Several security teams have recently discovered the scariest new strain of highly-sophisticated ransomware called MegaCortex. Although this new strain sounds like something out of this world, MegaCortex is a purpose-built threat used to seek and destroy corporate networks, as a whole. Yes, you read that correctly, ENTIRE NETWORKS. What makes this strain on ransomware so unique, is once penetrated, attackers will begin releasing various payloads, infecting your network by rolling out malware to servers, and workstations using your very own domain controller or “DC,” as many know it today.
These attacks have already been detected in the United States, Italy, Canada, France, and a few other European Union (EU) nations. This comes to many in the cybersecurity community as a recently discovered strain, meaning not much is known about how it’s encryption works, or how they are getting in. Worst of all, we don’t know if the ransom payments are being honored as of yet. This is everything we know about MegaCortex ransomware.
How MegaCortex Strikes
Many security and analytics companies have begun diving deeper into this strain of malware. Findings include similar actions to the RYUK Strain, where attackers use Trojan operators to access infected systems. What this means specifically is, if Emotet or Qakbot Trojans have been present on network devices, there is a growing concern, this could be potential network backdoors.
How MegaCortex Uses Your Own Domain Controllers
Although this case isn’t clear how the bad guys are getting into your network, many victims have reported numerous attacks originating from a compromised domain controller. On the domain controller, Cobalt Strike is being dropped and executed to create a reverse shell back to an attacker host.
Using this shell, attackers take control of your domain controller configuring and distributing a copy of the malware executable and batch-files across your network. This file then executes 44 different processes, including disabling Windows Services.
During the encryption of your system, ransomware will append extension file names, including “.aes128ctr.” We do not know if these extensions are static or created dynamically by each infection, including a secondary payload.
Secondary Payload? What Gives?!
In an effort to deliver the most accurate information, security researchers have also identified what would appear to many as a Secondary Hit, or Secondary Main Component. In plain-English, this means its delivery system is multi-staged and uses multiple payloads on a single device. We are still unclear at this time if the malware is dropping MegaCortex or if it’s maliciously installed.
How to Block MegaCortex Infections All Together
It’s recommended for many and Clare Computer Solutions’ best practice to have a weapons-grade backup solution, either off-site or in the cloud. As many strands of ransomware target these backups first, and foremost.
In this article “Locking it Down: Remote Desktop Protocol,” we highlighted the need for many businesses’ to secure RDP Services that are publicly accessed via the internet. If your machine MUST run RDP, make sure it’s placed behind a firewall, and only made accessible via a VPN tunnel.
Although this ransomware isn’t being spread by email spam, it’s possible the Trojans listed above, can and will. That is why it’s crucial to always identify and inform you of this phishing, and social engineering attacks, to build greater awareness.
Does It Feel like I’m Speaking Another Language?
If you’re unsure where to begin, our security specialists can help! With over 30 years of experience in information technology, our staff knows what it takes to meet security standards. Get ahead of the bad guys, with a Security Posture Evaluation.