Unique MegaCortex ransomware is found targeting Sophos customers

Sophisticated MegaCortex launches attempts against Sophos customers all around the world

In the ransomware field: unique MegaCortex targets Sophos customersSophisticated ransomware named MegaCortex hits Sophos customers worldwide

The operating principle and common features of ransomware viruses are not a secret or jaw-dropping experience for technology experts. Since most of these threats operate in the same way and seak to achieve the same goals, the complexity of a newly discovered ransomware MegaCortex[1] has left a big number of specialists surprised.

The threat was first detected on the 1st of May, this year. Its malicious activity was spotted when numerous Sophos customers worldwide were attacked by MegaCortex ransomware and lost their files. The infection has been found in countries such as The United States, Canada, Australia, Hong Kong, Indonesia, the Netherlands, France, Ireland, Argentina, and Italy.

According to Sophos experts,[2] MegaCortex traces were spotted in the past. Even though major attempts were launched only in May 2019, some malicious samples were found on January 22 when someone from the Czech Republic uploaded the sample to Virus Total. Additionally, security experts received some malware-related reports in February but no serious attacks were launched until now.

Similarities with Ryuk and BitPaymer ransomware have been discovered in MegaCortex

Sophos claims that MegaCortex attacks are targeting systems by using a mixture of automatical and manual techniques. During the investigation, specialists found that such automatical-manual method allows the criminals to spread malicious payload faster to a bigger number of victims worldwide. Also, the malware's manual components have similar features with other widely-known viruses such as BitPaymer and Ryuk.

MegaCortex ransom note, called !!!_READ_ME_!!!.txt, does not provide any particular details about the ransom price that should be paid to unlock encrypted documents and files. Rather than urging for a certain amount of ransom, crooks have been manipulating with other offers.

According to the ransom note, the victim is supposed to send a particular ransom file via one of the two given email addresses as an answer to their payment request. Additionally, the ransom message includes odd promises that are given by the crooks themselves:

<…> will include a guarantee that your company will never be inconvenienced by us <…>

You will also receive a consultation on how to improve your company's cybersecurity.

The file is known to include the .tsv appendix. It is provided as the infectious DLL in the exact unique eight-random-letter filename. The file is typically located in the hard drive of the infected machine.

Emotet and Qbot bots are supposedly the primary distribution sources of the threat

According to technology specialists from Sophos, MegaCortex ransomware is extremely dangerous for various organizations due to its automated components that are supposed to target a significant number of victims and access the computer via admin's credentials. If this happens, the infection can be easily spread to other systems and overtake everything relevant in the attacked organization.

Sophos has been urging companies and home users to pay attention to this new malware approach and gain some basic knowledge on how to decrease the risk of such infection. One of the most attention-bringing things is that MegaCortex has some relations with Emotet[3] and Qbot.[4] In other words, these botnets are probably the main way used by the ransomware to reach the targeted machines and users, so admins should be aware of them.

Furthermore, the company advises keeping all important machines behind a VPN[5] and not an RDP as flaws in enterprise firewalls that give the capability for users to connect to RDP are a common way to infect the target systems. Other advice from Sophos would be to ensure that two-factor authentication[6] is always enabled as MegaCortex seems to be capable of identifying administrative passwords.

Some other basic but helpful solutions would be to store essential files and documents on portable hard drives or remote servers so that the encryption could not affect data. Also, having an antivirus program which includes a ransomware-blocking feature might also help prevent MegaCortex and similar threats from appearing on your computer system.

About the author
Julie Splinters
Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor was English Philology.

Contact Julie Splinters
About the company Esolutions