- It is reported that the attackers spread this ransomware mainly using Windows domain controllers in the victim’s network.
- Furthermore, the group used a mix of automation tools and manual components in order to deploy the ransomware to a large number of victims.
A new ransomware has been discovered this past week. Known as ‘MegaCortex’, the ransomware targeted victims across the US, Italy, Canada, Netherlands, Ireland, and France. The victims were predominantly corporate networks. According to security firm Sophos, which discovered this ransomware, the attackers highly employed automation and a number of tools to propagate the ransomware in large numbers.
What is MegaCortex?
- In a blog, Sophos indicated that the creators behind MegaCortex used a common red-team attack tool script. This was to invoke a reverse shell known as ‘meterpreter’ in the victim’s environment.
- The reverse shell is leveraged for an infection chain that uses PowerShell scripts, batch files and commands to drop secondary malware payloads.
- In one of the attacks reported, a Windows domain controller of an enterprise network was used to initiate the attack.
- The ransom note appears in the root of the victim’s hard drive as a plain text file. The note imitates the Matrix movie references.
- As of now, 76 attacks have been confirmed by Sophos. Around 47 of them occurred in a span of 48 hours.
The blog also shed light on how MegaCortex might probably be linked with the well-known Emotet and Qbot malware.
“Right now, we can’t say for certain whether the MegaCortex attacks are being aided and abetted by the Emotet malware, but so far in our investigation (which is still ongoing as this post goes live), there seems to be a correlation between the MegaCortex attacks and the presence on the same network of both Emotet and Qbot (aka Qakbot) malware,” the researchers suggested.