14 January 21, 08:40
Quote:
MegaCortex Ransomware Has Been Targeting Businesses Since January 2019. Learn How to Protect Your Enterprise from It.
Cybercriminals only want one thing these days, and that thing is substantial payouts. This is why most hackers focus on big game hunting, directing the vast majority of their efforts towards company networks rather than individual home users. MegaCortex ransomware is one digital threat with this particular MO, and a rather dangerous one at that.
In the following lines, I will go into what MegaCortex ransomware is and what separates its two known versions from one another. A technical analysis will ensue afterward, followed by actionable advice on how to prevent an attack. So, without further ado, let’s get down to business.
What is MegaCortex Ransomware?
MegaCortex ransomware is a malware strain that initially appeared in January 2019 and was reportedly first announced by ransomware hunter Michael Gillespie on Twitter in May of the same year. Operators employ an assortment of manual and automated components to infect as many devices as possible.
Corporations are MegaCortex ransomware’s primary target, not individual home users. File encryption, information theft, and disabling user access rights are among this ransomware’s main capabilities. Two variants have been identified and analyzed thus far.
MegaCortex Ransomware Version 1
A few notable characteristics set MegaCortex ransomware version 1 apart from other cyber-threats. For one, its payload contains a signed executable file. What is more, the operators offer their victims security consulting services as part of the attack. According to findings cited in a Bleeping Computer article from July 2019, MegaCortex ransomware targets networks that have already been infected with well-known Trojans such as Emotet and Qakbot.
The first MegaCortex ransomware version was designed to protect itself: it required a password to be supplied as a command-line argument before it would run. This made it difficult for security researchers and vendors to analyze and reverse engineer the strain unless that password was captured while the infection was being deployed.
MegaCortex Ransomware Version 2
In another Bleeping Computer article, from November 2019, cybersecurity author Lawrence Abrams stated that a prior infection by other malware is what allows the ransomware operators to access a company's systems so easily. The same post publicized the discovery of MegaCortex ransomware version 2.
Accenture Security analyzed a sample of MegaCortex ransomware version 2 and highlighted the differences between it and version 1. While the password protection discussed in the previous section made the initial variant harder to pin down, it also prevented the operators from carrying out large-scale infections.
Because the password had to be supplied at launch, the ransomware had to be deployed by hand; an automated rollout would have risked leaking the password.
Version 2 corrected this with a redesign that restructured MegaCortex ransomware and allowed it to self-execute. Moreover, Lawrence Abrams underlined that the updated variant changes the victims' Windows passwords and steals copies of their data, threatening to make the data public if the ransom is not paid.
MegaCortex Ransomware Analysis
There are a few technical telltale signs that can reveal whether or not your network has fallen victim to a MegaCortex infection. In the following subsections, I will present the ransom note for each variant, as well as further indicators of compromise (IoCs) to help you identify an attack promptly if the worst-case scenario occurs.
MegaCortex Ransomware Note
Upon encryption, MegaCortex ransomware creates a ransom note on the infected device titled !!!_READ_ME_!!!.txt. Michael Gillespie reproduced the version 1 text of the note in a Pastebin.com link included in his tweet revealing the then-new strain:
Quote:
Your companies cyber defense systems have been weighed, measured and have been found wanting. The breach is a result of grave neglect of security protocols. All of your computers have been corrupted with MegaCortex malware that has encrypted your files.
We ensure that the only way to retrieve your data swiftly and securely is with our software. Restoration of your data requires a private key which only we possess. Don’t waste your time and money purchasing third party software, without the private key they are useless.
It is critical that you don’t restart or shutdown your computer. This may lead to irreversible damage to your data and you may not be able to turn your computer back on.
To confirm that our software works email to us 2 files from random computers and C:\fracxidg.tsv file(‘s) and you will get them decrypted. C:\fracxidg.tsv contain encrypted session keys we need in order to be able to decrypt your files.
The softwares price will include a guarantee that your company will never be inconvenienced by us. You will also receive a consultation on how to improve your companies cyber security. If you want to purchase our software to restore your data contact us at:
shawhart1542925@mail.com
anderssperry6654818@mail.com
We can only show you the door. You’re the one who has to walk through it.
With version 2 of MegaCortex ransomware, the ransom note changes slightly to accommodate the updates brought to the strain. You can see the reimagined text in the image below of the document now titled !-!_README_!-!.rtf, courtesy of Bleeping Computer.
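The file-system indicators named above (the two ransom note file names, the C:\fracxidg.tsv session-key file the v1 note asks victims to send in, and the two contact addresses printed in the v1 note) are enough for a quick hunt across a host. The script below is an added example, not code from the original article or from any vendor; the sample paths and note fragment it runs over are constructed for the demonstration, and the scan_tree helper is there for running the same checks against a real directory or mounted disk image.

```python
"""Hunt for the MegaCortex file-system indicators named on this page.

Added example, not code from the original article. The indicators come
from the text above: the v1 ransom note !!!_READ_ME_!!!.txt, the v2 note
!-!_README_!-!.rtf, the C:\\fracxidg.tsv session-key file that the v1 note
tells victims to send in, and the two contact addresses printed in the v1
note. The sample paths and note text below are constructed for the demo.
"""
import os
import re
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Optional, Tuple

# Ransom note file names and the variant each one belongs to.
NOTE_NAMES: Dict[str, str] = {
    "!!!_READ_ME_!!!.txt": "v1",
    "!-!_README_!-!.rtf": "v2",
}
# NTFS is case-insensitive, so match note names without regard to case.
_NOTE_LOOKUP = {name.lower(): variant for name, variant in NOTE_NAMES.items()}

# Session-key file named in the v1 note. PureWindowsPath equality is
# case-insensitive, so c:\FRACXIDG.TSV matches as well.
SESSION_KEY_FILE = PureWindowsPath(r"C:\fracxidg.tsv")

# Contact addresses printed in the v1 note.
CONTACT_ADDRESSES = {
    "shawhart1542925@mail.com",
    "anderssperry6654818@mail.com",
}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def classify_path(path: str) -> Optional[str]:
    """Return an indicator tag for a Windows path, or None if it is clean."""
    p = PureWindowsPath(path)
    variant = _NOTE_LOOKUP.get(p.name.lower())
    if variant:
        return "ransom_note_" + variant
    if p == SESSION_KEY_FILE:
        return "session_key_file"
    return None


def scan_paths(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Classify every path and return the (path, tag) pairs that matched."""
    hits = []
    for path in paths:
        tag = classify_path(path)
        if tag:
            hits.append((path, tag))
    return hits


def contacts_in_note(text: str) -> List[str]:
    """Return the known MegaCortex contact addresses found in a note body."""
    found = set(EMAIL_RE.findall(text))
    return sorted(found & CONTACT_ADDRESSES)


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk a real directory tree (a live host or a mounted image) and scan it."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            paths.append(os.path.join(dirpath, name))
    return scan_paths(paths)


# Constructed sample input: paths as they might appear on an infected host,
# plus a fragment of note text modelled on the v1 note quoted above.
SAMPLE_PATHS = [
    r"C:\Users\alice\Desktop\!!!_READ_ME_!!!.txt",
    r"C:\Users\alice\Documents\budget.xlsx",
    r"c:\FRACXIDG.TSV",
    r"D:\shares\finance\!-!_README_!-!.rtf",
    r"C:\Windows\System32\notepad.exe",
]
SAMPLE_NOTE = (
    "If you want to purchase our software to restore your data contact us at:\n"
    "shawhart1542925@mail.com\nanderssperry6654818@mail.com\n"
)

if __name__ == "__main__":
    for path, tag in scan_paths(SAMPLE_PATHS):
        print(f"{tag:18} {path}")
    print("contacts:", contacts_in_note(SAMPLE_NOTE))
```

The session-key check deliberately matches only the root-level C:\fracxidg.tsv the note names, so a same-named file elsewhere is not reported; loosen that in classify_path if you want to catch copies of the file that were moved before triage.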
...