MegaCortex ransomware slams enterprise firms with $5.8 million blackmail demands

New malware strains are hitting enterprise companies in Europe and the US.
Written by Charlie Osborne, Contributing Writer

A new variant of MegaCortex ransomware is making its way across Europe and the United States, leaving blackmail demands worth millions in its wake. 

Accenture iDefense researchers described campaigns making use of MegaCortex v.2 in a blog post on Monday. According to Leo Fernandes, Senior Manager of the Malware Analysis and Countermeasures (MAC) team, the operators behind the ransomware are focusing on corporate targets -- and are in it to hit the criminal jackpot. 

During recent, targeted attacks, the operators of the C++ malware have focused on infiltrating servers containing corporate resources in order to encrypt them and any connected network hosts.

Malwarebytes believes that Qbot, Emotet, and Rietspoof Trojans may have a hand in distributing the malware. Other security experts have tracked the ransomware through Rietspoof loaders.

See also: DealPly adware abuses Microsoft, McAfee services to evade detection

Originally, MegaCortex contained a payload protected by a password only made available during a live infection. The researchers say this feature did make reverse-engineering more difficult, but also made widespread distribution a challenge as operators would need to monitor infection and manually finish up once the damage was done. 

Now, in the new version of MegaCortex, the malicious code self-executes and the live password requirement has been quashed; instead, the password is now hard-coded. 

There is also a range of other changes which Accenture says can be considered a trade of "some security for ease of use and automation." These include a switch from the manual execution of batch files to automatically kill and stop antivirus solutions and other PC processes.  

CNET: US military reportedly testing surveillance balloons in Midwest skies

In addition, the main payload was once executed by rundll32.exe and is now decrypted and executed from memory. 

After infection, the malware performs a scan on the infected system and compares running processes to a 'kill' list, in order to terminate anti-analysis software. A list of drives is then drawn up and files are encrypted with the extension .megacortex. Shadow files are deleted and the ransom message is dropped in the C:\ directory.

An RSA public key, hardcoded into the malware, is used to encrypt files.

MegaCortex ransom demands have ranged from two to 600 Bitcoins, or roughly $20,000 to $5.8 million. The ransom note says, in part:

"We are working for profit. The core of this criminal business is to give back your valuable data in the original form (for ransom of course). We don't do charity!"


TechRepublic: Top 10 IoT security risks for businesses

"With a hard-coded password and the addition of an anti-analysis component, third parties or affiliated actors could, in theory, distribute the ransomware without the need for an actor-supplied password for the installation," the researchers say. "Indeed, potentially there could be an increase in the number of MegaCortex incidents if the actors decide to start delivering it through email campaigns or dropped as secondary stage by other malware families."

How to discover and destroy spyware on your smartphone (in pictures)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards