Police Reportedly Arrest Egregor Ransomware Members

French and Ukrainian police have been in action disrupting the Egregor ransomware group with several arrests last week, according to reports.
The suspects were traced via analysis of blockchain records after victims of the ransomware paid their extorters in Bitcoin, according to public radio channel France Inter.
Those arrested in Ukraine are thought to have been hackers as well as individuals providing logistical and financial support to the ransomware-as-a-service (RaaS) group.
The Paris Tribunal de Grande Instance, France’s busiest court, opened an investigation into Egregor last autumn after multiple French organizations fell victim to the group. These included video game developer Ubisoft, logistics giant Gefco, and newspaper Ouest France.
Just a few days ago, the Dax-Côte d’Argent Hospital Center in south-west France was taken offline by Egregor.
It’s not known how many have been arrested at this stage, or whether they were the original developers of the ransomware or members of one of the many groups to which the developers “lease” their malware for attacks in return for a cut of the profits.
The group itself appeared to rise out of the ashes of Maze. It’s not known if the original members were involved in the other group, but certainly many of the affiliates swapped over.
Revelations of law enforcement activity come after a relatively sharp decline in attacks using Egregor over the past month or so.
In fact, the site it uses to publish stolen data was out of action for a fortnight in January, leading some to speculate that investigators may have been able to disrupt the operation. When Infosecurity visited it a few days ago to confirm a Foxtons breach, none of the links to data downloads were working.
Researchers last week also claimed to have found ties between Egregor and Russia-based attacks in the past, as well as an unusual username also employed by the REvil group.