Users of the Egregor ransomware cartel have been arrested this week in Ukraine, French radio station France Inter reported on Friday, citing legislation enforcement sources.

The arrests, which have not been formally announced, are the outcome of a joint investigation concerning French and Ukrainian law enforcement.

Sources in the menace intel community have verified the existence of a law enforcement action but declined to comment for the time staying.

The names of the suspects have not been unveiled. France Inter claimed the arrested suspects supplied hacking, logistical, and fiscal assistance for the Egregor gang.

The Egregor gang, which began functioning in September 2020, operates based on a Ransomware-as-a-Support (RaaS) design. They rent entry to the precise ransomware strain, but they count on other cybercrime gangs to orchestrate intrusions into corporate networks and deploy the file-encrypting ransomware.

Victims who resist paying the extortion payment are often stated on a so-known as “leak internet site,” in the hopes of shaming them into spending the ransom demand. Victims who don’t fork out normally have inner documents and information shared on the Egregor leak web-site as punishment.

Egregor ransomware leak site

The Egregor ransomware leak site


Impression: ZDNet

If victims do spend the ransom demand from customers, the gang which orchestrated the intrusion keeps most of the cash, while the Egregor gang usually takes a smaller slash. The gang then launders these profits through the Bitcoin ecosystem via Bitcoin mixing companies.

In accordance to the France Inter report, the arrested suspects are believed to some of these “affiliate marketers” (or associates) of the Egregor gang, which support prop up its operations.

France Inter mentioned French authorities obtained involved in the investigation immediately after numerous significant French corporations were being strike by Egregor past calendar year, such as video game studio Ubisoft and logistics firm Gefco.

An investigation was started final year, and French police, alongside one another with “European counterparts,” have been ready to monitor down Egregor associates and infrastructure to Ukraine.

Egregor leak web-site down due to the fact Friday

While, at the time of composing, specifics about the regulation enforcement motion are murky, the arrests surface to have experienced a very significant effect on Egregor operations.

“Recorded Future has observed that Egregor infrastructure, including their extortion website and command and handle (C2) infrastructure, has been offline considering that at the very least Friday,” Allan Liska, a stability researcher for threat intelligence firm Recorded Potential, has told ZDNet in an e-mail.

“While there has been no law enforcement banner, as there generally would be in this circumstance, it is uncommon for ransomware actors as perfectly-resourced as Egregor to have all of their infrastructure go offline at the exact time,” he additional.

Egregor has created additional than 200 community victims

The arrests in Ukraine have hit just one of final year’s most lively ransomware functions.

When the Egregor RaaS formally introduced in September 2020, numerous safety authorities believe that the Egregor gang is actually the older Maze ransomware group, which began working in late 2019.

The Maze gang abruptly shut down in September 2020, a couple of months just after Egregor started functioning. Reports from threat intelligence corporations at the time said that the Maze gang experienced privately notified quite a few of its top “affiliate marketers” to transfer more than to the Egregor RaaS.

Currently, numerous stability researchers believe that the Egregor RaaS is an upgraded and rebranded version of the more mature Maze operation.

“Recorded Future has tracked 206 victims published to the Egregor extortion web site and, in advance of the switchover, 263 victims released to the Maze internet site,” Liska told ZDNet.

“The two variants blended accounted for 34.3% of victims printed to all ransomware extortion sites (14.9% Egregor),” Liska reported.

A Coveware report published previous thirty day period verified Recorded Future’s assessment, listing Egregor as the next most active ransomware gang for Q4 2020.

Having said that, it is unclear what the harm of this week’s regulation enforcement motion will be on Egregor’s future. Previous month, US and Bulgarian authorities disrupted the Netwalker ransomware gang by seizing servers and arresting just one of its affiliates, and the RaaS assistance has been inactive at any time due to the fact.

A Chainalysis report released at the start off of the thirty day period outlined the Egregor/Maze gang as one of the best 5 earners in the ransomware landscape, with earnings among $40 million and $50 million.

This was confirmed by Liska, who told ZDNet that Egregor’s normal ransom need was all over $700,000, building it amongst the premier ransom requires of any ransomware household.

Maze’s 2020 dox

But a rather sizeable celebration took area previous yr, in November, when the operators of the REvil (Sodinokibi) ransomware gang (#1 on that Coverware 2020 Q4 ransomware report) claimed to have discovered the authentic identities of the persons driving the Maze provider, their rival.

At the time, safety analysts thought of the REvil stunt as an try to sabotage a rival’s public graphic, but no person commented on the precision of the dox, and ZDNet was instructed quite a few of them shared the details with law enforcement organizations.