Ransomware gang Egregor publishes details from HR firm Randstad following hack

Since emerging in mid-September, Egregor has reportedly been used in multiple high-profile ransomware attacks.
Randstad, a multinational human resources company, has disclosed a cyberattack (Flickr/Roel Wijnants)

A cybercriminal group breached the IT systems of Randstad, one of the largest head-hunting companies in the world, and published some internal corporate data in an apparent extortion attempt, the firm said Thursday.

Netherlands-based Randstad pointed the finger at the criminal gang behind Egregor, a nascent type of ransomware that’s struck multiple organizations in recent weeks. The attackers gained access “to our global IT environment and to certain data, in particular related to our operations in the US, Poland, Italy and France,” Randstad said in a press release. “A limited number of servers were impacted.”

Randstad, which employed more than 38,000 people last year and reported more than $28 billion in revenue, said it was still identifying what data had been accessed. Law enforcement and third-party investigators are also involved in the matter, the company said.

“We believe the incident started with a phishing email that initiated malicious software to be installed,” a Randstad spokesperson said in an email. “We have not yet received a ransom note or any direct communication from Egregor.”


“Our systems have continued running without interruption and there has not been any disruption to our operations,” the Randstad spokesperson added.

The cybercriminal group published corporate data that appeared to include legal documents and financial reports.

Since emerging in mid-September, the Egregor ransomware has reportedly been used in cyberattacks on major retailers like Barnes & Noble and Kmart, and on the Vancouver metro system’s transportation authority, which on Thursday confirmed a ransomware attack on its IT systems that caused problems with card payments.

The attackers have used Qakbot, a popular banking malware that has been around for more than a decade, to distribute their ransomware, according to Group-IB, a security vendor.

Like so many ransomware gangs in 2020, Egregor is using the one-two punch of stealing and encrypting files to maximize its leverage in ransom negotiations, according to Recorded Future, another security company. The Egregor operatives typically give victims three days to pay before leaking additional data, the company said.


“The Egregor ransomware is a complex piece of malware, employing obfuscation and anti-analysis techniques,” Recorded Future said in an analysis this week. “In order to fully decrypt and deploy the payload, the password associated with the sample must be provided at runtime.”

Bleeping Computer reported the news earlier Friday.

Written by Sean Lyngaas
