Police arrested several members of a cybercriminal group on February 9 in Ukraine, a group behind several cyberattacks around the world, including the one against the daily newspaper Ouest-France, police sources and sources close to the case announced this Thursday.
This “international operation”, carried out in coordination by French and Ukrainian police officers as well as the FBI, put a “stop” to the distribution of the ransomware known as “Egregor”, the police explain in a press release.
According to the first findings of the investigation communicated by the Ukrainian security service (SBU), at least 150 companies were attacked, mainly in the United States and in Europe, for losses estimated at around 66 million euros. At least three people were arrested in this crackdown, according to a source close to the case. The suspects’ homes were searched, and the seized computer equipment is “still being analysed” by French investigators sent to Ukraine, according to the police.
It was a Europol report in September that led the Paris prosecutor’s office to open an investigation in France, entrusted to the sub-directorate for the fight against cybercrime (SDLC). The group practised the technique of “double extortion”: on the one hand, encrypting and stealing the targeted company’s data; on the other, threatening to publish the stolen data on a website if the company refused to pay a ransom in bitcoin, the best-known virtual currency.
Different attacks on French hospitals
The ransomware was deployed after an initial intrusion “via phishing emails and poorly secured Windows remote desktop access”, the French police explain. Particularly sophisticated, “Egregor” could take control of printers connected to infected computers and print the ransom note, “further amplifying the psychological impact of the extortion”, the same source said.
Several French companies have been targeted by “Egregor”, including the daily Ouest-France, the transport company Gefco and the video game giant Ubisoft. Two ransomware attacks have hit the hospitals of Villefranche-sur-Saône (Rhône) and Dax (Landes) in recent days, but they do not bear the signature of “Egregor”. Egregor operated on the ransomware-as-a-service (RaaS) model: its creators made it available to other hackers, the “affiliates”, who carried out the attacks and then shared the profits.
Those arrested belong “rather to the design and production team”, says Catherine Chambon, deputy director for the fight against cybercrime at the central directorate of the judicial police. While Catherine Chambon describes the operation against “Egregor” as a “fairly effective dismantling”, she urges remaining “very careful and modest” in the face of what resembles “a nebula”.
According to the National Information Systems Security Agency (Anssi), “Egregor is believed to be linked to the end of the activity of the group of attackers behind the Maze ransomware”, which was notably the source of an attack against Bouygues Construction in January 2020. Could “Egregor”, in turn, be reborn in another form? “It’s possible, that can be the life of ransomware,” replied Catherine Chambon. “The idea is to gradually make cybercriminals feel less secure, so that they feel less of a sense of impunity. Even if, once a crime exists, it has little chance of disappearing.”