It has been reported that Ukrainian law enforcement officers have arrested several affiliate members of the Egregor ransomware gang. The operation was carried out with the assistance of French authorities; the French investigation, which began last fall, reportedly traced Bitcoin ransom payments from French victims back to individuals in Ukraine. Egregor has been responsible for attacks on French companies such as Ubisoft, Ouest France, and Gefko, as well as other attacks worldwide. Egregor operates on an “affiliate” model: the developers who create and maintain the ransomware provide it to other criminals, who deploy it against victim organizations they have already gained unauthorized access to, and the proceeds of the extortion payments are split between the developers and the affiliates. The operation began in September 2020 and is believed to have partnered with the Qbot malware in November 2020. Binary Defense analysts who monitored the Egregor leak site observed several outages in early December, and the site appeared to have been taken down entirely in late 2020. It is currently unknown whether this was due to law enforcement action; Binary Defense will continue to monitor the situation.
This is one of several operations carried out by Ukrainian law enforcement against cybercriminals. Binary Defense believes this may reflect a shift in policy within the Ukrainian government, intended to prevent cybercriminals from believing they have safe harbor within the country.

To defend against a ransomware attack and limit data loss, maintain offline, encrypted backups of data and regularly test restoring from them. Backups should be taken at regular intervals so that little data is lost if they are ever needed, and at least one copy should be kept offline, since ransomware operators routinely seek out and destroy backups that are reachable from the network before deploying the payload. Create and maintain an incident response plan that includes response and notification procedures for a ransomware incident. Regularly patch software and operating systems to the latest available versions. Threat actors commonly gain initial access through insecure Internet-facing remote services or phishing, so follow best practices for RDP and other remote desktop services: do not expose them directly to the Internet, place them behind a VPN that requires Multi-Factor Authentication (MFA), and audit unusual login events from IP addresses or devices that differ from what an employee account normally uses. When an attack makes it through the outer layers of defense, it is important to have a Security Operations Center or a managed security monitoring service with expert security analysts on duty, such as the Binary Defense Security Operations Task Force. The Task Force provides 24/7 monitoring of SIEM and endpoint detection systems to detect and defend against intrusions on an organization’s network.
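The login-auditing advice above is easiest to see as a concrete detection rule. The following is an added example, not Binary Defense's own detection logic or any Egregor-specific indicator: it builds a per-account baseline of source IPs and workstation names from successful RDP logons (Windows Security event 4624, logon type 10) during a "normal" window, then alerts on any later RDP logon from an IP or device the account has not used, or from an account with no RDP history at all. The `key=value` line format and all sample log lines are constructed for the example and stand in for a SIEM export; the field names are modeled on event 4624 but the format is an assumption.

```python
"""Detect RDP logons from source IPs or workstations an account has not used before.

Sample data below is constructed for this example; field names are modeled on
Windows Security event 4624 (successful logon) as exported by a SIEM, but the
key=value line format is a stand-in, not a real log format.
"""
from collections import defaultdict
from datetime import datetime

# Windows logon type 10 (RemoteInteractive) is an RDP session. Other types
# (3 = network, 7 = unlock, ...) are ignored by this detector.
RDP_LOGON_TYPES = {10}

# Constructed sample log lines. Lines before 2021-01-10 form the "normal" baseline.
SAMPLE_LOG = """\
time=2021-01-04T08:02:11 event_id=4624 logon_type=10 account=jdoe src_ip=10.8.0.14 workstation=JDOE-LAPTOP
time=2021-01-05T08:10:42 event_id=4624 logon_type=10 account=jdoe src_ip=10.8.0.14 workstation=JDOE-LAPTOP
time=2021-01-06T09:15:03 event_id=4624 logon_type=10 account=asmith src_ip=10.8.0.27 workstation=ASMITH-PC
time=2021-01-07T18:30:55 event_id=4624 logon_type=3 account=svc_backup src_ip=10.0.5.9 workstation=BACKUP01
time=2021-01-12T02:47:19 event_id=4624 logon_type=10 account=jdoe src_ip=198.51.100.23 workstation=DESKTOP-K3M7Q
time=2021-01-12T08:05:30 event_id=4624 logon_type=10 account=asmith src_ip=10.8.0.27 workstation=ASMITH-PC
time=2021-01-13T03:12:44 event_id=4624 logon_type=10 account=svc_backup src_ip=10.8.0.99 workstation=WIN-7RQ2F
time=2021-01-13T10:00:01 event_id=4625 logon_type=10 account=jdoe src_ip=198.51.100.23 workstation=DESKTOP-K3M7Q
"""


def parse_log(text):
    """Parse key=value lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        events.append({
            "time": datetime.fromisoformat(fields["time"]),
            "event_id": int(fields["event_id"]),
            "logon_type": int(fields["logon_type"]),
            "account": fields["account"].lower(),       # normalise case so JDoe == jdoe
            "src_ip": fields["src_ip"],
            "workstation": fields["workstation"].upper(),
        })
    return events


def is_rdp_logon(ev):
    """Successful (4624) logon over RDP. Failed logons (4625) are left to a
    separate password-spray / brute-force rule."""
    return ev["event_id"] == 4624 and ev["logon_type"] in RDP_LOGON_TYPES


def build_baseline(events, cutoff):
    """Per account, the source IPs and workstation names seen in successful
    RDP logons before `cutoff`. The baseline is fixed on purpose: an attacker's
    first logon must not silently become 'normal' for the ones that follow."""
    baseline = defaultdict(lambda: {"ips": set(), "workstations": set()})
    for ev in events:
        if is_rdp_logon(ev) and ev["time"] < cutoff:
            baseline[ev["account"]]["ips"].add(ev["src_ip"])
            baseline[ev["account"]]["workstations"].add(ev["workstation"])
    return baseline


def find_anomalous_logons(events, cutoff):
    """Return an alert for every RDP logon at or after `cutoff` whose source IP
    or workstation does not match the account's baseline, or whose account has
    no RDP baseline at all (e.g. a service account that should never use RDP)."""
    baseline = build_baseline(events, cutoff)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if not is_rdp_logon(ev) or ev["time"] < cutoff:
            continue
        known = baseline.get(ev["account"])   # .get() does not create a default entry
        reasons = []
        if known is None:
            reasons.append("no prior RDP history for account")
        else:
            if ev["src_ip"] not in known["ips"]:
                reasons.append("new source IP " + ev["src_ip"])
            if ev["workstation"] not in known["workstations"]:
                reasons.append("new workstation " + ev["workstation"])
        if reasons:
            alerts.append({
                "time": ev["time"].isoformat(),
                "account": ev["account"],
                "src_ip": ev["src_ip"],
                "workstation": ev["workstation"],
                "reasons": reasons,
            })
    return alerts


def detect(log_text, cutoff_iso):
    """Parse the log, baseline on events before cutoff_iso, alert on the rest."""
    return find_anomalous_logons(parse_log(log_text), datetime.fromisoformat(cutoff_iso))


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, "2021-01-10"):
        print(alert["time"], alert["account"], alert["src_ip"],
              alert["workstation"], "; ".join(alert["reasons"]))
```

Against the sample data this raises two alerts: `jdoe` logging in at 02:47 from a new public IP and an unfamiliar workstation name, and `svc_backup`, which has a network logon in the baseline but has never used RDP, appearing in an RDP session. In production the baseline would come from a SIEM query over several weeks rather than a cutoff date, and if RDP is only reachable over a VPN the source IP will be a VPN pool address, so the same comparison should also be run against the VPN gateway's authentication logs, where the client's real public IP and device identity appear.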