Elusive MegaCortex Found – Here is What We Know (Jul 19, 2019)
A sample of ransomware called “MegaCortex,” first found by Sophos researchers in May 2019 being used in targeted attacks, has been analyzed by security researchers MalwareHunterTeam and Vitali Kremez. The researchers found that this sample was signed with a certificate from a UK company called “ABADAN PIZZA LTD.” It is likely that the company abandoned the certificate, which was then “claimed by the attackers under their own aliases in order to purchase a certificate.” The actors have also updated this MegaCortex variant so that it no longer requires “a special base64 encoded string for the DLL payload to be unpacked and injected into memory.” These changes indicate that the threat actors utilizing MegaCortex are aiming to improve the malware by making it appear like legitimate software and by making the executable simpler to run and begin encrypting the infected machine.
Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place, in addition to a business continuity policy. In the unfortunate case that a reproducible backup is not in place, make sure to check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies, who are doing their best to track these actors and prevent ransom from being a profitable business for threat actors. The actors demand $500 USD for a decrypter and threaten that the price can rise up to 600 Bitcoin.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.