FBI Issues a Warning about Egregor Ransomware Attacks

The FBI has issued a warning about an attack on approximately 150 corporate networks in the U.S and other countries called Egregor ransomware. Victims of this attack have claimed demands from cybercriminals have reached up to $4 million. Companies that have been targeted include Barnes & Noble, Kmart and Ubisoft.

What is Egregor ransomware and how does it work?

Egregor ransomware is a recently new ransomware as it was first noticed in September 2020. It is distributed through a penetration-testing software such as Cobalt Strike, which is a tool used to detect system vulnerabilities. This tool is used for software testing to discover bugs and flaws in an organisations network. Cyber criminals have taken advantage of this software to send organisations multiple phishing emails, with the aim to inject malicious software into the victim’s machine.

Once the cybercriminals have access to an organisations network and files, they send a ransom note threatening that if the victim does not pay within three days, they will leak the stolen data and announce the cyber breach through mass media, alerting the public of this breach.

In addition to usual ransomware strategies such as encrypting files and leaving a ransom note on machines, Egregor attack cybercriminals also utilize the print function. It was reported that they caused an organisation’s printer to continuously print the ransom note. Cybercriminals may also offer their victims education about what they can do to help them escape future attacks, such as recommendations to secure their network better, to encourage organisation’s to pay the ransom.

As there is a large group of cybercriminals involved in this attack, the tactics and techniques can vary, making it tricky to defend against this attack. Some tactics the FBI has found include:

  • Targeting employee personal accounts that share access with business networks or devices
  • Phishing emails with malicious attachments
  • Exploiting remote desktop protocol

It is advised that organisation’s that are victim to the Egregor ransomware attack don’t pay the ransom as there is no guarantee files will be recovered. Paying the ransom also encourages the cybercriminals to continue targeting other organisations and fund this illicit activity. It is also encouraged that organisations report this incident regardless if they paid the ransom or not to their local FBI.


Arntz P, 2020, Threat profile: Egregor ransomware is making a name for itself, Malwarebytes Labs, viewed 12th January 2021,<https://blog.malwarebytes.com/ransomware/2020/12/threat-profile-egregor-ransomware-is-making-a-name-for-itself/#:~:text=What%20is%20Egregor%3F%20Egregor%20ransomware%20is%20a%20relatively,similarities%20in%20obfuscation%2C%20API-calls%2C%20and%20the%20ransom%20note>.

Ferguson S, FBI Issues Alert on Growing Egregor Ransomware Threat, Data Breach Today, viewed 12th January 2021,<https://www.databreachtoday.com/fbi-issues-alert-over-growing-egregor-ransomware-threat-a-15733>.

Meskauskas T, 2020, Cobalt Strike virus removal guide, PC Risk, viewed 12th January 2021,<https://www.pcrisk.com/removal-guides/14342-cobalt-strike-malware>.

Montalbano E, 2021, FBI Warns of Egregor Attacks on Businesses Worldwide, ThreatPost, viewed 12th January 2021,<https://threatpost.com/fbi-egregor-attacks-businesses-worldwide/162885/>.

Adelaide Office
Melbourne Office
Sydney Office
Brisbane Office