Several security teams have recently discovered the scariest new strain of highly sophisticated ransomware called MegaCortex. Although the name sounds like something out of this world, MegaCortex is a purpose-built threat designed to seek out and destroy corporate networks as a whole. Yes, you read that correctly: ENTIRE NETWORKS. What makes this strain of ransomware so unique is that, once attackers have penetrated a network, they begin releasing various payloads, infecting the network by rolling out malware to servers and workstations using your very own domain controller, or “DC,” as many know it today.

These attacks have already been detected in the United States, Italy, Canada, France, and a few other European Union (EU) nations. Because this strain was only recently discovered, not much is known yet about how its encryption works or how the attackers are getting in. Worst of all, we don’t yet know whether ransom payments are being honored. This is everything we know about MegaCortex ransomware.

How MegaCortex Strikes

Many security and analytics companies have begun diving deeper into this strain of malware. Findings include actions similar to the Ryuk strain, where attackers use Trojan operators to access infected systems. Specifically, this means that if the Emotet or Qakbot Trojans have been present on network devices, there is a growing concern that they could be acting as network backdoors.

How MegaCortex Uses Your Own Domain Controllers

Although it isn’t clear in this case how the bad guys are getting into your network, many victims have reported numerous attacks originating from a compromised domain controller. On the domain controller, Cobalt Strike is dropped and executed to create a reverse shell back to an attacker host.

Using this shell, attackers take control of your domain controller, configuring and distributing a copy of the malware across your network. This file then executes 44 different processes, including disabling Windows services.

During the encryption of your system, the ransomware appends file extensions, including “.aes128ctr.” We do not know whether these extensions are static or created dynamically by each infection, nor whether a secondary payload is included.

Secondary Payload? What Gives?

In an effort to deliver the most accurate information, security researchers have also identified what would appear to many as a Secondary Hit, or Secondary Main Component. In plain English, this means its delivery system is multi-staged and uses multiple payloads on a single device. At this time we are still unclear whether the malware drops MegaCortex itself or whether it is maliciously installed by other means.

How to Block MegaCortex Infections Altogether

Clare Computer Solutions’ best practice is to have a weapons-grade backup solution, either off-site or in the cloud, as many strains of ransomware target these backups first and foremost.

In the article “Locking it Down: Remote Desktop Protocol,” we highlighted the need for many businesses to secure RDP services that are publicly accessible via the internet. If your machine MUST run RDP, make sure it’s placed behind a firewall and only made accessible via a VPN tunnel.
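One way to enforce the “RDP only via VPN” rule above on the host itself, using the built-in Windows Firewall (added example written for this post, not code from the original article or from Clare Computer Solutions). It first audits inbound rules that expose TCP 3389 to any remote address, disables them, and then allows RDP only from an assumed VPN client range of 10.8.0.0/24, which you must replace with your own.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell session.
# Assumption: VPN clients receive addresses from 10.8.0.0/24; change to your own pool.
$VpnSubnet = '10.8.0.0/24'

function Get-ExposedRdpRule {
    # Enabled inbound Allow rules for TCP 3389 whose remote address is unrestricted ("Any").
    # The built-in "Remote Desktop" rules fall into this category by default.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            ($port.Protocol -eq 'TCP') -and
            ($port.LocalPort -contains '3389') -and
            ($addr.RemoteAddress -contains 'Any')
        }
}

function Set-RdpVpnOnly {
    param([Parameter(Mandatory)][string]$Subnet)

    # 1. Disable (not delete) every rule that opens RDP to the world, so the change
    #    is reviewable and reversible with Enable-NetFirewallRule.
    Get-ExposedRdpRule | ForEach-Object {
        Write-Output "Disabling unrestricted RDP rule: $($_.DisplayName)"
        Disable-NetFirewallRule -Name $_.Name
    }

    # 2. Make sure unsolicited inbound traffic is dropped by default on every profile.
    #    Without this, a permissive default would still let 3389 through.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

    # 3. Allow RDP only from the VPN address range. No rule is created for the Public
    #    profile, so a laptop on a coffee-shop network never exposes RDP at all.
    New-NetFirewallRule -DisplayName 'RDP - VPN clients only' `
        -Direction Inbound -Protocol TCP -LocalPort 3389 `
        -RemoteAddress $Subnet -Profile Domain, Private -Action Allow | Out-Null
}

Set-RdpVpnOnly -Subnet $VpnSubnet

# Re-audit: this should print nothing once the change has taken effect.
Get-ExposedRdpRule | Select-Object DisplayName, Profile
```

Because this is host-level only, it complements rather than replaces the perimeter firewall and VPN concentrator mentioned above; verify afterwards from an external network that TCP 3389 no longer answers.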

Although this ransomware isn’t being spread by email spam, it’s possible the Trojans listed above can be, and will be. That is why it’s crucial to continually identify phishing and social engineering attacks and inform you about them, to build greater awareness.

Does It Feel like I’m Speaking Another Language?

If you’re unsure where to begin, our security specialists can help! With over 30 years of experience in information technology, our staff knows what it takes to meet security standards. Get ahead of the bad guys with a Security Posture Evaluation.