

08:10 AM
Larry Loeb

'MegaCortex' Ransomware Hunts 'Big Game' Enterprise

They aren't looking for a lot of little hits. They want treasure.

Recently, ransomware aimed at individuals has receded from last year's high levels. But that doesn't mean that it has gone away.

The UK's Sophos Labs has found that a new strain of this malware, MegaCortex, popped up in late January in enterprise networks located in Italy, the US, Canada, the Netherlands, Ireland and France, in an attack campaign that uses a "big game hunting" strategy.

The major change in focus is that MegaCortex's operators eschew mass, spammy campaigns in favor of targeted attacks. They aren't looking for a lot of little hits. They want treasure. Ryuk, BitPaymer, Dharma, SamSam, LockerGoga and Matrix all use the same philosophy, so it's a popular one.

This strain's infection chain is complicated and sophisticated.

Sophos explains it this way: the infection "leverages both automated and manual components, and appears to involve a high amount of automation to infect a greater number of victims. In attacks we've investigated, the attackers used a common red-team attack tool script to invoke a meterpreter reverse shell in the victim's environment. From the reverse shell, the infection chain uses PowerShell scripts, batch files from remote servers, and commands that only trigger the malware to drop encrypted secondary executable payloads (that had been embedded in the initial dropped malware) on specified machines."

There have been 76 confirmed attacks since February, with 47 of those (about two thirds of the known incidents) happening on Monday and Tuesday of this week. The complicated approach seems to work. Each attack targeted an enterprise network and may have involved hundreds of machines.

Brandon Levene, head of applied intelligence at Chronicle (VirusTotal's parent company), has his own ideas about the malware's origins. He told Security Now in a statement that, "While there are no earlier samples of MegaCortex available, the same signer certificate (CN) is used in both the Rietspoof loader and MegaCortex samples dating back to at least Jan. 22, 2019. This means it is highly likely that the people using Rietspoof with that signature are also using MegaCortex. I can't say definitively that the same threat actors are behind both Rietspoof and MegaCortex, but this finding solidifies a correlation."
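The pivot Levene describes, a code-signing certificate subject (CN) shared between two sample families, can be checked mechanically over sample metadata. This is an added example, not Chronicle's or VirusTotal's code; the sample ids, signer CNs and dates below are constructed placeholders, not real indicators.

```python
"""Pivot on a signer certificate CN shared across malware families.
Added example; all records below are constructed, not real samples or signers."""
from collections import defaultdict
from datetime import date

# Constructed sample metadata: id, family label, signer CN (None = unsigned), first-seen date.
SAMPLES = [
    {"id": "sample-A1", "family": "Rietspoof",  "signer_cn": "CONSTRUCTED SIGNER LTD", "first_seen": date(2019, 1, 22)},
    {"id": "sample-A2", "family": "Rietspoof",  "signer_cn": "CONSTRUCTED SIGNER LTD", "first_seen": date(2019, 2, 3)},
    {"id": "sample-B1", "family": "MegaCortex", "signer_cn": "CONSTRUCTED SIGNER LTD", "first_seen": date(2019, 2, 1)},
    {"id": "sample-C1", "family": "Unrelated",  "signer_cn": "OTHER SIGNER INC",       "first_seen": date(2019, 3, 9)},
    {"id": "sample-D1", "family": "Unsigned",   "signer_cn": None,                     "first_seen": date(2019, 3, 9)},
]

def families_by_signer(samples):
    """Map each signer CN to the set of families observed using it (unsigned samples skipped)."""
    out = defaultdict(set)
    for s in samples:
        if s["signer_cn"]:
            out[s["signer_cn"]].add(s["family"])
    return dict(out)

def shared_signers(samples):
    """Signer CNs seen on more than one family: the overlap that motivates a correlation."""
    return {cn: fams for cn, fams in families_by_signer(samples).items() if len(fams) > 1}

def earliest_use(samples, cn):
    """Earliest first-seen date per family for one CN, to order the timeline of its use."""
    earliest = {}
    for s in samples:
        if s["signer_cn"] == cn:
            fam = s["family"]
            if fam not in earliest or s["first_seen"] < earliest[fam]:
                earliest[fam] = s["first_seen"]
    return earliest

if __name__ == "__main__":
    for cn, fams in shared_signers(SAMPLES).items():
        print(cn, sorted(fams), earliest_use(SAMPLES, cn))
```

A shared CN is a correlation, not attribution: the same certificate can be stolen, sold or shared, which is exactly the caveat Levene attaches to his finding.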

Sophos also hasn't tied every thread of the situation into a neat bow. They admit that, "Right now, we can't say for certain whether the MegaCortex attacks are being aided and abetted by the Emotet malware, but so far in our investigation (which is still ongoing as this post goes live), there seems to be a correlation between the MegaCortex attacks and the presence on the same network of both Emotet and Qbot (aka Qakbot) malware."

But both of those can download/drop other malware.

Surprisingly, the attack that Sophos has details on was initiated from a compromised domain controller, not from the Internet. This may have resulted from a straightforward hijacking or credential stuffing that the attackers undertook to gain access to the device. But what ransom is sought after all this fuss? It depends, it seems. The ransom note is non-specific; rather, it tries to set up an introductory appointment so they can pitch you their skillzz. And they will pinky-swear that they won't do nasty stuff like this again to you. Really.
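The chain Sophos describes (PowerShell on a compromised domain controller pulling batch files from a remote server, then secondary executables dropped onto many specified machines) gives a defender two stages to correlate. This is an added example, not Sophos telemetry or detection content; the event schema, host names and command lines are constructed assumptions.

```python
"""Correlate two stages of the deployment described above on one source host:
(1) a domain controller runs PowerShell referencing a batch file on a remote server,
(2) that same host writes .exe files to many other machines.
Added example over constructed events; field names are assumptions."""
import re
from collections import defaultdict

# Matches a UNC or HTTP(S) reference to a .bat file inside a command line.
REMOTE_BATCH = re.compile(r"(\\\\[\w.-]+\\\S+\.bat|https?://\S+\.bat)", re.IGNORECASE)

# Constructed event stream: "proc" = process creation, "file" = file write on a remote target.
EVENTS = [
    {"host": "DC01", "role": "domain_controller", "kind": "proc", "image": "powershell.exe",
     "cmdline": r"powershell.exe \\constructed-srv\share\stage.bat"},
    {"host": "WS07", "role": "workstation", "kind": "proc", "image": "powershell.exe",
     "cmdline": "powershell.exe -Command Get-Date"},
] + [
    {"host": "DC01", "role": "domain_controller", "kind": "file",
     "target": f"SRV{n:02d}", "path": r"C:\Windows\Temp\payload.exe"} for n in range(1, 6)
] + [
    {"host": "WS07", "role": "workstation", "kind": "file",
     "target": "SRV01", "path": r"C:\Users\Public\report.docx"},
]

def staging_hosts(events):
    """Domain controllers where PowerShell referenced a batch file on a remote server."""
    return {e["host"] for e in events
            if e["kind"] == "proc" and e["role"] == "domain_controller"
            and e["image"].lower() == "powershell.exe" and REMOTE_BATCH.search(e["cmdline"])}

def exe_fanout(events):
    """Distinct machines that received an .exe write, keyed by the source host."""
    targets = defaultdict(set)
    for e in events:
        if e["kind"] == "file" and e["path"].lower().endswith(".exe"):
            targets[e["host"]].add(e["target"])
    return targets

def alerts(events, min_targets=3):
    """Alert only when both stages land on the same source host and fan-out is wide enough."""
    fan = exe_fanout(events)
    return sorted((h, len(fan[h])) for h in staging_hosts(events) if len(fan[h]) >= min_targets)

if __name__ == "__main__":
    print(alerts(EVENTS))  # [('DC01', 5)]
```

Requiring both stages on one host keeps a single administrator's scripted install from firing the rule, while the fan-out threshold captures the "hundreds of machines" scale the article reports.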

I wonder who got the idea that malware could be a vCard at the same time?

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
