MegaCortex Ransomware Demands Millions From VictimsiDefense Researchers Discover an Updated Version
A new strain of ransomware called MegaCortex is beginning to fill part of the void left by GandCrab and other variants that have been discontinued, targeting large corporations with huge ransom demands, according to a new analysis released Monday by Accenture's iDefense.
In some cases, the authors of MegaCortex are demanding as much as $5.8 million in ransom, although it's not clear if any victims have paid that amount, says Leo Fernandes, senior manager for malware analysis and countermeasures at iDefense.
The research analysis published Monday also finds that an updated version of MegaCortex has been spotted in the wild with new features to help avoid detection and give it the ability to spread faster and further.
All this points to a sophisticated campaign that is targeting businesses, Fernandes says.
"MegaCortex is well written and not a copy-cat of other ransomware families that normally target home users," Fernandes tells Information Security Media Group. "Despite using a different programming language, MegaCortex uses some features and design choices that are more in line with Goga [ransomware] than other families. However, there are also differences that make it hard to draw the conclusion that they stem from the same group.
In July, online cloud hosting provider iNSYNQ was hit by crypto-locking malware that the company's CEO later identified as MegaCortex.
Earlier, in May, accounting software giant Wolters Kluwer was also hit by a malware attack that some employees speculated on chat boards was MegaCortex, but the company has not revealed details (see: Malware Knocks Out Accounting Software Giant Wolters Kluwer).
Sophos and other security researchers first took notice of MegaCortex in early January, with a significant uptick starting around May 1.
In some cases, researchers at Malwarebytes say, MegaCortex, which is written in the C++ programming language, likely spreads through a Trojan downloader such as Qbot or Emotet.
And while still relatively new compared to other ransomware, it now seems that a second version of MegaCortex is circulating, according to the iDefense analysis.
Fernandes notes in his blog post that in the original version of MegaCortex, creators protected the main payload of the ransomware by using a custom password that was only available during a live infection. While that helped hide certain aspects of the malware from researchers, it also limited the scope of the attacks, because a good deal of manual work was needed.
"The password requirement also prevented the malware from being widely distributed worldwide and required the attackers to install the ransomware mostly through a sequence of manual steps on each targeted network," Fernades says.
In the updated version of MegaCortex, Fernandes and his team note, this password protection has been removed. Instead, the password is now hard-coded within the binary of the malware itself, meaning that it can now self-execute and install the payload on its own. Additionally, the authors of this new version included a number of features to avoid detection, according to the analysis.
These features and updates can allow the creators behind the ransomware to spread it through an email phishing campaign or deliver it as a second-stage attack attached to other malware, such as a Trojan, the analysis finds.
"The changes in version 2 suggest that the malware authors traded some security for ease of use and automation," Fernandes notes. "With a hard-coded password and the addition of an anti-analysis component, third parties or affiliated actors could, in theory, distribute the ransomware without the need for an actor-supplied password for the installation."
Over the last several months, many ransomware attacks have focused on cities and other units of government, including Lake City, Florida, and Baltimore, which suffered its second ransomware attack in two years (see: More US Cities Battered by Ransomware).
Ransomware attackers continually change tactics. For example, strains such as the GandCrab ransomware-as-service offering have been shelved by its authors, and newer variants, such as Sodinokibi, Ryuk, Dharma and Phobos, have been introduced, according to security analysts (see: Ransomware: As GandCrab Retires, Sodinokibi Rises).
The creators of MegaCortex apparently designed the ransomware to target enterprise victims with high ransom demands, according to the iDefense analysis. From what researchers have seen during incidents in North America and Europe, where corporate networks and servers have been targeted and files encrypted, the attackers have asked for payments ranging from two to 600 bitcoins, or from $20,000 to $5.8 million, the iDefense analysis found.
"The threat actors state in their ransom note 'We are working for profit. The core of this criminal business is to give back your valuable data in the original form (for ransom of course).' So, it is clear that the actors behind MegaCortex are targeting corporations instead of home users," Fernandes notes.
Fernandes says it's not clear why the authors of MegaCortex decided to focus on enterprises while other ransomware attackers have targeted governments. The likely answer is that large companies have the resources to pay bigger ransoms.
"One could speculate that large organizations would be more willing or afford to pay for a large ransom request than a small city government would, but this is really only a possibility among others," Fernandes tells ISMG. "It is possible that attackers believe that targeting government agencies may attract more law enforcement attention than targeting corporations. These ransomware attacks are targeted to a certain extent, but also opportunistic in nature. These criminal organizations are after easy money and will most likely not care where it is coming from."