Egregor ransomware criminals allegedly busted in Ukraine – Naked Security

According to a report from radio station France Inter, numerous cybercriminals connected to the Egregor ransomware gang have recently been arrested.

It’s not yet clear whether there are suspects in custody both in France and in Ukraine, but France Inter says [our translation] that:

This was a massive Franco-Ukrainian operation. Since Tuesday [last week], police in the two countries have been working together in an effort to dismantle a cybercrime group suspected of initiating hundreds of ransomware attacks dating back to September 2020.[…] Police arrested a number of hackers suspected of working with the Egregor cybercrime gang, providing hacking, logistical, and financial support.
Like many ransomware gangs these days, Egregor isn’t a small and self-contained hacking crew.

Egregor is an example of what’s become known as RaaS, short for ransomware-as-a-service, a name that’s ironically derived from industry terminology such as IaaS (infrastructure-as-a-service) and SaaS (software-as-a-service).

Ransomware-as-a-service typically means that the core technical operators – the criminals who code the ransomware and collect the money from victims – don’t need to deal directly with those victims.

Instead, the core criminals behind a RaaS operation provide a web portal through which “affiliates” can sign up to acquire malware samples, after which it’s up to the affiliates to carry out the “street work” of breaking into networks, spreading the ransomware and initiating the blackmail demands in which most ransomware attacks culminate.

The core criminals then collect the cryptocurrency paid in by victims and pay the affiliate behind each attack a percentage of the takings.

Each affiliate in a RaaS scheme typically gets 70% of the “revenue” from each attack they orchestrate, while the core of the gang keeps 30% of the takings from every payment.


We can only guess that the crooks chose this cut because 30% is a long-established figure in the legitimate cloud world – one that users of services such as Apple Music or Google Play are already used to.