New Version of MegaCortex Ransomware Targets Business Disruption (Aug 5, 2019)

iDefense engineers have identified an updated version of the “MegaCortex” ransomware. MegaCortex is particularly dangerous because it has caused significantly expensive incidents across various industries in Europe and North America. In the original version, the main payload was protected by a custom password that was only available during a live infection. The new version can self-execute: the password required for installation is now hard-coded in the binary. The MegaCortex authors have also incorporated anti-analysis features into the malware module, along with functionality to stop a wide range of security products and services, steps that were previously executed manually. The actors behind MegaCortex are believed to be targeting corporations; those involved in recent activity have not yet been disclosed. Ransom notes request between two and 600 bitcoin, worth approximately $22,715 USD and $6,814,680 USD respectively as of this writing, which leads researchers to believe that the actors behind MegaCortex are targeting corporations rather than home users.

Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place, in addition to a business continuity policy. In the unfortunate case that a restorable backup is not available, check for a decryptor before considering payment, and avoid payment at all costs. Ransomware incidents should be reported to law enforcement agencies, who are doing their best to track these actors and prevent ransom from being a profitable business for threat actors.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.