The Ukrainian authorities have confirmed the widely reported disruption and takedown of the Egregor ransomware operation, saying cyber specialists from the Ukrainian Security Service – Sluzhba bezpeky Ukrayiny, or SBU – conducted a “multi-level, large-scale special operation” alongside authorities from France and the US.
Up to now, information on the takedown could be traced back only to reporting by French radio station France Inter, although cyber security analysts had confirmed disruption to Egregor’s back-end infrastructure in the run-up to the arrests.
In an announcement on its website – translated by Computer Weekly through Google services – the SBU said investigations into the Egregor gang, which emerged in the autumn of 2020 and was briefly one of the most “productive” ransomware operations in operation, found that a group of people operating from within Ukraine were using Egregor.
The SBU said it had recorded Egregor attacks on more than 150 organisations in Europe and the US, resulting in ransom payments of over $80m (€66m/£58m) in cryptocurrency.
“In February 2021, law enforcement officers stopped the activities of criminals. During the investigation, computer equipment with the Egregor virus, information about the affected computer networks and other incontrovertible evidence of illegal activity were seized,” said the SBU in its statement.
“The members of the specified hacker group, including the organiser, were informed about the suspicion of committing criminal offenses under Part 2 of Article 189 (extortion), Part 2 of Article 361 (unauthorised interference in the work of electronic computers (computers), automated systems, computer networks or telecommunication networks) of the Criminal Code of Ukraine,” it said.
The SBU did not say whether or not the individuals in custody were the ultimate brains behind Egregor, or merely an affiliate group. Egregor is one of a number of operations that run a ransomware-as-a-service (RaaS) model, whereby its “product” is made available to affiliates who perform the dirty work of extortion, while the ultimate operators get a percentage of the take.
This business model enables ransomware operators to scale their earnings with far less risk attached than if they were running cyber attacks themselves, adding a layer of obfuscation between themselves and the attackers – it is not illegal, after all, to write software.
Pre-trial investigations are now underway in Ukraine under the auspices of prosecutors in Kiev. Meanwhile, US authorities have scheduled a related announcement for later on 17 February. This article will be updated with further information as it is made available.
