UK cyber-security firm Sophos reported detecting a spike in ransomware attacks at the end of last week from a new strain named MegaCortex.
Sophos said the ransomware appears to have been designed to target large enterprise networks as part of carefully planned targeted intrusions, a tactic known as "big-game hunting."
The modus operandi is not new and has been the preferred method of delivering ransomware for almost half a year.
MegaCortex now joins an ever-growing list of ransomware strains that cyber-criminal groups are using only in targeted attacks, rather than with spam or other mass deployment techniques. The list includes some recognizable names, such as Ryuk, Bitpaymer, Dharma, SamSam, LockerGoga, and Matrix.
According to a report Sophos released late Friday night last week, MegaCortex was first spotted back in late January, when someone uploaded a sample to the malware scanning service VirusTotal.
Since then, the number of attacks has been growing, but they spiked in the middle of last week, when Sophos says it detected 47 attacks, accounting for two-thirds of all the 76 MegaCortex attacks the company has seen all year.
Sophos says it blocked the attacks it detected, which originated from enterprise networks located in the United States, Canada, the Netherlands, Ireland, Italy, and France. However, other attacks might have occurred in other places where the UK antivirus vendor had no coverage.
While Sophos was not able to pinpoint with certainty how MegaCortex got on infected hosts, several cyber-security researchers tweeted over the weekend that the ransomware appears to be dropped on attacked networks via a malware loader named Rietspoof.
This is a new approach compared to past "targeted ransomware attacks" that relied on either:
- hacker groups brute-forcing weakly-secured RDP endpoints;
- dropping ransomware as a second-stage payload on workstations previously infected with the Emotet or Trickbot trojans.
But regardless of the delivery method, MegaCortex appears to be just as dangerous as the other "big-game hunting" ransomware strains, with hackers quickly escalating their access to a domain controller, from where they try to deploy the ransomware to as many internal workstations as possible.
Since this appears to be a common practice for most ransomware families that are being used in targeted attacks, Sophos researchers recommend that companies adopt two-factor authentication for internal networks, and especially for central management servers.
Victims can recognize the ransomware by the random eight-character extension it adds to encrypted files, and also by its ransom note, which is embedded below.
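The extension indicator described above can be turned into a triage check over a file listing. The following is an added example, not code from Sophos or from the original article. It assumes the extension is alphanumeric, is appended after the original file name, and is the same for every file on one victim; the sample paths, allowlist and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption: the appended extension is exactly eight alphanumeric characters.
EIGHT_CHAR = re.compile(r"\.[A-Za-z0-9]{8}")

# Legitimate eight-character extensions to ignore (constructed, not exhaustive).
ALLOWLIST = {".manifest", ".download", ".settings", ".markdown"}

def suspect_extensions(paths, min_files=5, min_dirs=2, min_types=2):
    """Return {extension: [paths]} for eight-character suffixes that look
    like a mass rename: many files, several directories, and several
    different original file types hidden under the same new suffix."""
    by_ext = defaultdict(list)
    for raw in paths:
        p = PureWindowsPath(raw)
        if EIGHT_CHAR.fullmatch(p.suffix) and p.suffix.lower() not in ALLOWLIST:
            by_ext[p.suffix].append(p)

    hits = {}
    for ext, files in by_ext.items():
        dirs = {f.parent for f in files}
        # Original extension still visible in front, e.g. report.docx.<ext>
        inner = {PureWindowsPath(f.stem).suffix.lower() for f in files} - {""}
        if (len(files) >= min_files and len(dirs) >= min_dirs
                and len(inner) >= min_types):
            hits[ext] = sorted(str(f) for f in files)
    return hits

# Constructed sample listing; ".kq3vz8ma" is a made-up extension.
SAMPLE = [
    r"C:\Users\ana\Documents\q1.xlsx.kq3vz8ma",
    r"C:\Users\ana\Documents\plan.docx.kq3vz8ma",
    r"C:\Users\ana\Pictures\site.jpg.kq3vz8ma",
    r"C:\Shares\finance\ledger.pdf.kq3vz8ma",
    r"C:\Shares\finance\payroll.xlsx.kq3vz8ma",
    r"C:\Apps\tool\app.exe.manifest",
    r"C:\Apps\tool\lib.dll.manifest",
    r"C:\Users\ana\Downloads\setup.exe.download",
    r"C:\Users\ana\Documents\notes.txt",
]

if __name__ == "__main__":
    for ext, files in suspect_extensions(SAMPLE).items():
        print(f"{ext}: {len(files)} files renamed")
```

A hit from this check is a prompt to isolate the host and look for the ransom note, not proof of MegaCortex specifically, since other families also append a random suffix.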