Egregor Ransomware

SpearTip | February 15th, 2021


After the Maze ransomware group announced its “retirement”, it was widely speculated among security researchers that the group had rebranded into a better version of itself, which became the Egregor ransomware. Tracking of Egregor by different security firms and organizations ranks it at the top of ransomware activity in Q4, and the combined Maze and Egregor ransom collections total at least $40 million, making it one of the most profitable threat groups in the world.

Egregor Ransomware Members Arrested

Fortunately, members of the Egregor ransomware organization were arrested in Ukraine this week. The investigation is still developing. The arrested affiliates helped the group with intrusion, logistical, and financial support. Egregor’s data leak site, which publishes victim information as a double-extortion method to pressure victims into paying, has been offline since Friday. In addition to the leak site, the group’s command and control (C2) server is also offline.

Law enforcement and international agencies have been busy of late. With the recent disruptions to Emotet, NetWalker, and U-Admin services, the threat landscape is surely shifting. It’s important to note that the eradication of these threat groups all at once is not very likely, considering their affiliates are often spread across many different locations or countries.

Although the apprehension of these individuals and the dismantling of threat-group infrastructure is excellent news for organizations across the globe, the relief may be short-lived. Many other threat actors will look to take advantage of the gap created. In addition to these lurking threat actors, new vulnerabilities are discovered daily, and there are still numerous organizations that do not have the capacity to keep up with these changes and secure their environments correctly.

This is why investing in a SOC as a Service (SOCaaS) from a firm like SpearTip is a great way to successfully combat threat actors and protect your organization for the future. The SOC runs 24/7 and is fully staffed with certified security engineers and analysts. Our developers created ShadowSpear® to monitor endpoints and neutralize threats. It’s an instantly deployable program with three modules for complete protection of your network. Identify advanced threats. Neutralize invasive malware. Counter your adversary.

Most ransomware attacks happen because end users click malicious links or attachments. ShadowSpear® identifies threats with constant email monitoring and will stop malware executables from running on your machines if they are clicked. Relying on technology alone can’t completely guarantee the safety of your networks, so our engineers, monitoring networks every second of the day, provide an added layer of defense to stop threats and react in real time.

SpearTip’s cyber experts continuously monitor environments 24/7 in our US-based Security Operations Center. Our certified engineers work in unison with our proprietary endpoint detection and response tool, ShadowSpear®. This allows your organization to have direct communication with our engineers at any moment and a completely transparent view of your risk profile.

If you are experiencing a breach, please call our Security Operations Center at 833.997.7327.
