SophosLabs Uncut has released detailed malware analysis of new ransomware, MegaCortex.
According to Sophos, MegaCortex was a relatively little-seen malware that suddenly spiked in volume on 1 May 2019.
Sophos has seen MegaCortex detections in the US, Canada, Argentina, Italy, the Netherlands, France, Ireland, Hong Kong, Indonesia, and Australia.
The ransomware has manual components similar to Ryuk and BitPaymer, but the adversaries behind MegaCortex use more automated tools to carry out the attack – which Sophos believes is unique.
Until now, Sophos has seen three kinds of ransomware attacks: fully automated, fully manual, and blended attacks that typically lean on manual hacking techniques for lateral movement. With MegaCortex, Sophos is seeing heavier use of automation coupled with the manual component.
This new formula is designed to spread the infection to more victims, more quickly.
As indicated in the SophosLabs Uncut article, “MegaCortex Ransomware Wants to be The One”, there is no explicit value for the ransom demand in the ransom note. The attackers invite victims to email them on either of two free mail.com email addresses and send along a file that the ransomware drops on the victim’s hard drive to request decryption “services”.
The ransom note also promises that, if the victims pay the ransom, the cybercriminals “will include a guarantee that your company will never be inconvenienced by us”, and continues, “You will also receive a consultation on how to improve your companies cyber security”.
John Shier, senior security advisor at Sophos, comments: “We suspect this is your script kiddie/living-off-the-land ‘mega bundle’ and a good example of what we’ve lately been calling cybercriminal pen-testing.
“The MegaCortex attackers have taken the blended threat approach and turned it up to 11, by increasing the automated component to target more victims. Once they have your admin credentials, there’s no stopping them.
“Launching the attack from your own domain controller is a great way for the attackers to inherit all the authority they need to impact everything in an organisation,” he says.
“Organisations need to pay attention to basic security controls and perform security assessments, before the criminals do, to prevent attackers like these from slipping through.”
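The pattern Shier describes, an attacker who holds admin credentials and pushes the payload to many hosts at once from the organisation’s own domain controller, leaves a distinctive trace in Windows logon auditing: a single source fanning out network logons (Event ID 4624, logon type 3) to many machines within minutes. The detector below is an added example written for this article; it is not code from Sophos, and the log lines, the IP addresses, the host names and the domain controller inventory are all constructed for illustration. It reads flattened 4624 records, groups them by source, and raises an alert when one source reaches at least five distinct targets inside a five-minute window, marking whether that source is a known domain controller.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security 4624 (successful logon) records,
# flattened to one line each. These are made up for this example; real events
# live in each member host's Security log and must be collected centrally.
SAMPLE_LOG = """\
2019-05-01T01:02:11 EventID=4624 LogonType=3 Source=10.0.0.5 Target=WKS-01 Account=CORP\\svc-backup
2019-05-01T01:40:30 EventID=4624 LogonType=3 Source=10.0.0.77 Target=WKS-01 Account=CORP\\jdoe-adm
2019-05-01T02:13:05 EventID=4624 LogonType=3 Source=10.0.0.5 Target=WKS-01 Account=CORP\\Administrator
2019-05-01T02:13:09 EventID=4624 LogonType=3 Source=10.0.0.5 Target=WKS-02 Account=CORP\\Administrator
2019-05-01T02:13:14 EventID=4624 LogonType=3 Source=10.0.0.5 Target=WKS-03 Account=CORP\\Administrator
2019-05-01T02:13:20 EventID=4624 LogonType=3 Source=10.0.0.5 Target=WKS-04 Account=CORP\\Administrator
2019-05-01T02:13:27 EventID=4624 LogonType=3 Source=10.0.0.5 Target=WKS-05 Account=CORP\\Administrator
2019-05-01T02:14:02 EventID=4624 LogonType=3 Source=10.0.0.5 Target=WKS-06 Account=CORP\\Administrator
2019-05-01T02:14:41 EventID=4624 LogonType=3 Source=10.0.0.5 Target=WKS-07 Account=CORP\\Administrator
2019-05-01T02:15:50 EventID=4624 LogonType=3 Source=10.0.0.5 Target=WKS-08 Account=CORP\\Administrator
2019-05-01T02:14:00 EventID=4624 LogonType=2 Source=10.0.0.5 Target=DC01 Account=CORP\\Administrator
2019-05-01T02:40:12 EventID=4624 LogonType=3 Source=10.0.0.77 Target=WKS-02 Account=CORP\\jdoe-adm
"""

# Assumed asset inventory for the example: which source addresses are DCs.
KNOWN_DOMAIN_CONTROLLERS = frozenset({"10.0.0.5"})

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_events(text):
    """Parse the flattened 'timestamp key=value ...' records into dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line) if line else None
        if not m:
            continue
        fields = dict(part.split("=", 1) for part in m.group("kv").split())
        events.append({
            "time": datetime.fromisoformat(m.group("ts")),
            "event_id": int(fields["EventID"]),
            "logon_type": int(fields["LogonType"]),
            "source": fields["Source"],
            "target": fields["Target"],
            "account": fields["Account"],
        })
    return events


def detect_fan_out(events, window=timedelta(minutes=5), min_targets=5,
                   domain_controllers=frozenset()):
    """Alert when one source logs on (type 3, network) to many distinct hosts
    inside `window`. Thresholds are illustrative and need tuning per estate."""
    by_source = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4624 and ev["logon_type"] == 3:
            by_source[ev["source"]].append(ev)

    alerts = []
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        i = 0
        while i < len(evs):
            start = evs[i]["time"]
            targets = set()
            j = i
            # Expand the window forward from event i and collect distinct targets.
            while j < len(evs) and evs[j]["time"] - start <= window:
                targets.add(evs[j]["target"])
                j += 1
            if len(targets) >= min_targets:
                alerts.append({
                    "source": source,
                    "start": start,
                    "end": evs[j - 1]["time"],
                    "targets": sorted(targets),
                    "accounts": sorted({e["account"] for e in evs[i:j]}),
                    "from_domain_controller": source in domain_controllers,
                })
                i = j  # skip past this burst so it is reported once
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in detect_fan_out(parse_events(SAMPLE_LOG),
                                domain_controllers=KNOWN_DOMAIN_CONTROLLERS):
        tag = "DOMAIN CONTROLLER" if alert["from_domain_controller"] else "host"
        print(f"{alert['source']} ({tag}) reached {len(alert['targets'])} hosts "
              f"between {alert['start']} and {alert['end']} as {alert['accounts']}")
```

In the sample, the backup service account’s lone logon and the admin workstation’s two logons an hour apart stay quiet, while the burst of Administrator network logons from the domain controller to eight workstations in under three minutes is reported once. A domain controller that suddenly acts as a logon source to many members, rather than a target, is the kind of baseline deviation worth alerting on; legitimate management tooling that does the same should be allow-listed by source and account rather than by raising the threshold.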