Egregor Ransomware

Chris Swagler | August 23rd, 2021


According to BleepingComputer, Crytek, a game development and publishing company, confirmed that its network was breached by a then-unidentified ransomware group that encrypted systems and stole files containing customers’ personal information. A later investigation identified the group as Egregor ransomware.

Details of Egregor Ransomware Attack

Crytek sent breach notification letters to affected individuals explaining that the company had been the victim of a ransomware attack by unknown cybercriminals and that certain data on its network had been encrypted and stolen. Crytek responded immediately, preventing further encryption of its systems, securing its environment, and launching internal and external investigations into the breach.

Crytek stated, “Based on our investigation, the information in some cases included individuals’ first and last name, job title, company name, email, business address, phone number and country.”

Crytek notes that downloading the leaked data would take a long time and discourages people from attempting it because of the high risk that malware embedded in the documents compromises their systems. That may deter an average user with no experience collecting leaked data, but it would not deter threat actors who specialize in obtaining it. When a breach occurs, it’s important to have a security team who can pinpoint exactly what happened.

In this situation, SpearTip’s engineers would conduct a thorough investigation enabling your organization to relay the right information to affected customers. It’s crucial to be specific and precise because it’s your clients’ data that has been leaked, and your ability to retain them as customers is what increases your business profit.

Files on Crytek’s systems were encrypted and renamed with the ‘.CRYTEK’ extension. Egregor published the stolen data on its data leak site, including WarFace files and network operations information.

Egregor has attacked several well-known companies in the past, including Barnes and Noble, Kmart, Cencosud, Randstad, and Vancouver’s TransLink metro system.

Several Egregor ransomware group members were arrested in Ukraine in February 2021 after a joint French and Ukrainian law enforcement operation. French authorities traced the ransom payments to individuals in Ukraine and arrested members responsible for implementing the ransomware.

In September 2020, Egregor began ransomware-as-a-service operations with experienced threat actors from the defunct Maze ransomware group.

SpearTip’s highly technical engineers enable our 24/7 Security Operations Center as a Service to continuously monitor your organization’s networks. This 24/7 presence allows us to continually investigate incidents with precision to provide your team with the answers they need to progress past an attack, recover networks, and explain the incident with accuracy to any customers who may have been affected.

The last thing you want to do in a crisis situation is provide information to your customers that isn’t accurate. SpearTip’s team ensures you’re completely transparent when disclosing information and can protect your networks proactively with our ShadowSpear platform. Although our incident response practices are beneficial after a breach, being proactive is the best way to avoid the breach in the first place. We’ll find the weak points in your systems with our assessments and provide actionable solutions to improve your organization’s security posture.

As part of this proactive protection, ShadowSpear gives your team a direct connection with our engineers as well as a completely transparent, real-time view of your risk profile and potential threats.

If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.
