rule could dramatically reduce the incentive for cybercriminals to target US companies.

"Preventing the payments or having a restriction on payments — that definitely has an impact on malware operators," he says. "If you are forbidden to pay, it does not make sense to attack you."

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights