FBI alert on Egregor ransomware highlighted affiliate cybercrime model

Egregor is one of a number of strains classified as ransomware-as-a-service, meaning users can pay a fee to enlist the malicious code for their crime sprees.

An emerging strain of ransomware that was the subject of a recent FBI report is relying on an extortion technique in which attackers publish stolen data to a public website in the event that a victim organization refuses to meet hackers’ demands. 

The Federal Bureau of Investigation in January warned that the gang behind the Egregor ransomware, first detected in September 2020, would compromise a victim’s network, then order a victim to print a physical copy of a ransom note spelling out a demand to pay a specific fee, otherwise risk their stolen data being made public. French and Ukrainian police took action against hackers who used the Egregor malware in February, reportedly arresting “several” suspects. 

In its advisory, the bureau said that attackers can rent Egregor as a ransomware-as-a-service malware, and that it relies on other hacking tools as part of an affiliate model. Egregor frequently comes packaged with penetration testing and exploit tools including Cobalt Strike, Qakbot and software known as Advanced IP Scanner and AdFind, the FBI said. 

The federal government’s warning roughly coincided with a consensus from cybersecurity researchers and private sector firms that the specialists who launch ransomware attacks are a much more concentrated lot than widely understood. 


“In this model, multiple different individuals play a part in conducting a single intrusion and ransomware event,” the FBI alert says. 

“Egregor ransomware utilizes multiple mechanisms to compromise business networks, including targeting business networks and employee personal accounts that share access with business networks or devices,” the notice continues. 

Further investment in the affiliate model also unlocks the services of other professionals who offer access to breached networks, extortion negotiations and customized criminal services. The most prolific crews — Maze, Egregor, SunCrypt and Doppelpaymer — rely on many of the same services to complete their scams, according to recent findings from Chainalysis, which provides intelligence to U.S. law enforcement.

A growing body of research suggests these affiliates launder their stolen money through a relative handful of locations. When a ransomware victim elects to pay an extortion fee in bitcoin, for instance, the thieves need to cover their tracks. Money launderers connected to ransomware groups deposited some 80% of the millions of dollars they received in 2020 into 199 bitcoin wallets, Chainalysis research provided exclusively to CyberScoop showed. Of the total 199, 25 accounts collected 46% of the funds.

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.