The anatomy of a modern-day ransomware conglomerate

Written by Jeff Stone

If school administrators, medical organizations and other crucial industries haven’t already had enough bad news over the past year, a new hacking group that relies on emerging techniques to rip off its victims should fulfill that need. 

What makes the pain even worse is that the group is using an innovative structure that’s becoming more common in the cybercrime underworld.

This ransomware gang, dubbed Egregor, in recent months appears to have hacked more than 130 targets, including schools, manufacturing firms, logistics companies and financial institutions, according to the U.K.-based security firm Sophos. Egregor works much like other strains of ransomware — holding data hostage until a victim pays a fee — though in some ways the group behind it also exemplifies the current state of the hacking economy. 

Rather than relying on lone hackers who mastermind massive data breaches, or dark web forums frequented only by Russian scammers, today’s cybercriminals function as part of a kind of cooperative shadow industry that rewards innovation and reputation. It’s like an informal professional network in Silicon Valley, only based on extorting schools rather than generating engagement.

“We’re seeing some of the same individuals who were active years ago still active now,” said Jason Passwaters, chief operating officer at the threat intelligence firm Intel 471. “They’re providing the same services they provided back then, it’s just that everybody is interdependent on each other.” 

Just as hundreds of people may be involved in the transportation of a Chiquita banana from its origin to a grocery store, security researchers suggest that dozens of individuals might be involved in a given data breach or digital extortion attempt. It’s not unique to the Egregor group. Hackers using the malware strains known as Conti, Thanos and SunCrypt, among others, also have deployed similarly cooperative techniques. 

It’s a style with roots in the mid-2000s when a hacker using the name “slavik” released the Zeus malware, a hacking tool…