A new variant of the MegaCortex ransomware is targeting corporations across Europe and the United States and issuing ransom demands worth millions, according to a blog post by researchers at Accenture iDefense on campaigns that use MegaCortex v2.
According to Leo Fernandes, Senior Manager of the Malware Analysis and Countermeasures (MAC) team, the actors behind the ransomware are focusing on enterprise firms. In recent targeted attacks, the operators of the C++ malware have concentrated on infiltrating servers holding corporate resources in order to encrypt them along with any connected network hosts.
The Qbot, Emotet, and Rietspoof Trojans are believed to play a role in distributing the malware. Several security researchers have tracked the ransomware back to Rietspoof loaders.
Earlier versions of MegaCortex contained a payload protected by a password that was only made available during a live infection. According to the researchers, this made reverse engineering more difficult, but it also made widespread distribution a challenge, since the threat actors had to monitor each infection and manually finish the job once the damage was done.
In the new version of MegaCortex the malicious code executes itself: the live password requirement has been removed and the password is now hard-coded.
Accenture also notes that the batch files the operators previously ran by hand to kill antivirus solutions and other processes have been replaced by automated execution. In addition, the main payload, which used to be launched through rundll32.exe, is now decrypted and executed from memory.
After infection, the malware scans the compromised system and compares running processes against a 'kill' list in order to terminate security and analysis software. It then enumerates the available drives and encrypts files, appending the .megacortex extension. Shadow copies are deleted and the ransom note is dropped in the C:\ directory.
The files are encrypted using an RSA public key hard-coded into the malware.
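The behaviour chain described above (process kills from a list, shadow copy deletion, mass renaming to .megacortex, a note in the root of C:\) is what an endpoint detection rule would key on. The following is an added detection sketch, not code from the Accenture report; the telemetry record format, the window and threshold values, the terminated process names and the ransom note file name are all assumptions, and the sample events are constructed.

```python
"""Score endpoint telemetry for the MegaCortex v2 behaviour chain (added example)."""
from collections import Counter

MEGACORTEX_EXT = ".megacortex"  # extension named in the report

# Constructed telemetry: dicts with a timestamp in seconds, a 'kind' and a few fields.
# The record layout stands in for whatever an EDR or Sysmon pipeline would emit.
SAMPLE_EVENTS = [
    {"ts": 0, "kind": "process_terminated", "image": "av_service.exe"},  # constructed name
    {"ts": 1, "kind": "process_terminated", "image": "edr_agent.exe"},   # constructed name
    {"ts": 2, "kind": "shadow_copy_deleted"},
    *[{"ts": 3 + i, "kind": "file_rename",
       "old": f"D:\\share\\doc{i}.xlsx", "new": f"D:\\share\\doc{i}.xlsx{MEGACORTEX_EXT}"}
      for i in range(25)],
    {"ts": 30, "kind": "file_create", "path": "C:\\RANSOM_NOTE_PLACEHOLDER.txt"},  # placeholder name
    {"ts": 31, "kind": "file_rename", "old": "C:\\tmp\\a.log", "new": "C:\\tmp\\a.log.bak"},  # benign noise
]


def is_root_of_c(path):
    """True for a file directly under C:\\ (the report's note location), not in a subfolder."""
    p = path.lower()
    return p.startswith("c:\\") and "\\" not in p[3:]


def score_events(events, window=60, rename_threshold=20):
    """Return evidence for each of the four reported stages seen within `window` seconds
    of the first rename to .megacortex; 'stage_count' is how many stages were observed."""
    renames = [e for e in events
               if e["kind"] == "file_rename" and e["new"].lower().endswith(MEGACORTEX_EXT)]
    if not renames:
        return {"stage_count": 0, "renamed": 0, "verdict": "no .megacortex activity"}
    t0 = renames[0]["ts"]
    in_window = [e for e in events if t0 - window <= e["ts"] <= t0 + window]
    kills = Counter(e["image"] for e in in_window if e["kind"] == "process_terminated")
    shadow = any(e["kind"] == "shadow_copy_deleted" for e in in_window)
    notes = [e["path"] for e in in_window if e["kind"] == "file_create" and is_root_of_c(e["path"])]
    stages = sum([bool(kills), shadow, len(renames) >= rename_threshold, bool(notes)])
    return {
        "stage_count": stages,
        "renamed": len(renames),
        "killed": dict(kills),
        "shadow_copies_deleted": shadow,
        "notes_in_c_root": notes,
        # Three of four stages close together is a strong signal; one alone is not.
        "verdict": "likely MegaCortex-style ransomware" if stages >= 3 else "inconclusive",
    }


if __name__ == "__main__":
    print(score_events(SAMPLE_EVENTS))
```

Mass renames alone (for example a backup job) score a single stage, which is why the verdict requires the process kills or shadow copy deletion to coincide with them.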
MegaCortex ransom demands have ranged from two to 600 Bitcoins, roughly $20,000 to $5.8 million. The ransom note also states that the actors are motivated mainly by profit.
With a hard-coded password and an anti-analysis component, third parties or affiliated actors could distribute the ransomware without needing an actor-supplied password for each installation.
The researchers state that the number of MegaCortex incidents could rise if the actors begin delivering it through email campaigns or as a second-stage payload dropped by other malware families.