MegaCortex, The New Entrant In The List of Ransomware
Sophos, the UK security company, has detected a new ransomware called MegaCortex. The number of infections is still relatively small, but it has been increasing since May 1.
Sophos has detected the emergence of MegaCortex in the US, Canada, Argentina, Italy, the Netherlands, France, Ireland, Hong Kong, Indonesia, and Australia.
This ransomware has manual components that resemble Ryuk and BitPaymer, but the criminals behind MegaCortex use more automated tools to launch their attacks.
To date, we have seen automated attacks, manual attacks, and blended attacks that tend to use manual hacking techniques to move laterally; with MegaCortex, the blend leans more heavily toward automated components. This new formula is designed to spread the infection to more victims, and faster.
According to Sophos, MegaCortex stands out in that its ransom note states no explicit ransom amount. Instead, the attacker's note asks the victim to email them files from random computers, together with the hard drive path, and promises to decrypt them. The cybercriminals also guarantee that, once paid, the victim's company "will not be bothered by us," and offer a consultation on how to improve the company's cybersecurity.
It turns out that there is a strong correlation between the presence of MegaCortex and a pre-existing infection, still active on the victim's network, with either Emotet or Qbot. If an IT manager sees an alert about Emotet or Qbot, that alert must be given high priority. Both bots can be used to spread further malware, and this is probably how a MegaCortex infection starts.
So far, Sophos has not seen indications that Remote Desktop Protocol (RDP) was abused to break into the network, but we know that corporate firewalls commonly have holes that allow inbound connections to RDP. We advise against this practice and recommend that IT admins who need RDP put those machines behind a VPN. Because the attacks indicate that administrative passwords have been abused by the cybercriminals, we also recommend adopting two-factor authentication as widely as possible.
Regularly backing up your important and newly created data to an offline storage device is the best way to avoid having to pay a ransom. Use anti-ransomware protection, such as Sophos Intercept X, to block MegaCortex and other ransomware in the future.
Sophos Senior Security Adviser John Shier suspects this is a "jumbo package" of script-kiddie and living-off-the-land techniques, and a good example of what has recently been referred to as cybercriminal penetration testing.
The MegaCortex attackers have taken the blended-threat approach and turned it up to 11 by increasing the number of automated components used against their victims.
"Once they get your IT admin credentials, no one can stop their attacks. Launching attacks from your own residential controls is a great way for attackers to get the authority they need to have a comprehensive impact on an organization. Organizations must pay attention to basic security controls and conduct security checks before the criminals take control, to prevent attackers like this from sneaking in," he said.