Report an incident

Get 24/7 incident response assistance from our global team

Talk to sales

Just fill out the form, and our representative will contact you soon.

Join the Cybercrime Fighters Club

Please review the following rules before submitting your application:

1. Our main objective is to foster a community of like-minded individuals dedicated to combatting cybercrime and who have never engaged in Blackhat activities.

2. All applications must include research or a research draft. You can find content criteria in the blog. Please provide a link to your research or research draft using the form below.

QakBot Big Game Hunting continues: the operators drop ProLock ransomware for Egregor

Media Center Press Releases
November 20, 2020 · 4 min to read
CyberCrimeCon
EGREGOR
Oleg Skulkin
ProLock
Ransomware

Group-IB, a global threat hunting and intelligence company headquartered in Singapore, has discovered that QakBot (aka Qbot) operators have abandoned ProLock for Egregor ransomware. Egregor has been actively distributed since September 2020 and has so far hit at least 69 big companies in 16 countries. The biggest ransom demand detected by Group-IB team has been at $4 million worth of BTC.

During recent incident response engagements Group-IB DFIR (Digital Forensics and Incident Response) team has noticed a significant change in QakBot operators’ tactics, the gang started to deploy new Egregor ransomware family. This ransomware strain emerged in September 2020, but the threat actors behind already managed to lock quite big companies, such as game developers Crytek, booksellers Barnes & Noble, and most recently a retail giant Cencosud from Chile.

ProLock = Egregor

The analysis of attacks where Egregor has been deployed revealed that the TTPs used by the threat actors are almost identical to the ones used by the ProLock operators, whose campaigns have been described in Group-IB blog post in May. First, the initial access is always gained via QakBot delivered through malicious Microsoft Excel documents impersonating DocuSign-encrypted spreadsheets. Moreover, Egregor operators have been using Rclone for data exfiltration – same as with ProLock. Same tools and naming convention have been used as well, for example md.exe, rdp.bat, svchost.exe. Hence, all of the above considered, Group-IB experts assess it’s very likely that QakBot operators have switched from ProLock to Egregor ransomware.

Geography and victims

The gang behind Egregor followed in Maze’s footsteps, who called it quits not long ago. Egregor operators leverage the intimidation tactics, they threaten to release sensitive info on the leak site they operate instead of just encrypting compromised networks. The biggest ransom demand registered by the Group-IB team so far was at $4 million worth of BTC.

In less than 3 months Egregor operators have managed to successfully hit 69 companies around the world with 32 targets in the US, 7 victims in France and Italy each, 6 in Germany, and 4 in the UK. Other victims happened to be from the APAC, Middle East, and Latin America. Egregor’s favorite sectors are Manufacturing (28.9% of victims) and Retail (14.5%).

Inside Egregor

While TTP’s of Egregor operators are almost identical to that of ProLock, the analysis of Egregor ransomware sample obtained during a recent incident response engagement revealed that the executable code of Egregor is very similar to Sekhmet. The two strains share some core features, use similar obfuscation technique. Egregor source code bears similarities with Maze ransomware as well. The decryption of the final payload is based on the command-line provided password, so it is impossible to analyze Egregor if you don’t have command-line arguments provided by the attacker. Egregor operators use the combination of ChaCha8 stream cipher and RSA-2048 for file encryption.

The use of CobaltStike and QakBot are to watch when hunting for Egregor. More threat hunting and detection tips from Group-IB DFIR team as well as a detailed technical analysis of Egregor operations are available in Group-IB’s blog.

Tactics, techniques and procedures observed are very similar to those seen in the past Qakbot’s Big Game Hunting operations. At the same time, we see that these methods are still very effective and allow threat actors to compromise quite big companies with high success rate. It’s important to note, that the fact many Maze partners started to move to Egregor will most likely result in the shift in TTPs, so defenders should focus on known methods associated with Maze affiliates.

Oleg Skulkin
Oleg Skulkin

Senior DFIR analyst at Group-IB

Would you like to learn more about ransomware operations and TTPs in 2020, register now for Group-IB’s signature Threat Hunting and Intelligence conference, CyberCrimeCon. The eighth edition of the iconic event, held on November 25-26, will traditionally unite cybersecurity professionals from the financial and tech sectors, retail and industrial giants, as well as law enforcement agencies and will, in addition to two major streams — analytical and technological — contain a Threat Hunting Game. The conference’s speaker lineup includes representatives of Europol EC3, leading banks, FMCG companies, and independent researchers.

About Group-IB

Founded in 2003 and headquartered in Singapore, Group-IB is a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime. Combating cybercrime is in the company’s DNA, shaping its technological capabilities to defend businesses, citizens, and support law enforcement operations.

Group-IB’s Digital Crime Resistance Centers (DCRCs) are located in the Middle East, Europe, Central Asia, and Asia-Pacific to help critically analyze and promptly mitigate regional and country-specific threats. These mission-critical units help Group-IB strengthen its contribution to global cybercrime prevention and continually expand its threat-hunting capabilities.

Group-IB’s decentralized and autonomous operational structure helps it offer tailored, comprehensive support services with a high level of expertise. We map and mitigate adversaries’ tactics in each region, delivering customized cybersecurity solutions tailored to risk profiles and requirements of various industries, including retail, healthcare, gambling, financial services, manufacturing, crypto, and more.

The company’s global security leaders work in synergy with some of the industry’s most advanced technologies to offer detection and response capabilities that eliminate cyber disruptions agilely.

Group-IB’s Unified Risk Platform (URP) underpins its conviction to build a secure and trusted cyber environment by utilizing intelligence-driven technology and agile expertise that completely detects and defends against all nuances of digital crime. The platform proactively protects organizations’ critical infrastructure from sophisticated attacks while continuously analyzing potentially dangerous behavior all over their network.

The comprehensive suite includes the world’s most trusted Threat Intelligence, The most complete Fraud Protection, AI-powered Digital Risk Protection, Multi-layered protection with Managed Extended Detection and Response (XDR), All-infrastructure Business Email Protection, and External Attack Surface Management.

Furthermore, Group-IB’s full-cycle incident response and investigation capabilities have consistently elevated industry standards. This includes the 77,000+ hours of cybersecurity incident response completed by our sector-leading DFIR Laboratory, more than 1,400 successful investigations completed by the High-Tech Crime Investigations Department, and round-the-clock efforts of CERT-GIB.

Time and again, its solutions and services have been revered by leading advisory and analyst agencies such as Aite Novarica, Gartner®, Forrester, Frost & Sullivan, KuppingerCole Analysts AG, and more.

Being an active partner in global investigations, Group-IB collaborates with international law enforcement organizations such as INTERPOL, EUROPOL and AFRIPOL to create a safer cyberspace. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.

Read next
Top Women in Security ASEAN Awards 2025
November 13, 2025
Group-IB’s High-Tech Crime Investigations team triumphs at Top Women in Security ASEAN Awards 2025
October 21, 2025
Group-IB launches Asia-Pacific’s first Cyber Fusion Center in Singapore
October 9, 2025
Group-IB Intelligence Powers Spanish Guardia Civil Operation to Dismantle the “GXC Team” Cybercrime Syndicate
September 30, 2025
Group-IB and Cyber Samurai join forces to enhance cyber resilience in the DACH region
September 26, 2025
Group-IB supports INTERPOL’s “Operation Contender 3.0”, leading to the arrest of 260 suspects in Africa
September 25, 2025
Group-IB Unites Partners to Strengthen Turkey’s Cybersecurity Landscape
Go to all Press Releases →