MegaCortex Ransomware Attacks Organizations in Europe and North America

Delaware, USA – May 6, 2019 – Since the beginning of the month, a new player on the ransomware scene has already conducted several dozen attacks on corporate networks. Sophos researchers continue the investigation and report that organizations in the United States, Italy, Canada, France, Ireland, and the Netherlands have become targets of MegaCortex ransomware attacks, although the actual list of attacked organizations may be much longer. The first samples of this new ransomware are traced to the beginning of 2019, but until the beginning of May, it was never used in large-scale attacks. In each case investigated, the organization’s network was also infected with Emotet malware and Qakbot trojan, which allows parallels with the large-scale operations of the Ryuk group also using the services of cybercriminals behind Emotet malware to penetrate the network of organizations. After the initial compromise, adversaries accessed the domain controller using stolen credentials and centrally simultaneously sent several files to all available systems to disable security solutions and encrypt files. Also on the attacked systems, the Rietspoof dropper was discovered, perhaps the cybercriminals behind these infections are preparing a second wave of attacks.

A successful attack on the domain controller allows adversaries to efficiently infect hundreds and thousands of systems in the network of large organizations. Prior to MegaCortex ransomware, this method was used by LockerGoga operators during the attack on Norsk Hydro, which cost the company tens of millions of dollars. Recent studies have shown that the number of ransomware attacks on organizations is growing steadily, along with the time it takes to recover from the attack and the average ransom amount. To visualize Microsoft Windows and Active Directory security events, you can leverage your SIEM with Windows Security Monitor rule pack, which performs statistical analysis and profiling of the events and detects suspicious activity: