Egregor has his ransom demand printed by the machines of his victims

by Kelvin
Egregor has his ransom demand printed by the machines of his victims

Ransomware encrypts data, ransomware steals and publishes data, and now ransomware prints its ransom messages on their victims’ photocopiers.

On November 14, the South American retail giant Cencosud was the victim of particularly virulent ransomware. The attack is claimed by Egregor, a cybercriminal organization that appeared in September. The group has taken over part of the activities of the famous Maze, which stopped at the beginning of the month, and already has several big names on its hunting board.


Like all recent ransomware, Egregor encrypts the files it finds, so that the documents become unreadable and network-linked machines stop functioning. Before initiating the encryption, it will have exfiltrated a copy of the company data, which cybercriminals can use to blackmail the publication if necessary. But Egregor stands out with a new functionality, intended to sow even more chaos during the attack. If its malware hits a computer linked to a printer, it will automatically print the ransom note, already deposited on any affected computer.

In this case, Egregor could have printed thousands of copies, given the size of his victim. Cencosud is at the head of many chain stores (Jumbo, Vea, Disco, etc.), spread across several South American countries, including Argentina, Brazil and Chile. The multinational achieved $ 15 billion in sales in 2019, in its more than 1,000 supermarkets.

The Argentinian newspaper Clarín, which reported the information first, unpublished its article, without providing an explanation. But the Bleeping Computer, media expert on ransomware, was able to confirm the attack.

“Your customers will be aware of your PROBLEM”

The American media recovered the ransom note that the hackers left on each affected computer. This note, written in the form of a generic FAQ – ransomware operators generally do not know exactly who they have hit – hammers in English: “”. Hackers give company officials three days to contact them and negotiate payment of the ransom.

To put pressure on decision-makers, cybercriminals warn: “” They also stress the potential damage associated with the loss of reputation that their attack would engender.

By stopping the video at the right time, we find the ransom message obtained by the Bleeping Computer. // Source: Twitter

The only way for the victim to quickly unblock the thorny situation is, in theory, to pay the ransom which amounts to several thousand or even millions of dollars for companies of this size. The company would thus recover the decryption key, avoid a prolonged slowdown in its activity, and any loss of data. With any luck, she would even fix the problem before it got out of hand.

But in practice, there is no guarantee that the criminals will give the decryption key or that they will not keep a copy of the data to sell them after the fact. Worse, without a system reset, it is difficult to ensure that the system is properly cleared of all malware residue.

Either way, between corrupted devices and printed notes, Egregor’s message has been received more than a thousand times than one.

CyberGhost, Cyberwarre’s exclusive advertiser, is a premium VPN provider at affordable prices. It has thousands of secure servers spread across the world, allowing it to relocate its IP address and bypass geoblocks. CyberGhost does not keep any record of user activity. Its VPN application is available on all operating systems and connected devices and is the easiest to access on the market. Learn more about CyberGhost’s VPN solution