Published 16 Nov 2019

A new variant of the MegaCortex ransomware has appeared that behaves differently from earlier versions. Like most ransomware, it encrypts the victim’s files, but it also changes the Windows user’s password and threatens to publish the stolen data if the ransom is not paid.

MegaCortex is targeted ransomware: the operators first gain a foothold on the network through a trojan such as Emotet, then use post-exploitation toolkits, or a compromised Active Directory domain controller, to push the ransomware out to machines across the network.

Once this version of MegaCortex is launched on a target machine, it runs three signed CMD scripts, which in turn load DLLs through rundll32.exe to find and encrypt files. It then runs the built-in cipher command with its /w switch to overwrite the free space on the C: drive, so that deleted originals cannot be recovered with undelete tools, before changing the Windows logon legal notice and deleting the files it used for the encryption.

It then drops a rich-text ransom note on the user’s desktop that begins as follows:

“Your company's network has been breached and infected with MegaCortex Malware. All of your user credentials have been changed and your files have been encrypted. We ensure that the only way to retrieve your data swiftly and securely is with our software. Restoration of your data requires a private key which only we possess. To confirm that our decryption software works email to us 2 files from random computers. You will receive further instructions after you send us the test files. After receiving payment we will provide you with the decryptor including its full source code and credentials to your computers.”

The note goes on to say that the data has been uploaded to a secure location and threatens to publish it if the ransom is not paid. Researchers initially suspected this was an empty threat, as such claims often are with ransomware. Further investigation, however, confirmed that the user’s password really had been changed, which lends some credence to the rest of the note, although a changed password is not in itself evidence that any files were exfiltrated.
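The behaviours described above (rundll32.exe loading DLLs, cipher wiping free space, the logon legal notice being changed, and credentials being changed in bulk) are all visible in endpoint and domain-controller telemetry. As an added example that is not part of the original post, the Python below runs simple detection rules over constructed process-creation and password-reset events. The event layout, the list of user-writable directories, the reset threshold and the sample data are all assumptions made for this illustration, not details from the MegaCortex analysis.

```python
"""
Added example, not from the original post or from any vendor's tooling: a
small detector that scans process-creation and account-management events
for the behaviours described above. It flags rundll32.exe loading a DLL from
a user-writable path, cipher.exe wiping free space (/w:), the logon legal
notice being changed, and one account resetting the passwords of many others.
Event layout, thresholds and sample data are all constructed for this example.
"""
import re

# Assumed, simplified event layout. A real deployment would read Sysmon
# event 1 / Security 4688 (process creation) and Security 4724 (password
# reset) from the event log or a SIEM instead of this list.
SAMPLE_EVENTS = [
    # Benign activity on WS01: should produce no alerts.
    {"host": "WS01", "kind": "proc",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"host": "WS01", "kind": "proc",
     "cmdline": r"cipher.exe /e C:\Users\alice\secret"},
    {"host": "WS01", "kind": "pwreset",
     "subject_user": r"CORP\helpdesk", "target_user": "dave"},
    # Constructed MegaCortex-style activity on WS02 (DLL name is made up).
    {"host": "WS02", "kind": "proc",
     "cmdline": r"rundll32.exe C:\Users\Public\vmiwmz.dll,#1"},
    {"host": "WS02", "kind": "proc",
     "cmdline": r"cipher.exe /w:C:"},
    {"host": "WS02", "kind": "proc",
     "cmdline": r'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion'
                r'\Policies\System" /v legalnoticetext /t REG_SZ '
                r'/d "Your files are encrypted" /f'},
    # Constructed burst of password resets from one account on DC01.
    {"host": "DC01", "kind": "pwreset",
     "subject_user": r"CORP\admin", "target_user": "alice"},
    {"host": "DC01", "kind": "pwreset",
     "subject_user": r"CORP\admin", "target_user": "bob"},
    {"host": "DC01", "kind": "pwreset",
     "subject_user": r"CORP\admin", "target_user": "carol"},
]

# rundll32 given a DLL path under a user-writable directory (assumed list).
RUNDLL32_USER_PATH = re.compile(
    r'rundll32(\.exe)?\s+"?([a-z]:\\(users|programdata|windows\\temp)\\'
    r'[^\s,"]+\.dll)', re.I)
# cipher.exe with the /w: switch, which overwrites free space on a volume.
CIPHER_WIPE = re.compile(r"cipher(\.exe)?\s+.*?/w:", re.I)
# The registry values behind the logon legal notice.
LEGAL_NOTICE = re.compile(r"legalnotice(text|caption)", re.I)
# Assumed threshold: one account resetting this many others is suspicious.
PWRESET_THRESHOLD = 3


def detect(events):
    """Return a list of (host, rule, detail) alerts for the given events."""
    alerts = []
    resets = {}  # (host, subject_user) -> set of accounts it reset
    for ev in events:
        if ev["kind"] == "proc":
            cmd = ev["cmdline"]
            m = RUNDLL32_USER_PATH.search(cmd)
            if m:
                alerts.append((ev["host"], "rundll32_user_writable_dll", m.group(2)))
            if CIPHER_WIPE.search(cmd):
                alerts.append((ev["host"], "cipher_free_space_wipe", cmd))
            if LEGAL_NOTICE.search(cmd):
                alerts.append((ev["host"], "legal_notice_modified", cmd))
        elif ev["kind"] == "pwreset":
            key = (ev["host"], ev["subject_user"])
            resets.setdefault(key, set()).add(ev["target_user"])
    for (host, subject), targets in resets.items():
        if len(targets) >= PWRESET_THRESHOLD:
            alerts.append((host, "mass_password_reset",
                           f"{subject} reset {len(targets)} accounts"))
    return alerts


def hosts_by_rule(alerts):
    """Group alerts by host so that hosts hitting several rules stand out."""
    per_host = {}
    for host, rule, _ in alerts:
        per_host.setdefault(host, set()).add(rule)
    return {host: sorted(rules) for host, rules in per_host.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for host, rule, detail in found:
        print(f"{host}: {rule}: {detail}")
    for host, rules in hosts_by_rule(found).items():
        print(f"{host} matched {len(rules)} rule(s): {', '.join(rules)}")
```

On a real estate the input would be Sysmon event 1 or Security 4688 records for the process rules and Security 4724 for the reset rule. The legal-notice rule here only catches changes made through reg.exe on the command line; since the ransomware need not use reg.exe, a production rule should also watch registry value-set telemetry (Sysmon event 13) for the LegalNoticeText and LegalNoticeCaption values. A host that hits more than one of these rules within a short window is worth isolating first, since cipher /w and the legal-notice change both happen after encryption has already run.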

This is a worrying development, because it turns a ransomware infection, already devastating in itself, into a potential data breach. Depending on what was taken, confidential business data or personal details could be published, with reputational damage and possible consequences under the General Data Protection Regulation (GDPR). It also means that even organisations with complete backups and a tested disaster-recovery plan may be tempted to pay the ransom rather than see their data released to the public.

The code-signing certificate used to sign the malware has since been revoked, which should help limit this particular campaign, although revocation only has an effect where execution policies or security products actually check the signature before a binary runs. Unfortunately, it is all too likely that future ransomware attacks will adopt a similar approach.

It is increasingly clear that cybercriminals are not going anywhere; if anything, their techniques are getting more sophisticated and their threats more aggressive. At Pro-Networks, with our managed IT support services, we can help you formulate an effective, multi-layered cybersecurity solution that will help protect your organisation from cybercrime, all within a suitable budget.
