Egregor
Egregor is a ransomware gang that began operating in mid-September 2020. Reporting describes it as a relatively new but active ransomware operation and repeatedly links it to the Maze ecosystem: many Maze affiliates reportedly moved to Egregor during Maze's wind-down, and multiple sources state Egregor is believed to share software lineage with Maze and Sekhmet. A ransomware actor cited in reporting claimed Maze, Sekhmet, and Egregor were the same software, and victims who paid Egregor were reportedly sent decryptors titled "Sekhmet Decryptor." Egregor is also described as operating within broader criminal ecosystems, relying on access obtained by initial access groups and on malware services.

Observed activity in the provided content includes confirmed ransomware attacks against Crytek and claimed attacks against Ubisoft and Barnes & Noble. In the Crytek intrusion, files were encrypted and renamed with the ".CRYTEK" extension, and Egregor leaked a 380 MB archive of allegedly stolen unencrypted files, including material related to WarFace, Arena of Fate, and network operations. Egregor claimed to have breached Ubisoft and stolen unencrypted data, including alleged Watch Dogs source code, but the Ubisoft breach was not confirmed in the reporting. Egregor also claimed responsibility for the October 10, 2020 Barnes & Noble attack and published files it said were stolen; reporting notes the leak included Windows Registry hives that corroborated involvement but did not prove theft of the claimed financial and audit data.

The group uses double-extortion tactics reflected in the content: stealing unencrypted files, encrypting victim systems in at least some cases, and publishing data on a leak site to pressure victims. One report states Egregor told media that it stole data from Ubisoft without encrypting files, while Crytek was "encrypted fully." The content also states Egregor has used DLL side-loading to execute its payload.
Egregor appears in multiple access-and-delivery relationships in the provided material. Cisco Talos reported that the financially motivated initial access group ToyMaker/UNC961 transferred access to Maze, Egregor, and Cactus. CrowdStrike-assessed reporting states Prophet Spider likely functioned as an access broker and likely granted access to Egregor and MountLocker ransomware operators in exchange for payment. Qakbot/QBot is repeatedly described as malware used by Egregor or associated with intrusions linked to Egregor, alongside other ransomware groups such as Conti, ProLock, REvil, MegaCortex, and Black Basta. Known alias in the provided content: egregor.
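The profile above notes that Egregor has used DLL side-loading to execute its payload. The following is an added example of one detection heuristic for that technique; it is not Mallory's code and is not taken from the Egregor reporting. It assumes Sysmon-style image-load records (Event ID 7) already parsed into dictionaries with the loading process path in "Image" and the loaded DLL path in "ImageLoaded", and it flags a DLL whose file name matches a known system DLL but which is loaded from outside the Windows system directories, the pattern side-loading produces when a DLL is dropped beside a trusted executable. The system-DLL list and the sample records are constructed for the example.

```python
"""Heuristic DLL side-loading detector over image-load telemetry.

Added example (not Mallory's code, not from the Egregor reporting).
Assumes Sysmon Event ID 7 records parsed into dicts with keys
"Image" (loading process) and "ImageLoaded" (DLL path).
"""
from pathlib import PureWindowsPath

# Directories where Windows legitimately hosts system DLLs
# (assumption: a standard install on drive C:).
SYSTEM_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
)

# Constructed subset of DLL names that ship in System32. In production this
# set would be built by enumerating System32 on a clean reference host.
KNOWN_SYSTEM_DLLS = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll",
    "kernel32.dll", "advapi32.dll", "cryptbase.dll",
}


def is_under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """True if path lies inside root; NTFS paths compare case-insensitively."""
    parts = [p.lower() for p in path.parts]
    root_parts = [p.lower() for p in root.parts]
    return parts[: len(root_parts)] == root_parts


def find_side_load_suspects(events):
    """Return (event, reasons) pairs for loads that look like side-loading.

    A load is suspicious when the DLL name matches a system DLL but the file
    is not under a Windows system directory. A second reason is recorded when
    the DLL sits in the same directory as the loading executable, the classic
    "rogue DLL next to a signed binary" layout.
    """
    suspects = []
    for ev in events:
        dll = PureWindowsPath(ev["ImageLoaded"])
        if dll.name.lower() not in KNOWN_SYSTEM_DLLS:
            continue  # not a name that should resolve to a system DLL
        if any(is_under(dll, d) for d in SYSTEM_DIRS):
            continue  # loaded from where the system copy lives
        reasons = ["system-named DLL loaded from non-system path"]
        exe = PureWindowsPath(ev["Image"])
        if str(dll.parent).lower() == str(exe.parent).lower():
            reasons.append("DLL located in the loading executable's directory")
        suspects.append((ev, reasons))
    return suspects


# Constructed sample telemetry: one benign system load, one case-variant
# benign load, one third-party DLL with a non-system name, one side-load.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"Image": r"C:\WINDOWS\system32\svchost.exe",
     "ImageLoaded": r"C:\WINDOWS\SYSTEM32\dbghelp.dll"},
    {"Image": r"C:\Program Files\ExampleApp\app.exe",
     "ImageLoaded": r"C:\Program Files\ExampleApp\app_helper.dll"},
    {"Image": r"C:\Users\Public\tool\signed_tool.exe",
     "ImageLoaded": r"C:\Users\Public\tool\version.dll"},
]

if __name__ == "__main__":
    for ev, reasons in find_side_load_suspects(SAMPLE_EVENTS):
        print(ev["Image"], "->", ev["ImageLoaded"])
        for r in reasons:
            print("   ", r)
```

Run against the constructed sample, only the last record is reported, with both reasons. The heuristic is deliberately narrow: it does not catch a renamed system DLL or a DLL with a wholly new name, and it produces false positives for software that legitimately ships private copies of system-named DLLs, so in practice it is paired with a signer check on the loaded image and an allowlist of known installers.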
Tradecraft
19 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Recent activity
15 sources tracked across advisories, community write-ups, and news.
Named as a ransomware group that FIN7 is known to collaborate with (no specific activity described in this content).
Ransomware group identified as a recipient of access transferred by ToyMaker.
Ransomware group identified as using Qakbot for initial access in attacks that extort victims for bitcoin ransom payments.
Named ransomware operation noted as reducing activity after law-enforcement raids.