MegaCortex is a ransomware variant that employs both automated and manual components in an attempt to infect victims. Threat actors use a common red-team attack tool script to invoke a Meterpreter reverse shell in the victim's environment. The infection chain then uses PowerShell scripts, batch files fetched from remote servers, and commands that trigger the malware to drop encrypted secondary executable payloads only on specified machines.

Technical Details and Reporting

  • SophosLabs provides details of this ransomware variant here.

  • Symantec provides technical details here.

  • Malwarebytes provides IOCs, remediation, and mitigation techniques here.

UPDATE 6/12/2019: A variant identified as Ransom.MegaCortex has continued targeted attacks on global organizations, sharing unique traits with LockerGoga. Attacks spiked in late May but have begun to slow. Researchers suspect propagation is carried out through the Qakbot (Qbot), Emotet, and Rietspoof (a multi-stage malware spread through instant messaging programs) trojans. Ransom notes are poorly written and tend to include references to The Matrix.

UPDATE 7/19/2019: A newly discovered sample of the obscure yet perilous MegaCortex ransomware has been analyzed by researchers. The sample shows that the executable no longer needs a base64-encoded string for the payload to be dropped. This simplification of execution raises concern that the threat actor is scaling up operations in an attempt to increase victimization.

  • Bleeping Computer provides IOCs, associated files, and technical details here.

UPDATE 08/05/2019: A new variant of MegaCortex ransomware has been observed flourishing throughout Europe and the US, targeting large corporations. MegaCortex v2 has been redesigned to self-execute using a password hard-coded in the binary, removing the need to supply the password-protected payload during a live infection. Additionally, v2 incorporates anti-analysis features that enable the malware to stop and kill security products and services, making this version especially volatile. If threat actors begin incorporating other infection methods (e.g., phishing or exploit kits), then ransomware attacks could increase exponentially. ZDNet provides further details here.
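The v2 update above describes the malware stopping and killing security products and services before encryption. One detection a defender can run over process-creation logs is to flag a burst of stop/kill commands aimed at security tooling on a single host within a short window. The script below is an added example written for this page, not code from the advisory or from any vendor write-up; the log line format, the host and user names, and the list of security product names are constructed assumptions and should be replaced with the format and products in your own estate.

```python
"""Added example (not from the advisory): flag bursts of security-service stop
commands, the behaviour described for MegaCortex v2, in process-creation logs.
The log format and the product names below are constructed for illustration."""
from collections import deque
from datetime import datetime, timedelta
import re

# Constructed sample lines: "<ISO timestamp> <host> <user> <command line>".
SAMPLE_LOG = """\
2019-08-05T02:14:03 WS01 svc_admin cmd.exe /c net stop "Sophos AutoUpdate Service" /y
2019-08-05T02:14:04 WS01 svc_admin cmd.exe /c sc stop MBAMService
2019-08-05T02:14:04 WS01 svc_admin taskkill /F /IM MsMpEng.exe
2019-08-05T02:14:05 WS01 svc_admin cmd.exe /c net stop SepMasterService /y
2019-08-05T09:30:11 WS02 jsmith net stop Spooler
2019-08-05T11:02:40 WS02 jsmith sc query wuauserv
"""

# Substrings identifying security tooling (constructed list; tune to your
# deployed endpoint protection products).
SECURITY_NAMES = {"sophos", "mbam", "msmpeng", "sepmasterservice", "windefend", "sense"}

# Commands that stop a service or kill a process; the remainder of the line is the target.
STOP_PATTERN = re.compile(r"\b(?:net\s+stop|sc\s+stop|taskkill)\b\s+(?P<target>.+)", re.IGNORECASE)


def parse_line(line):
    """Return (timestamp, host, user, cmdline), or None for a malformed line."""
    parts = line.split(" ", 3)
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2], parts[3]


def targets_security_tool(cmdline):
    """True if the command stops or kills something named like a security product."""
    m = STOP_PATTERN.search(cmdline)
    if not m:
        return False
    target = m.group("target").lower()
    return any(name in target for name in SECURITY_NAMES)


def find_kill_bursts(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return one (host, burst_start, total_hits) tuple per host that issued at
    least `threshold` security-tool stop/kill commands within `window`.

    A single stop of one security service can be legitimate maintenance; a rapid
    burst across several products on one host is the pattern worth alerting on.
    """
    per_host = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole scan
        ts, host, _user, cmdline = rec
        if targets_security_tool(cmdline):
            per_host.setdefault(host, []).append(ts)

    hits = []
    for host, stamps in per_host.items():
        stamps.sort()
        recent = deque()  # sliding window of timestamps within `window`
        for ts in stamps:
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                hits.append((host, recent[0], len(stamps)))
                break  # one alert per host is enough
    return hits


if __name__ == "__main__":
    for host, start, total in find_kill_bursts(SAMPLE_LOG):
        print(f"ALERT {host}: {total} security-service stop/kill commands, burst began {start}")
```

On the constructed sample the script alerts once, for WS01, where four stop/kill commands against different security products arrive within two seconds; the isolated `net stop Spooler` on WS02 does not match a security product and is ignored. The threshold and window are deliberately parameters so the rule can be tuned against a baseline of legitimate administrative activity.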