[BreachExchange] MegaCortex Ransomware Demands Millions From Victims

Destry Winant destry at riskbasedsecurity.com
Mon Aug 12 10:20:04 EDT 2019


A new strain of ransomware called MegaCortex is beginning to fill part
of the void left by GandCrab and other variants that have been
discontinued, targeting large corporations with huge ransom demands,
according to a new analysis released Monday by Accenture's iDefense.

In some cases, the authors of MegaCortex are demanding as much as $5.8
million in ransom, although it's not clear if any victims have paid
that amount, says Leo Fernandes, senior manager for malware analysis
and countermeasures at iDefense.

The research analysis published Monday also finds that an updated
version of MegaCortex has been spotted in the wild with new features
to help avoid detection and give it the ability to spread faster and

All this points to a sophisticated campaign that is targeting
businesses, Fernandes says.

"MegaCortex is well written and not a copy-cat of other ransomware
families that normally target home users," Fernandes tells Information
Security Media Group. "Despite using a different programming language,
MegaCortex uses some features and design choices that are more in line
with Goga [ransomware] than other families. However, there are also
differences that make it hard to draw the conclusion that they stem
from the same group."

Early Victims

In July, online cloud hosting provider iNSYNQ was hit by
crypto-locking malware that the company's CEO later identified as

Earlier, in May, accounting software giant Wolters Kluwer was also hit
by a malware attack that some employees speculated on chat boards was
MegaCortex, but the company has not revealed details (see: Malware
Knocks Out Accounting Software Giant Wolters Kluwer).

Version 2

Sophos and other security researchers first took notice of MegaCortex
in early January, with a significant uptick starting around May 1.

In some cases, researchers at Malwarebytes say, MegaCortex, which is
written in the C++ programming language, likely spreads through a
Trojan downloader such as Qbot or Emotet.

And while still relatively new compared to other ransomware, it now
seems that a second version of MegaCortex is circulating, according to
the iDefense analysis.

Fernandes notes in his blog post that in the original version of
MegaCortex, creators protected the main payload of the ransomware by
using a custom password that was only available during a live
infection. While that helped hide certain aspects of the malware from
researchers, it also limited the scope of the attacks, because a good
deal of manual work was needed.

"The password requirement also prevented the malware from being widely
distributed worldwide and required the attackers to install the
ransomware mostly through a sequence of manual steps on each targeted
network," Fernandes says.

In the updated version of MegaCortex, Fernandes and his team note,
this password protection has been removed. Instead, the password is
now hard-coded within the binary of the malware itself, meaning that
it can now self-execute and install the payload on its own.
Additionally, the authors of this new version included a number of
features to avoid detection, according to the analysis.

These features and updates can allow the creators behind the
ransomware to spread it through an email phishing campaign or deliver
it as a second-stage attack attached to other malware, such as a
Trojan, the analysis finds.

"The changes in version 2 suggest that the malware authors traded some
security for ease of use and automation," Fernandes notes. "With a
hard-coded password and the addition of an anti-analysis component,
third parties or affiliated actors could, in theory, distribute the
ransomware without the need for an actor-supplied password for the

Corporate Targets

Over the last several months, many ransomware attacks have focused on
cities and other units of government, including Lake City, Florida,
and Baltimore, which suffered its second ransomware attack in two
years (see: More US Cities Battered by Ransomware).

Ransomware attackers continually change tactics. For example, strains
such as the GandCrab ransomware-as-a-service offering have been shelved
by their authors, and newer variants, such as Sodinokibi, Ryuk, Dharma
and Phobos, have been introduced, according to security analysts (see:
Ransomware: As GandCrab Retires, Sodinokibi Rises).

The creators of MegaCortex apparently designed the ransomware to
target enterprise victims with high ransom demands, according to the
iDefense analysis. From what researchers have seen during incidents in
North America and Europe, where corporate networks and servers have
been targeted and files encrypted, the attackers have asked for
payments ranging from two to 600 bitcoins, or from $20,000 to $5.8
million, the iDefense analysis found.

"The threat actors state in their ransom note 'We are working for
profit. The core of this criminal business is to give back your
valuable data in the original form (for ransom of course).' So, it is
clear that the actors behind MegaCortex are targeting corporations
instead of home users," Fernandes notes.

Fernandes says it's not clear why the authors of MegaCortex decided to
focus on enterprises while other ransomware attackers have targeted
governments. The likely answer is that large companies have the
resources to pay bigger ransoms.

"One could speculate that large organizations would be more willing or
afford to pay for a large ransom request than a small city government
would, but this is really only a possibility among others," Fernandes
tells ISMG. "It is possible that attackers believe that targeting
government agencies may attract more law enforcement attention than
targeting corporations. These ransomware attacks are targeted to a
certain extent, but also opportunistic in nature. These criminal
organizations are after easy money and will most likely not care where
it is coming from."
