A relatively new family of ransomware called “MegaCortex” is leveraging automation to prey upon users around the world. In early May, Sophos detected a sharp increase in the number of malware attacks targeting its customers in the United States, Canada, the Netherlands, Italy and other countries. The British security software and hardware company found that these campaigns all delivered MegaCortex, a threat whose name pays homage to the first Matrix
A Singular Piece of Ransomware
Andrew Brandt, a principal researcher for Sophos, says that MegaCortex stands out among other ransomware because it extensively uses automation to improve its chances of infecting a greater number of victims. As quoted in the company’s threat research
"In attacks we’ve investigated, the attackers used a common red-team attack tool script to invoke a meterpreter reverse shell in the victim’s environment. From the reverse shell, the infection chain uses PowerShell scripts, batch files from remote servers, and commands that only trigger the malware to drop encrypted secondary executable payloads (that had been embedded in the initial dropped malware) on specified machines."
Automation isn’t the only factor through which MegaCortex distinguishes itself. Here are some other notable features:
- The ransomware uses a long batch file to help it evade detection by anti-virus solutions and similar software. The batch file contains a series of commands that kill 44 processes, issue stop commands to 189 services and switch the Startup Type of 194 services to “disabled.” This last step prevents those services from starting again, even after a reboot.
- The crypto-malware doesn’t specify how much MegaCortex’s handlers want victims to pay in its ransom note. But it does promise victims that they’ll receive “a consultation on how to improve your companies (sic) cyber security” and “a guarantee that your company will never be inconvenienced by us” once they’ve paid the ransom. It’s unclear at this time whether the attackers have followed through on these “generous” promises.
- Following the publication of Sophos’ findings, security researchers informed ZDNet that MegaCortex differs from previous “targeted ransomware attacks” in that it doesn’t rely on brute-forcing RDP endpoints or dropping ransomware as a second-stage payload through Emotet, Trickbot or Qbot. Instead it makes its way onto an attacked network through a malware loader called Rietspoof.
- Apparently, at least one attack occurred after bad actors stole an administrator’s credentials. They then used those credentials to launch the attack from a domain controller inside the targeted enterprise network.
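The first bullet above describes the structure of the batch file: force-kill processes, stop services, then set the same services to “disabled” so they cannot come back. The following Python script is an added example written for this page, not code from Sophos or from the malware, that flags that stop-then-disable pattern in a batch file. Both batch scripts it analyses are constructed here for illustration (the process and service names are arbitrary and are not the names MegaCortex targets), and the thresholds are assumptions to be tuned per environment.

```python
import re
from dataclasses import dataclass

# Constructed sample in the style the article describes: a batch file that
# force-kills processes, stops services, then sets them to "disabled" so they
# cannot restart. Written for this page; NOT the MegaCortex script, and the
# process/service names are chosen arbitrarily.
SAMPLE_BATCH = r"""
@echo off
taskkill /IM mspub.exe /F
taskkill /F /IM sqlservr.exe
taskkill /IM "outlook.exe" /F
net stop "SQLWriter" /y
net stop MSSQLSERVER /y
net stop wuauserv /y
sc config "SQLWriter" start= disabled
sc config MSSQLSERVER start= disabled
sc config wuauserv start= disabled
sc config Sense start= disabled
"""

# Constructed benign script for comparison: bounces one service, disables nothing.
BENIGN_BATCH = r"""
@echo off
net stop Spooler /y
net start Spooler
taskkill /IM notepad.exe /F
"""

# One command argument, either quoted ("Service With Spaces") or bare (Spooler).
_ARG = r'(?:"([^"]+)"|(\S+))'
TASKKILL_IM = re.compile(r'/im\s+' + _ARG, re.I)                       # taskkill ... /IM <name>
NET_STOP = re.compile(r'^\s*net\s+stop\s+' + _ARG, re.I)               # net stop <name>
SC_DISABLE = re.compile(r'^\s*sc\s+config\s+' + _ARG + r'\s+start=\s*disabled\b', re.I)


def _name(m):
    """Return whichever alternative of _ARG matched (quoted or bare)."""
    return m.group(1) if m.group(1) is not None else m.group(2)


@dataclass
class BatchReport:
    killed_processes: list
    stopped_services: list
    disabled_services: list
    stop_then_disable: list   # services that are both stopped and set to disabled
    verdict: str              # "suspicious" or "benign"


def analyze_batch(text, pair_threshold=3, disable_threshold=20):
    """Count kill/stop/disable commands in a batch script and flag the
    stop-then-disable pattern. Thresholds are illustrative assumptions."""
    killed, stopped, disabled = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith(("rem ", "::")):
            continue  # blank line or batch comment
        if line.lower().startswith("taskkill"):
            m = TASKKILL_IM.search(line)  # /IM may come before or after /F
            if m:
                killed.append(_name(m))
            continue
        m = NET_STOP.match(line)
        if m:
            stopped.append(_name(m))
            continue
        m = SC_DISABLE.match(line)
        if m:
            disabled.append(_name(m))
    # Service names are case-insensitive on Windows, so intersect case-insensitively.
    stopped_lower = {s.lower() for s in stopped}
    paired = sorted(s for s in disabled if s.lower() in stopped_lower)
    suspicious = len(paired) >= pair_threshold or len(disabled) >= disable_threshold
    return BatchReport(killed, stopped, disabled, paired,
                       "suspicious" if suspicious else "benign")


if __name__ == "__main__":
    for label, script in (("sample", SAMPLE_BATCH), ("benign", BENIGN_BATCH)):
        r = analyze_batch(script)
        print(f"{label}: {r.verdict}; killed={len(r.killed_processes)} "
              f"stopped={len(r.stopped_services)} disabled={len(r.disabled_services)} "
              f"stop+disable={r.stop_then_disable}")
```

The check keys on the stop-then-disable pairing rather than on raw counts alone, because a legitimate maintenance script may stop a handful of services but rarely sets them to “disabled” afterwards; the raw disable count is kept as a second trigger for scripts that disable services without stopping them first.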
Connections to Another Threat
The fact that at least one MegaCortex infection involved a domain controller is significant, as it links this threat to another piece of malware: LockerGoga, the ransomware family which disrupted operations at aluminum firm Norsk Hydro. As with MegaCortex, attackers used a compromised domain controller to push LockerGoga out to targeted machines. The similarities don’t stop there, either. As reported by Dark Reading, the two threats share at least one command-and-control (C&C) address as well as a near-identical batch file. They’re also two of the only threats that rename the files they plan to encrypt before encrypting them.
Notwithstanding these similarities to LockerGoga, MegaCortex’s origins are still unknown.
Using Email Security to Defend Against MegaCortex
One of the easiest ways for an attacker to set themselves up to steal admin credentials, compromise a domain controller and ultimately deploy MegaCortex is to establish an initial foothold on the network with a phishing attack and then move laterally. This reality highlights the need for organizations to defend themselves against email-borne threats with a multi-layered solution that scans incoming messages for well-worn attack patterns, malicious URLs, known malware signatures and other indicators. The tool should conduct this analysis in real time while allowing legitimate correspondence to pass through.
Defend against sophisticated ransomware like MegaCortex using ZixProtect