OSINT - AN ANALYSIS OF THE EGREGOR RANSOMWARE
AI Analysis
Technical Summary
Egregor is a ransomware strain analyzed here through open-source intelligence (OSINT) and linked to ransomware families such as REvil (Sodinokibi) and GandCrab, indicating shared technical traits or lineage with those variants. It operates as ransomware-as-a-service (RaaS): affiliates deploy it to encrypt victim files and demand ransom payments in cryptocurrency. It is known for double extortion, in which the attackers exfiltrate sensitive data as well as encrypting it, then threaten publication to pressure victims into paying. No specific affected versions or patches are listed; initial access typically comes through phishing, RDP brute forcing, or exploitation of unpatched systems, after which the operators move laterally through the network, encrypt files, and leave ransom notes demanding payment. The record assigns a medium severity, with a threat level of 2 and an analysis score of 2, indicating moderate sophistication and impact. No known exploits in the wild are documented in this data, but the association with high-profile ransomware families implies significant risk. The record lists no CWEs and only limited technical indicators (file hashes, hosting URLs and one IP address), which limits precise attribution of the vulnerabilities exploited; the linkage to REvil and GandCrab suggests similar attack vectors and payload behavior. Overall, Egregor is a persistent ransomware threat that uses extortion to disrupt organizational operations and compromise data confidentiality and integrity.
Potential Impact
For European organizations, Egregor ransomware poses a substantial risk to data confidentiality, integrity, and availability. Double extortion raises the potential damage by threatening public exposure of sensitive data, which can lead to reputational harm, regulatory penalties under GDPR, and financial loss. Critical sectors such as finance, healthcare, manufacturing, and government are particularly exposed because they depend on continuous data availability and handle sensitive information. Lateral propagation can disrupt entire enterprise networks, halting operations and causing significant downtime. The medium severity rating reflects a moderate but credible threat that escalates once an initial access vector is exploited successfully. European organizations with insufficient patch management, weak remote access controls, or inadequate network segmentation are at higher risk. The association with REvil and GandCrab, both of which have targeted European entities before, underscores the relevance of this threat to the region.
Mitigation Recommendations
To mitigate the risk posed by Egregor ransomware, European organizations should implement targeted controls beyond generic advice:
1) Enforce strict network segmentation to limit lateral movement after a compromise.
2) Harden remote access: disable unnecessary RDP services, enforce multi-factor authentication (MFA), and monitor for brute-force attempts.
3) Conduct regular phishing awareness training tailored to the social engineering tactics currently used by ransomware groups.
4) Maintain robust backups, including offline or immutable copies, so that recovery does not depend on paying the ransom.
5) Deploy endpoint detection and response (EDR) capable of identifying ransomware behaviors such as rapid file encryption and unusual process execution.
6) Monitor network traffic for signs of data exfiltration, since Egregor relies on double extortion.
7) Keep operating systems and applications patched, prioritizing vulnerabilities known to be exploited by the REvil and GandCrab families.
8) Establish incident response plans that specifically address ransomware scenarios, including legal and communication strategies for handling extortion demands.
These measures, combined with continuous threat intelligence monitoring for emerging Egregor indicators, improve resilience against this threat.
Affected Countries
Germany, France, United Kingdom, Italy, Netherlands, Belgium, Spain, Poland
Indicators of Compromise
- url: https://aes.one/files/d/p43/r1jv9967jd1i3kik9knctlok5/35f35ecea4d8a142/
- url: https://aes.one/files/d/pc3/2iopi0o8coob22n8s60pn6b7ps/b6bbf78b901c1fdf/
- url: https://file.io/WmCH77xcKmbJ
- ip: 162.247.74.74 (assigned to a Tor exit node belonging to the Calyx Institute)
- link: https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/EGREGOR%20REPORT%20WEB%20FINAL.pdf
- text: Egregor is considered to be one of the most prolific ransomware threat groups. Yet it gained this reputation in a very short time due to its uncompromising double extortion methodology. In this report, we will provide a detailed and anonymized coverage of Egregor’s tactics, techniques, and procedures (TTPs) following an incident response activity that was conducted at the end of November 2020. The goal of this report is to shed light on some very different techniques for initial access, persistence, and exfiltration than what is typically reported on with respect to the Egregor group. In this report, you will not find any indication of Qbot or Cobalt Strike beacons. Though we are not going to provide an exact attribution, you will find evidence in the report that may indicate a connection to the REvil group. We will provide evidence such as upload accounts, download links, and services that can result in additional community-wide research which hopefully can lead to further conclusions. We invite the research community to share additional insights that may correlate with the published IOCs.
