
Egregor

Ransomware group

Egregor is a ransomware strain that appeared in September 2020, widely believed to be a rebrand or successor to the Maze ransomware operation, using similar infrastructure and tactics. It runs as a Ransomware-as-a-Service (RaaS), recruiting affiliates to deploy its payload in exchange for a percentage of ransom payments. Egregor employs a double-extortion model, encrypting files with ChaCha and RSA-2048 algorithms, while exfiltrating sensitive data to threaten public release. Victims receive ransom notes directing them to Tor-based portals for negotiation. The group has targeted organizations worldwide across sectors such as retail, transportation, manufacturing, and finance, with notable attacks on Barnes & Noble and Cencosud. Egregor's operations were disrupted in early 2021 through coordinated law enforcement action, leading to the arrest of suspected affiliates in Ukraine.

Victims: 6 records
First Discovered: Oct 10, 2020 (victim)
Last Discovered: Feb 8, 2021 (victim)
Inactive Since: 1,964 days
Countries: 4 hit
Avg Discount: no settlements

Group Activity

[Chart: group activity over the last 12 months, Jul 2025 to Jun 2026, by month; only the month axis labels survive in the extracted text, no values]