A new variant of MegaCortex ransomware is making its way across Europe and the United States, leaving blackmail demands worth millions in its wake.
Accenture iDefense researchers described campaigns making use of MegaCortex v.2 in a blog post on Monday. According to Leo Fernandes, Senior Manager of the Malware Analysis and Countermeasures (MAC) team, the operators behind the ransomware are focusing on corporate targets -- and are in it to hit the criminal jackpot.
Originally, MegaCortex contained a payload protected by a password only made available during a live infection. The researchers say this feature did make reverse-engineering more difficult, but also made widespread distribution a challenge as operators would need to monitor infection and manually finish up once the damage was done.
Now, in the new version of MegaCortex, the malicious code self-executes and the live password requirement has been quashed; instead, the password is now hard-coded.
There is also a range of other changes which Accenture says can be considered a trade of "some security for ease of use and automation." These include a switch from the manual execution of batch files to automatically kill and stop antivirus solutions and other PC processes.
In addition, the main payload was once executed by rundll32.exe and is now decrypted and executed from memory.
After infection, the malware performs a scan on the infected system and compares running processes to a 'kill' list, in order to terminate anti-analysis software. A list of drives is then drawn up and files are encrypted with the extension .megacortex. Shadow files are deleted and the ransom message is dropped in the C:\ directory.
An RSA public key, hardcoded into the malware, is used to encrypt files.
MegaCortex ransom demands have ranged from two to 600 Bitcoins, or roughly $20,000 to $5.8 million. The ransom note says, in part:
"We are working for profit. The core of this criminal business is to give back your valuable data in the original form (for ransom of course). We don't do charity!"
"With a hard-coded password and the addition of an anti-analysis component, third parties or affiliated actors could, in theory, distribute the ransomware without the need for an actor-supplied password for the installation," the researchers say. "Indeed, potentially there could be an increase in the number of MegaCortex incidents if the actors decide to start delivering it through email campaigns or dropped as secondary stage by other malware families."
How to discover and destroy spyware on your smartphone (in pictures)