- file: EGREGOR REPORT WEB FINAL.pdf
- hash: d0ab713f502d01ddf73694276f0199db
- file: Salsa.dll
- text: Malicious
- hash: d20cd3f8f0ecc34fa400edf72687b215
- file: Salsa.dll
- text: Malicious
- hash: 3fadbe9038c51c12014818f172e43a7d
- file: 777.exe
- email: tacok79159@tjuln.com
- hash: 3fadbe9038c51c12014818f172e43a7d
- hash: a8d17bd6fcee5b9ce9287f2c6742377b0c24d9d7
- hash: 8faf377f0386ff3cbb39e9131ef03161f7a5c26ef38fb601106898d85ebbfd2c
- datetime: 2021-02-06T03:45:11+00:00
- link: https://www.virustotal.com/gui/file/8faf377f0386ff3cbb39e9131ef03161f7a5c26ef38fb601106898d85ebbfd2c/detection/f-8faf377f0386ff3cbb39e9131ef03161f7a5c26ef38fb601106898d85ebbfd2c-1612583111
- text: 20/69
- file: 32x.exe
- hash: 365aa18cadc5b80a9b5ca5950690c7f8
- file: AnyDesk.exe
- hash: 00283740140dbe5c227bd15733d7a3b6
- file: Supremo.exe
- hash: b04f9b4feac14cff959718b69b7bbeaf
- file: MEGAsyncSetup64.exe
- file: Netscan.exe
- hash: 7af4a442683662b020fd391e26666958
- file: Chromesetup.exe
- hash: fabe184f6721e640474e1497c69ffc98
- file: 7z1900.exe
- hash: 27304b246c7d5b4e149124d5f93c5b01
- file: PsExec.exe
- hash: f41a1afc4cfb95f35cd92da98d90c27b
- file: sdelete.exe
- hash: 365aa18cadc5b80a9b5ca5950690c7f8
- hash: 16c33a2907264382715fba2061e4ff803a41c629
- hash: 4de898c139fb5251479ca6f9ec044cac4d83a2f5d1113b7a4b8f13468a130c97
- datetime: 2021-02-11T19:56:31+00:00
- link: https://www.virustotal.com/gui/file/4de898c139fb5251479ca6f9ec044cac4d83a2f5d1113b7a4b8f13468a130c97/detection/f-4de898c139fb5251479ca6f9ec044cac4d83a2f5d1113b7a4b8f13468a130c97-1613073391
- text: 0/69
- hash: fabe184f6721e640474e1497c69ffc98
- hash: 2f23a6389470db5d0dd2095d64939657d8d3ea9d
- hash: 759aa04d5b03ebeee13ba01df554e8c962ca339c74f56627c8bed6984bb7ef80
- datetime: 2021-02-12T17:18:27+00:00
- link: https://www.virustotal.com/gui/file/759aa04d5b03ebeee13ba01df554e8c962ca339c74f56627c8bed6984bb7ef80/detection/f-759aa04d5b03ebeee13ba01df554e8c962ca339c74f56627c8bed6984bb7ef80-1613150307
- text: 0/68
- hash: 27304b246c7d5b4e149124d5f93c5b01
- hash: e50d9e3bd91908e13a26b3e23edeaf577fb3a095
- hash: 3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
- datetime: 2021-02-12T10:07:36+00:00
- link: https://www.virustotal.com/gui/file/3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef/detection/f-3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef-1613124456
- text: 1/70
- hash: 00283740140dbe5c227bd15733d7a3b6
- hash: a5e9003ff1514ef74fe8e39cb753cbc4f5b0b687
- hash: 5944ff3d734b8d46394a4ca2a89db49bc727f6e2f6fc24142f489e5c5211d20b
- datetime: 2021-02-11T19:53:32+00:00
- link: https://www.virustotal.com/gui/file/5944ff3d734b8d46394a4ca2a89db49bc727f6e2f6fc24142f489e5c5211d20b/detection/f-5944ff3d734b8d46394a4ca2a89db49bc727f6e2f6fc24142f489e5c5211d20b-1613073212
- text: 0/69
- datetime: 2021-02-12T19:08:32+00:00
- link: https://www.virustotal.com/gui/file/8faf377f0386ff3cbb39e9131ef03161f7a5c26ef38fb601106898d85ebbfd2c/detection/f-8faf377f0386ff3cbb39e9131ef03161f7a5c26ef38fb601106898d85ebbfd2c-1613156912
- text: 35/67
- hash: 7af4a442683662b020fd391e26666958
- hash: 226155d4b86497acd3d34f33e93f3d94ef176d0b
- hash: 3592a1d10e880c1a3b8d62d76dc57bd054176c12f77a1b2a3d46721a89a414e9
- datetime: 2021-02-12T18:23:43+00:00
- link: https://www.virustotal.com/gui/file/3592a1d10e880c1a3b8d62d76dc57bd054176c12f77a1b2a3d46721a89a414e9/detection/f-3592a1d10e880c1a3b8d62d76dc57bd054176c12f77a1b2a3d46721a89a414e9-1613154223
- text: 0/70
- hash: f41a1afc4cfb95f35cd92da98d90c27b
- hash: b9c162e7817d7d99720fd97d9f7cab342dd2812a
- hash: 746de8e02f1e64a707ce060a7d851b5d014698ca8692bd7aa945b40e06b01a07
- datetime: 2021-02-02T20:53:27+00:00
- link: https://www.virustotal.com/gui/file/746de8e02f1e64a707ce060a7d851b5d014698ca8692bd7aa945b40e06b01a07/detection/f-746de8e02f1e64a707ce060a7d851b5d014698ca8692bd7aa945b40e06b01a07-1612299207
- text: 0/70
- hash: b04f9b4feac14cff959718b69b7bbeaf
- hash: f92394246a01e29d001d995c8a752374743efde4
- hash: 25739ec9823c7483811b2c51f8de4836dbaf5e94ee839555fe13c8076dd0b114
- datetime: 2021-02-11T20:01:17+00:00
- link: https://www.virustotal.com/gui/file/25739ec9823c7483811b2c51f8de4836dbaf5e94ee839555fe13c8076dd0b114/detection/f-25739ec9823c7483811b2c51f8de4836dbaf5e94ee839555fe13c8076dd0b114-1613073677
- text: 0/68
Technical Details
- Threat Level: 2
- Analysis: 2
- Uuid: 3dd18ce2-fa55-4f0d-b88e-7d4144cb0dcb
- Original Timestamp: 1613399927 (Unix epoch; 2021-02-15 14:38:47 UTC)
Threat ID: 682b81068ee1a77b717bd670
Added to database: 5/19/2025, 7:05:42 PM
Last enriched: 6/18/2025, 7:34:06 PM
Last updated: 2/7/2026, 7:40:19 AM