MegaCortex is a ransomware variant that employs both automated and manual components in its attempts to infect victims. Threat actors use a common red-team attack tool script to invoke a Meterpreter reverse shell in the victim's environment. The infection chain then uses PowerShell scripts, batch files fetched from remote servers, and commands that trigger the malware to drop encrypted secondary executable payloads only on specified machines.

UPDATE 6/12/2019: A variant identified as Ransom.MegaCortex has continued targeted attacks on global organizations and shares unique traits with LockerGoga. Attacks spiked in late May but have begun to slow. Researchers suspect propagation occurs through the Qakbot (Qbot), Emotet, and Rietspoof trojans (Rietspoof is a multi-stage malware spread through instant messaging programs). Ransom notes are poorly written and tend to include references to The Matrix.

Technical Details and Reporting

  • Sophos Labs provides details of this ransomware variant here.

  • Symantec provides technical details here.

  • Malwarebytes provides IOCs, remediation, and mitigation techniques here.