Sophos Exposes MegaCortex Ransomware; a New Malware Targeting Businesses Around the World

Sophos, a global leader in endpoint and network security, has released a detailed malware analysis of a new ransomware called MegaCortex Ransomware. According to an analysis contained in the SophosLab Uncut article, this new ransomware majorly comes after businesses and enterprises.

“MegaCortex was a relatively little-seen malware that suddenly spiked in volume on May 1,” Sophos research team writes about the ransomware. “Sophos has seen MegaCortex detections in the US, Canada, Argentina, Italy, the Netherlands, France, Ireland, Hong Kong, Indonesia, and Australia.

“The ransomware has manual components similar to Ryuk and BitPaymer, but the adversaries behind MegaCortex use more automated tools to carry out the attack – this is unique.”

The Sophos team also reports that the attacks come in both automated and manual modes, blended to make it effective and spread very fast.

“Up until now, Sophos has seen automated attacks, manual attacks and blended attacks, which typically lean more towards using manual hacking techniques to move laterally; with MegaCortex, Sophos is seeing heavier use of automation coupled with the manual component.”

Sophos Research Team.

According to the report, this new formula is designed to quickly spread the infection to more victims.

How MegaCortex cybercriminals operate

The SophosLabs Uncut article explained how the attackers operate thus: They invite victims to email them on either of two free mail.com email addresses and send along a file that the ransomware drops on the victim’s hard drive to request decryption “services.” 

The ransom note also promises the cybercriminals “will include a guarantee that your company will never be inconvenienced by us,” if the victims pay the ransom, and continues, “You will also receive a consultation on how to improve your companies cyber security.”

This, the article notes, is intended to make MegaCortex MegaCortex Ransomware ‘The One’ as there is no explicit value for the ransom demand in the ransom note.

How businesses could protect themselves

To help businesses protect themselves, Sophos recommends the following measures:

1. It appears that there’s a strong correlation between the presence of MegaCortex, and a pre-existing, ongoing infection on the victims’ networks with both Emotet and Qbot. If IT managers are seeing alerts about Emotet or Qbot infections, those should take a high priority. Both of those bots can be used to distribute other malware, and it’s possible that’s how the MegaCortex infections got their start.
2. Sophos has not seen any indication so far that Remote Desktop Protocol (RDP) has been abused to break into networks, but we know that holes in enterprise firewalls that allow people to connect to RDP remain relatively common. We strongly discourage this practice and suggest that any IT admin who wishes to do this put the RDP machine behind a VPN
3. As the attack seems to indicate that an administrative password was abused by the criminals, we also recommend the widespread adoption of two-factor authentication wherever possible
4. Keeping regular backups of your most important and current data on an offline storage device is the best way to avoid having to pay a ransom 
5. Use anti-ransomware protection, such as Sophos Intercept X, to block MegaCortex and future ransomware

Commenting on the study, Sophos Senior Security Advisor John Shier decribed MegaCortex Ransomware attacks as a good example of ‘cybercriminal pen-testing’.

He noted that The MegaCortex Ransomware attackers have increased the automated component of their blended approach to target more victims.

“Once they have your admin credentials, there’s no stopping them. Launching the attack from your own domain controller is a great way for the attackers to inherit all the authority they need to impact everything in an organization.

“Organizations need to pay attention to basic security controls and perform security assessments, before the criminals do, to prevent attackers like these from slipping through,” he concludes.