Delaware, USA – August 6, 2019 – MegaCortex ransomware is evolving rapidly, reducing the number of manual operations to a minimum. A couple of weeks ago, the first significant step toward simplifying the infection process was taken when the malware authors compiled the files necessary for infection into a single signed executable. The new version of the malware is now close to being ready for distribution by third parties or affiliates. Accenture experts analyzed fresh samples and found that the adversaries removed the password requirement for installation. Earlier versions of MegaCortex ransomware were password protected and required manual actions to start the infection. This, together with the use of multiple files to load the main component, allowed the malware to remain undetected until it was too late, but also made each attack significantly more time-consuming. Now the required password is hard-coded in the executable, so any adversary can initiate the encryption process. Experts suggest that such changes will increase the number of attacks using this ransomware family. In addition, the anti-analysis features and the ability to find and stop various security-related processes could lead to MegaCortex being spread in spam campaigns or delivered as an additional payload by widespread Trojans.
MegaCortex ransomware is currently used to attack corporate networks in Europe and North America. Adversaries infiltrate the network through a system already infected with Qakbot or Emotet, compromise the domain controller, and from there push a malicious executable to every system in the attacked organization.
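Two of the behaviours described above lend themselves to simple correlation over Sysmon process-creation telemetry: one executable appearing on many hosts within minutes (the "push to every system" step) and commands that stop security-related processes. The following script is an added example written for this page; it is not SOC Prime's Threat Detection Marketplace content and not derived from any MegaCortex sample. The Sysmon field names (`UtcTime`, `Computer`, `Image`, `Hashes`, `CommandLine`) follow the Sysmon Event ID 1 schema, while the event records, host names, hashes, the security-process watchlist and the stop-command patterns are all constructed assumptions for illustration.

```python
"""Toy detection over constructed Sysmon Event ID 1 (process creation) records.

Flags:
  1. the same binary (by SHA256) first seen on >= min_hosts distinct computers
     inside a short time window - the mass-deployment pattern;
  2. stop commands (taskkill / net stop / sc stop) naming a watchlisted
     security process or service.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed watchlist of security-related process/service names (assumption;
# a real deployment would list its own AV/EDR binaries and service names).
SECURITY_WATCHLIST = {"avservice.exe", "edragent"}

# Windows stop commands; the article only says the malware stops security
# processes, so the exact command forms are an assumption for this example.
STOP_CMD = re.compile(r"\b(taskkill|net\s+stop|sc\s+stop)\b", re.IGNORECASE)

TS = "%Y-%m-%d %H:%M:%S"  # Sysmon UtcTime format (seconds precision is enough here)

# Constructed sample events - not real telemetry. Hash values are placeholders.
PAYLOAD_SHA256 = "aa" * 32
TOOL_SHA256 = "bb" * 32
SAMPLE_EVENTS = [
    {"UtcTime": "2019-08-01 02:10:05", "Computer": "WS01", "Image": "C:\\Windows\\Temp\\payload.exe",
     "Hashes": "SHA256=" + PAYLOAD_SHA256, "CommandLine": "payload.exe"},
    {"UtcTime": "2019-08-01 02:10:07", "Computer": "WS02", "Image": "C:\\Windows\\Temp\\payload.exe",
     "Hashes": "SHA256=" + PAYLOAD_SHA256, "CommandLine": "payload.exe"},
    {"UtcTime": "2019-08-01 02:10:09", "Computer": "WS03", "Image": "C:\\Windows\\Temp\\payload.exe",
     "Hashes": "SHA256=" + PAYLOAD_SHA256, "CommandLine": "payload.exe"},
    {"UtcTime": "2019-08-01 02:31:00", "Computer": "WS04", "Image": "C:\\Windows\\Temp\\payload.exe",
     "Hashes": "SHA256=" + PAYLOAD_SHA256, "CommandLine": "payload.exe"},
    {"UtcTime": "2019-08-01 02:11:00", "Computer": "WS02", "Image": "C:\\Windows\\System32\\taskkill.exe",
     "Hashes": "SHA256=" + TOOL_SHA256, "CommandLine": "taskkill /F /IM avservice.exe"},
    {"UtcTime": "2019-08-01 03:00:00", "Computer": "WS09", "Image": "C:\\Windows\\System32\\net.exe",
     "Hashes": "SHA256=" + TOOL_SHA256, "CommandLine": "net stop spooler"},
    {"UtcTime": "2019-08-01 09:15:00", "Computer": "WS05", "Image": "C:\\Windows\\System32\\notepad.exe",
     "Hashes": "SHA256=" + "cc" * 32, "CommandLine": "notepad.exe"},
]


def sha256_of(event):
    """Pull the SHA256 value out of a Sysmon 'Hashes' field such as 'SHA256=..,MD5=..'."""
    for part in event.get("Hashes", "").split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def find_mass_deployment(events, min_hosts=3, window=timedelta(minutes=10)):
    """Return {sha256: sorted list of all hosts that ran it} for every binary whose
    first execution on at least `min_hosts` distinct computers falls inside `window`."""
    first_seen = defaultdict(dict)  # sha256 -> {computer: earliest UtcTime}
    for ev in events:
        digest = sha256_of(ev)
        if not digest:
            continue
        ts = datetime.strptime(ev["UtcTime"], TS)
        host = ev["Computer"]
        if host not in first_seen[digest] or ts < first_seen[digest][host]:
            first_seen[digest][host] = ts

    hits = {}
    for digest, hosts in first_seen.items():
        times = sorted(hosts.values())
        left = 0
        for right in range(len(times)):  # sliding window over first-seen times
            while times[right] - times[left] > window:
                left += 1
            if right - left + 1 >= min_hosts:
                hits[digest] = sorted(hosts)
                break
    return hits


def find_security_stops(events, watchlist=SECURITY_WATCHLIST):
    """Return (Computer, CommandLine) pairs for stop commands that name a watchlisted target."""
    hits = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        if not STOP_CMD.search(cmd):
            continue
        tokens = {tok.strip('"').lower() for tok in cmd.split()}
        if tokens & watchlist:
            hits.append((ev["Computer"], cmd))
    return hits


if __name__ == "__main__":
    for digest, hosts in find_mass_deployment(SAMPLE_EVENTS).items():
        print(f"mass deployment: {digest[:12]}... on {len(hosts)} hosts: {', '.join(hosts)}")
    for host, cmd in find_security_stops(SAMPLE_EVENTS):
        print(f"security process stop on {host}: {cmd}")
```

The window threshold is deliberately low so the constructed sample trips it; in production the `min_hosts` and `window` values would be tuned against the organisation's own software-deployment baseline, since legitimate patch or agent rollouts produce the same fan-out shape and are the main false-positive source for the first rule.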
Content to spot traces of the malware:
MegaCortex Malware Detector (Sysmon Behavior) – https://tdm.socprime.com/tdm/info/2266/
Emotet Trojan detector (Sysmon) – https://tdm.socprime.com/tdm/info/1279/
Qakbot Malware Detector (Sysmon Behavior) (July 2019 findings) – https://tdm.socprime.com/tdm/info/2318/
Qakbot New Obfuscation Techniques – https://tdm.socprime.com/tdm/info/2232/