Edinburgh Woollen Mill ransomware claim: Crims demand cash from target in administration

Egregor gang publishes stolen data snippet but did anyone receive their extortion note?
Ransomware criminals who targeted Edinburgh Woollen Mill are congratulating themselves on infiltrating the business and publishing their usual extortion demands – unaware the company has crashed into administration.

The Egregor ransomware crew followed the criminal playbook to perfection. They found a way into a reasonably-sized business, locked up its files and then sent ransom demands.

When those demands weren’t answered, the gang – who had, as is fashionable for ransomware criminals, set up an extortion website – published a snippet of stolen data on their site to attract media attention.

There was just one problem. Nobody was paying attention to the ransom demands because Edinburgh Woollen Mill, parent company of clothing brands such as Jaeger and Jane Norman, as well as retail chain Peacocks, collapsed into administration a fortnight ago.

Around 2,000 jobs were put at risk and 750 people, out of a total of 24,000, were made redundant on 6th November when EWM entered administration. Although the company’s phone was not being answered when The Register called, we have emailed to seek comment and will update this article if anyone responds.

Brett Callow, a threat analyst at infosec biz Emsisoft who spotted a post on Egregor's website about the alleged attack and showed us a screenshot, opined to El Reg: “EWM is not the first company to be hit when close to being down and out. Such incidents could be coincidences, or they could be the result of security being diminished due to IT staff being let go.”

Egregor's operators published a zip file of what they claimed to be stolen data extracted from EWM.

While The Register tends to avoid amplifying ransomware gangs’ self-publicity, in this instance it is noteworthy because the Egregor gang and their brand of malware appear to be filling a criminal void after the Maze gang publicly claimed to be ending their ransomware antics earlier this month.

Despite all the breathless hype surrounding ransomware criminals and their extortion efforts, however, there is little indication that the individuals behind Maze have actually given up; it is possible they have merely rebranded, or the people behind the Maze name have split up and are continuing their criminality with others who may or may not be part of Egregor. Maze's clearnet website went down a couple of weeks ago.

Infosec firm Cyble has published a blog post about Egregor and its Sekhmet malware family, which it said has been seen in the wild since September 2020. In October the gang was said to have compromised the London-based Foxtons estate agent, which the LSE-listed firm partially admitted while insisting it had had little effect. ®
Biting the hand that feeds IT © 1998–2020