Egregor ransomware infection at Randstad

[German]Randstad, a globally active company for temporary employment, has fallen victim to an Egregor ransomware infection. The attackers infected the company's servers and had access to data on Randstad's activities in the United States, Poland, Italy and France.


Randstad was founded in the Netherlands and now operates on five continents. It is one of the largest temporary employment agencies in the world with a turnover of 23.7 billion euros in 2019. As the company announced on Thursday, December 3, 2020, the cyber attack was recently discovered (see the press release at the articles end). This Dutch medium reports about a hack and that the hackers have penetrated the company's servers.

Data stolen

Randstad hired cyber security experts and forensic investigators to investigate the cyber attack after the detection. The investigation revealed that a hacker group called Egregor was behind the cyber attack. It is probably also clear that data was stolen. The investigation is not yet complete, so it is not known which data was stolen. However, the Egregor group has published some of the stolen data. It is not yet clear what the extent of the data breach is.

Bleeping Computer reports here, that the Egregor ransomware group released a 32.7 MB archive containing 184 files, including spreadsheets, financial reports, legal documents, and other miscellaneous business records from the attack. This is said to represent approximately 1% of the captured Randstad data.

It was only when the data was released by the Ransomware Group that Randstad made the case public. The company also reported the cyber attack to the relevant regulatory authorities and investigative services.

Who is Egregor?

Egregor is a newly organized cybergang that uses ransomware-as-a-service and enters into agreements with other cybercriminals. The group attempts to compromise networks and infect them with their ransomware in order to be able to make a ransom demand. As part of this agreement, member organizations earn 70% of all ransom payments they bring in, and Egregor operators receive a 30% share of revenues.


Egregor began operations in mid-September 2020 after the ransomware gang Maze ceased operations. BleepingComputer writes that many cyber criminals who worked with Maze switched to Egregor. Egregor is responsible for ransomware attacks on Cencosud, Crytek, Ubisoft, and Barnes and Noble.

The press release says:

Randstad statement on cyber incident.


Randstad NV ("Randstad") recently became aware of malicious activity in its IT environment and an internal investigation into this incident was launched immediately with our 24/7 incident response team. Third party cyber security and forensic experts were engaged to assist with the investigation and remediation of the incident.

Prompt global action was taken to mitigate the incident while further protecting Randstad's systems, operations and data. As a result, a limited number of servers were impacted. Our systems have continued running without interruption and there has not been any disruption to our operations. Based on our current investigation there is no indication that any third party systems were impacted. Relevant regulatory authorities and law enforcement agencies have been notified.

To date, our investigation has revealed that the Egregor group obtained unauthorized and unlawful access to our global IT environment and to certain data, in particular related to our operations in the US, Poland, Italy and France. They have now published what is claimed to be a subset of that data. The investigation is ongoing to identify what data has been accessed, including personal data, so that we can take appropriate action with regard to identifying and notifying relevant parties.

The protection of our client and talent data is our highest priority and we are dedicating significant resources to deal with this regrettable incident. Unfortunately, Randstad is not alone in this situation as cyber criminals have become increasingly sophisticated and aggressive in recent months, resulting in many organizations suffering such attacks.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *