A joint operation between French and Ukrainian law enforcement has reportedly led to the arrest of members of the Egregor ransomware group in Ukraine this week.
French radio station France Inter reported that the arrested suspects, whose names have not been released, provided hacking, logistical, and financial support to the Egregor gang.
The arrested suspects are believed to be some of the affiliates of the Egregor gang whose job was to hack into corporate networks and deploy the ransomware.
French authorities became involved in the investigation after many major French companies, including game studio Ubisoft and logistics firm Gefco, were hit by Egregor last year.
The investigation began last year, and French police, working with other European law enforcement agencies, managed to trace Egregor members and infrastructure to Ukraine.
The Egregor gang began operating in September 2020 on a Ransomware-as-a-Service (RaaS) model: the core group rents out access to the ransomware strain itself, but depends on other cybercrime gangs to carry out intrusions into corporate networks and deploy the file-encrypting payload.
Many security experts believe that the Egregor gang is actually the older Maze ransomware group, which began operating in late 2019.
The Maze gang abruptly shut down in September 2020, a few weeks after Egregor began operating. Around that time, reports stated that Maze had privately told many of its top "affiliates" to move over to the Egregor RaaS.
Egregor was reported as the second most active ransomware gang of Q4 2020. Notable victims include Barnes and Noble, Kmart, Cencosud, Randstad, Vancouver's TransLink metro system, and Crytek.
Victims who do not pay the ransom are named on a leak site to pressure them into paying. Their internal documents and files are also usually published on the Egregor leak site as punishment.
When a victim does pay, the gang that organized the intrusion keeps most of the funds, while the Egregor gang takes a small profit. The gang then launders these profits through the Bitcoin ecosystem using Bitcoin mixing services.
The arrests appear to have had a large impact on Egregor operations. The Egregor infrastructure, including its extortion site and command-and-control (C2) infrastructure, has been offline since at least Friday.
Although no police seizure banner has appeared, it is unusual for a ransomware operation like Egregor to have all of its infrastructure go offline at the same time.