Delaware, USA – July 22, 2019 – The threat actor behind the frequent Megacortex ransomware attacks continues to work on malware increasing its effectiveness in infecting corporate networks. The victims of this ransomware strain are usually also infected with Emotet or Qakbot malware, and it can be assumed that the initial compromise of the organization lies on operators of trojans. After accessing the system, Megacortex’s authors attack the domain controller to install Cobalt Strike and gain complete control over the network. After that, in past attacks, cybercriminals used PsExec to send a set of files to all systems on the network, including winnit.exe, which was used to load into memory a malicious DLL. The more complex the chain of attack, the greater the chance that something will go wrong, so the newly discovered version of Megacortex is significantly different from previous ones. Now the attackers send and run a single signed executable, which, after starting, stops a series of processes and begins to encrypt files. Also, the ransomware deletes shadow volume copies and overwrites deleted data to prevent their recovery. After the process is completed, Megacortex creates a ransom note, warning that the cost of data decryption is 2-600 bitcoins depending on the size of the organization.
This summer, the threat of ransomware attacks keeps the security teams of companies and public organizations in suspense. Last week, the iNSYNQ cloud hosting provider fell victim to a new ransomware strain, and the company is still restoring customer data from backups. Also, Ryuk cybergang conducted a series of successful attacks: Town of Collierville computer systems were locked, as well as libraries of Onondaga County (OCPL), New York and Syracuse City School District.
Content available on Threat Detection Marketplace:
MegaCortex Malware Detector (Sysmon Behavior) – https://tdm.socprime.com/tdm/info/2266/
Ryuk Ransomware Detector (Sysmon Behavior) – https://tdm.socprime.com/tdm/info/2298/
Emotet Trojan detector (Sysmon) – https://tdm.socprime.com/tdm/info/1279/
Qakbot New Obfuscation Techniques – https://tdm.socprime.com/tdm/info/2232/