MegaCortex is a relatively new ransomware family that continues the 2019 trend of threat actors developing ransomware specifically for targeted attacks on enterprises.
In the first week of June 2019, MegaCortex was analysed after a sample was found with the help of the MalwareHunter Team. Along with this sample came a wave of attacks that affected many organizations.
How does MegaCortex Ransomware work?
The attackers first gained access to a network and then compromised the Windows domain controller.
Once the domain controller was compromised, the attackers deployed Cobalt Strike in order to open a reverse shell back to themselves.
After gaining access to the domain controller, the attackers configured it to distribute a batch file, a renamed PsExec, and winnit.exe, one of the main executables of the malware, to the rest of the computers on the network.
When winnit.exe is launched, a specific base64-encoded string has to be supplied as an argument in order for the ransomware to extract a DLL and inject it into memory.
After this step, they run the batch file remotely. This file terminates Windows processes and stops and disables services that would interfere with the ransomware's routines.
The injected DLL is the one responsible for file encryption. It checks whether each file is accessible for encryption; if a file is still not accessible after several attempts, this is logged to C:\oz_nqjjp.log.
Once the ransomware routine is activated, it creates these files:
The ******** stands for 8 random characters that are the same for all three files on the affected system. These names are also mentioned in the ransom note, called !!!_READ_ME_!!!.txt.
The ransom note, the log file, and the .tsv file are all placed in the root of the drive. The DLL, on the other hand, is found in the %temp% folder.
The encrypted files are given the extension .aes128ctr. The encryption routine skips files with the extensions:
The routine also skips the files:
It also skips all files and subfolders under %windir%, with the exception of %windir%\temp. In addition, MegaCortex deletes all shadow copies on the affected system.
After the encryption routine is complete, MegaCortex displays this rather theatrical ransom note, high on drama and low on grammatical correctness.
As the ransomware encrypts a file, it appends the .megac0rtx extension to the encrypted file's name. For example, test.jpg would be encrypted and renamed to test.jpg.megac0rtx.
Each file that is encrypted will also contain the string MEGA-G8=.
While encrypting, the ransomware also creates a log file at C:\x5gj5_gmG8.log that contains a list of the files it could not encrypt.
When it has finished encrypting files, the ransomware creates a ransom note named !!!_READ-ME_!!!.txt and saves it on the victim's desktop. This ransom note contains email addresses the victim can use to contact the attackers for payment instructions. The note states that ransom amounts range anywhere from 2-3 bitcoins to 600 BTC.
During its execution, the ransomware also deletes Shadow Volume Copies using the vssadmin delete shadows /all /for=C: command.
In addition, Kremez told BleepingComputer that there are references to the Windows cipher /W: command, which is used to overwrite deleted data so that it cannot be recovered with file recovery software.
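As an added example (not code from the original article or from the MegaCortex sample itself), a small Python triage script that checks file paths and process command lines against the host artifacts described above: the two encrypted-file extensions, the ransom note names, the log files in the drive root, the MEGA-G8= string, and the vssadmin, cipher and winnit.exe command lines. The sample paths and command lines at the bottom are constructed for this example.

```python
import re

# Indicators taken from the behaviour described in the article.
ENCRYPTED_EXTENSIONS = (".aes128ctr", ".megac0rtx")
RANSOM_NOTES = {"!!!_read_me_!!!.txt", "!!!_read-me_!!!.txt"}
DROPPED_LOGS = {r"c:\oz_nqjjp.log", r"c:\x5gj5_gmg8.log"}
FILE_MARKER = b"MEGA-G8="

# Command lines the article ties to the attack chain, matched case-insensitively.
COMMAND_RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\s+/all\b", re.I),
    "free_space_wipe": re.compile(r"\bcipher(?:\.exe)?\s+/w:", re.I),
    "winnit_launch": re.compile(r"\bwinnit\.exe\s+\S+", re.I),  # run with its base64 argument
}

def classify_path(path: str) -> list:
    """Indicator names a file path matches (empty list if none)."""
    p = path.lower()
    hits = []
    if p.endswith(ENCRYPTED_EXTENSIONS):
        hits.append("encrypted_file_extension")
    if p.rsplit("\\", 1)[-1] in RANSOM_NOTES:
        hits.append("ransom_note")
    if p in DROPPED_LOGS:
        hits.append("ransomware_log")
    return hits

def classify_command(cmdline: str) -> list:
    """Command rules a process command line matches."""
    return [rule for rule, rx in COMMAND_RULES.items() if rx.search(cmdline)]

def has_file_marker(data: bytes) -> bool:
    """True if file content carries the MEGA-G8= string the article says encrypted files contain."""
    return FILE_MARKER in data

def triage(paths, cmdlines) -> dict:
    """Count every indicator seen across file paths and process command lines."""
    hits = [h for p in paths for h in classify_path(p)]
    hits += [h for c in cmdlines for h in classify_command(c)]
    counts = {}
    for hit in hits:
        counts[hit] = counts.get(hit, 0) + 1
    return counts

# Constructed sample data (not from the article): file paths and process command lines.
SAMPLE_PATHS = [r"C:\Users\alice\Documents\test.jpg.megac0rtx",
                r"C:\Users\alice\Desktop\!!!_READ-ME_!!!.txt",
                r"C:\x5gj5_gmG8.log", r"C:\Users\alice\Documents\budget.xlsx"]
SAMPLE_CMDLINES = ["vssadmin delete shadows /all /for=C:", "cipher /W:C:\\",
                   "notepad.exe readme.txt"]
```

Running triage(SAMPLE_PATHS, SAMPLE_CMDLINES) over the sample data reports one hit for each of the five indicator types; a renamed PsExec is not matched here because the article gives no name for it.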
Recommended protection against MegaCortex
They're still trying to develop a clearer picture of the infection process, but for now it appears that there is a strong correlation between the presence of MegaCortex and pre-existing, ongoing infections on the victims' networks with both Emotet and Qbot. If you are seeing alerts about Emotet or Qbot infections, those should take a high priority. Both of these bots can be used to distribute other malware, and it is possible that is how the MegaCortex infections got their start.