The Egregor takedown: New tactics to battle ransomware groups show promise

Law enforcement officials from Ukraine, France and the U.S. this month cracked down on the Egregor ransomware gang, shutting down its leak website, seizing computers and arresting individuals who are allegedly linked to ransomware attacks that netted $80 million in illicit profits from more than 150 victimized companies.

Early reports indicated that the apprehended suspects are affiliates who allegedly purchased access to the Egregor ransomware-as-a-service (RaaS) on the dark web, agreeing to share any profits from their attacks with the malware’s main operators and distributors. However, a Feb. 17 press release from the Security Service of Ukraine suggests that at least one ringleader may also have been rounded up. The Google translation leaves room for interpretation, but the release states that “the members of the specified hacker group, including the organizer, were informed about the suspicion of committing criminal offenses.”

While landing the main culprits behind Egregor would constitute a major coup, oftentimes malware ringleaders are cloistered away in countries where they cannot be touched or extradited and cooperation is scarce. That’s why – regardless of whether or not Egregor’s main developers were successfully targeted by law enforcement – the approach of also going after affiliates is an intriguing strategy.

Indeed, the high-profile crackdown on Egregor comes just a week or so after a similar operation against the NetWalker RaaS offering, during which alleged affiliate operative Sebastien Vachon-Desjardins was arrested in Canada.

These latest actions perhaps suggest that law enforcement operatives and their partnering cyber forensic investigators and researchers have come to the conclusion that pursuing ransomware affiliates can serve as an effective deterrent strategy that also indirectly hurts the main operators’ bottom line. SC Media asked several ransomware and cybercrime experts if they believe this approach will prove to be effective.

“If law enforcement can make a big enough impact on ransomware affiliates, it could certainly act as a deterrent,” said Jamie Hart, cyber threat intelligence analyst at Digital Shadows. “Affiliates would understandably not want to be the only ones taking the fall for ransomware activity.”

“If the operators of these groups – NetWalker and Egregor – attempt to resume operations, they may be less likely to attract new affiliates due to recent arrests,” she continued. “However, it would have to get to a point where the risk of being caught outweighed the monetary reward they see in successful attacks.”

Allan Liska, senior security architect at Recorded Future, also thinks it’s a viable enforcement strategy, noting that so far there have been no new reported NetWalker attacks since the website takedown and affiliate arrest. He also suggested that affiliates who cooperate with prosecutors could help authorities land an even bigger fish later.

“Affiliates often possess sensitive information about the RaaS operators, so targeting them as well as the people who the RaaS operators buy services from – e.g. bulletproof hosting providers – puts law enforcement one step closer to the RaaS operators,” Liska said.

“These operations appear to have been thorough and effective, hopefully creating a blueprint for faster action in the future,” Liska continued. “What will be interesting to see as more information comes out about these cases is how much the affiliate model, which is core to the success of so many ransomware variants, actually left the RaaS operators more exposed to law enforcement and wound up being their downfall.”

Count Intel 471 among the firms that believe that Egregor leadership was swept up in the raid in addition to affiliate members.

A blog post published yesterday by cybercrime intelligence firm Intel 471 states that the law enforcement raid “hit Egregor hard,” noting that one associate of the ransomware “appears to have deactivated his profile on one of the most popular forums on the cybercriminal underground.”

Claiming such prominent victims as Barnes and Noble, Kmart and Ubisoft, Egregor began emerging as a significant player around the same time that the Maze ransomware gang announced it was shutting down – and experts have noted meaningful links between the two cybercrime organizations. According to Intel 471, “It is widely believed among threat intelligence professionals that a large portion of the affiliates that were attached to Maze followed the move to Egregor. Members of those affiliate programs were either raided or arrested last week.”

Mark Arena, CEO of Intel 471, said that law enforcement must continue to pursue both affiliates and ringleaders. Going after just one group isn’t enough.

“We expect that if there’s law enforcement action against affiliates of a ransomware service only, that new affiliates and customers for the ransomware service will be eventually found,” said Arena. “If there’s law enforcement action against the operators of a ransomware service only, we expect that the affiliates will move to another ransomware service.”

Time will tell how these latest moves shake up the landscape, but there is some precedent for ransomware operators bailing when the heat gets turned up. Indeed, just this month operators of the Ziggy ransomware shut down their operations, citing concern over a recent surge in law enforcement activity, which also included a takedown of the Emotet botnet.

“They also handed us their keys so we could create a decryptor enabling past victims to recover their data,” said Brett Callow, security analyst at Emsisoft, noting that about 1,000 businesses had been affected.

Another ransomware gang, Fonix, also called it quits this month due to a supposed guilty conscience. “These were largely unsuccessful ransomware strains, but the fact that these operators decided it was no longer worth it may be a telling trend,” said Liska.

SC Media asked the experts if there were also indications on dark web cybercrime forums that wannabe bad actors have been spooked by all the recent law enforcement crackdowns.

“Given the Egregor ransomware arrests are so recent, it is still unclear what the overall impact will be,” said Hart. “There doesn't seem to be much reaction publicly to the arrests in criminal forums of late, but the news is definitely on threat actors' radar. The current impact appears to be on smaller ransomware operations, but if more affiliates get skittish it could impact larger ransomware groups.”

“We’re not currently seeing too much public activity across forums in regards to Egregor arrests,” said Arena. But “that is not unexpected – both operators and affiliates typically keep a low profile in public discussions in order not to associate themselves with particular criminal actions.”

Liska said the NetWalker and Egregor takedowns resulted in some limited forum chatter, but it was the takedown of Emotet that actually generated a lot of dark web discussion. “Many in the underground thought they were untouchable, so there has been a lot of speculation about what the takedown means.”

So does the recent string of wins against Emotet, NetWalker and Egregor signify a more aggressive posture on the part of law enforcement, or is the convergence of these events largely a coincidence? It’s hard to say.

“Cybercrime investigations are typically long, protracted and involve significant international coordination and liaison,” said Arena. “The financial and business impact of ransomware to organizations has also significantly increased over the last year or two and we believe that this law enforcement action is in response to this rather than any kind of coordinated action against multiple ransomware groups at the same time.”

Regardless, “To see so many arrests made in a short period of time… is unusual and a positive development,” said Callow, noting a 2018 statistic from the think tank Third Way that placed the estimated effective enforcement rate of cybercrime incidents (reported and unreported) at roughly 0.05%. “Which means ransomware groups have been operating with almost complete impunity.”

But perhaps that is changing, if only incrementally.

“The recent successes by law enforcement have shown that global cooperation has proven effective against some of these high-profile groups,” said Hart. “It is realistically possible that continued collaboration and focus on cybercrime could impact the overall landscape.”

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects, often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.