A malware attack on a large UK estate agency was carried out by the Egregor ransomware group and appears to be case of ‘double extortion’, according to threat intelligence experts.

Foxtons PLC was hit by a malware attack last October and reported itself to the Information Commissioner’s Office.

British newspaper the i reported last week that more than 16,000 card details, addresses and private correspondence, including details of fees paid, are now accessible on the dark web.

Foxtons has confirmed a malware attack hit its mortgage broking arm Alexander Hall last October. It however said: “We have forensically been through all the stolen data (using an independent law firm) and concluded that it was not special category data, as defined by the ICO, nor was it likely to give rise to any significant consequences to our customers such as would require them to be notified.”

Threat intelligence firm Kela has said that it is “safe to assume” that the hacking of the system and the apparent publication of the data are linked, and appear to be by Egregor as the leaked information was reportedly seen online on the same date as the victim was posted on the Egregor blog.

On Twitter, Kela said the case “seems like an instance of double extortion” where fraudsters demand payment to prevent further publication of data.

What is Egregor ransomware?

Egregor is a newly identified ransomware variant that was first discovered in Septembe, 2020, and has recently been identified in several sophisticated attacks on organizations worldwide, including the games industry giants Crytek and Ubisoft.

Egregor is believed to be a relative of another ransomware called Sekhmet that emerged in March, 2020.

The group’s ransomware attacks are characterized by their double-extortion tactics. The cybercrime group breaches sensitive data, encrypting it so that it cannot be accessed by the victim.

They then publish a subset of the compromised data on the dark web as proof of the successful exfiltration and give the victim a deadline to pay a price to prevent further data being published.

Egregor infection happens via loader. The criminals then install a remote desktop protocol and the malware then identifies and disables antivirus software.