{"id":15553,"date":"2019-06-12T09:10:02","date_gmt":"2019-06-12T17:10:02","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/06\/12\/news-9302\/"},"modified":"2019-06-12T09:10:02","modified_gmt":"2019-06-12T17:10:02","slug":"news-9302","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/06\/12\/news-9302\/","title":{"rendered":"MegaCortex continues trend of targeted ransomware attacks"},"content":{"rendered":"<p><strong>Credit to Author: Pieter Arntz| Date: Wed, 12 Jun 2019 16:03:25 +0000<\/strong><\/p>\n<p>MegaCortex is a relatively new ransomware family that continues the 2019 trend of threat actors developing ransomware specifically for targeted attacks on enterprises. While GandCrab apparently shut its doors, several other bespoke, artisanal ransomware families have taken its place, including <a href=\"https:\/\/blog.malwarebytes.com\/ransomware\/2019\/05\/ransomware-isnt-just-a-big-city-problem\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"RobinHood (opens in a new tab)\">RobinHood<\/a>, which shut down the city of Baltimore, <a rel=\"noreferrer noopener\" aria-label=\"Troldesh (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/03\/spotlight-troldesh-ransomware-aka-shade\/\" target=\"_blank\">Troldesh<\/a>, and <a rel=\"noreferrer noopener\" aria-label=\"CrySIS\/Dharma (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/05\/threat-spotlight-crysis-aka-dharma-ransomware-causing-a-crisis-for-businesses\/\" target=\"_blank\">CrySIS\/Dharma<\/a>.<\/p>\n<p>Detected by Malwarebytes as Ransom.MegaCortex, MegaCortex saw a spike in business detections in late May and has since slowed down to a trickle, following a similar trend as its Troldesh and CrySIS forebearers.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-attachment-id=\"38938\" 
data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-spotlight\/2019\/06\/megacortex-continues-trend-of-targeted-ransomware-attacks\/attachment\/ransommegacortexblock-2\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/ransommegacortexblock-1.png\" data-orig-size=\"472,240\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"ransommegacortexblock\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/ransommegacortexblock-1-300x153.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/ransommegacortexblock-1.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/ransommegacortexblock-1.png\" alt=\"malwarebytes blocks Megacortex\" class=\"wp-image-38938\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/ransommegacortexblock-1.png 472w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/ransommegacortexblock-1-300x153.png 300w\" sizes=\"(max-width: 472px) 100vw, 472px\" \/><\/figure>\n<p>Our anti-ransomware technology detected Ransom.MegaCortex even before definitions were added.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-attachment-id=\"38939\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-spotlight\/2019\/06\/megacortex-continues-trend-of-targeted-ransomware-attacks\/attachment\/protection3-7\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/protection3-2.png\" data-orig-size=\"355,272\" 
data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"protection3\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/protection3-2-300x230.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/protection3-2.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/protection3-2.png\" alt=\"generic detection megacortex\" class=\"wp-image-38939\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/protection3-2.png 355w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/protection3-2-300x230.png 300w\" sizes=\"(max-width: 355px) 100vw, 355px\" \/><\/figure>\n<h3>Distribution<\/h3>\n<p>The methods of distribution for MegaCortex are still not completely clear, but there are indications that the ransomware is dropped on compromised computers by using Trojan downloaders. 
Once a corporate network has been compromised, the attackers try to gain access to a domain controller and spread across the entire network from there.<\/p>\n<p>Suspected Trojans that might be responsible for the distribution of MegaCortex are <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/detections\/worm-qakbot\/\" target=\"_blank\">Qakbot aka Qbot<\/a>, <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/detections\/trojan-emotet\/\" target=\"_blank\">Emotet<\/a>, and <a href=\"https:\/\/blog.malwarebytes.com\/detections\/backdoor-rietspoof\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Rietspoof<\/a>. Rietspoof is multi-stage malware that spreads through instant messaging programs.<\/p>\n<h3>Execution<\/h3>\n<p>Before the actual ransomware process starts, several tools and scripts are deployed to disable certain security processes and attempt to gain access to the domain controller so the ransomware can be distributed across the network.<\/p>\n<p>Once the ransomware process is activated, it creates these files:<\/p>\n<ul>\n<li>********.log<\/li>\n<li>********.tsv<\/li>\n<li>********.dll<\/li>\n<\/ul>\n<p>The ******** are eight random characters that are identical for the three files on the affected system. These names are also mentioned in the ransom note called !!!_READ_ME_!!!.txt.<\/p>\n<p>The ransom note, the log file, and the tsv file are all located in the root drive. The dll, on the other hand, can be found in the <a href=\"https:\/\/blog.malwarebytes.com\/101\/2017\/01\/explained-environmental-variables\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">%temp% folder<\/a>.<\/p>\n<p>The encrypted files are given the extension .aes128ctr. 
The encryption routine skips files with the extensions:<\/p>\n<ul>\n<li>.aes128ctr<\/li>\n<li>.bat<\/li>\n<li>.cmd<\/li>\n<li>.config<\/li>\n<li>.dll<\/li>\n<li>.exe<\/li>\n<li>.lnk<\/li>\n<li>.manifext<\/li>\n<li>.mui<\/li>\n<li>.olb<\/li>\n<li>.ps1<\/li>\n<li>.sys<\/li>\n<li>.tlb<\/li>\n<li>.tmp<\/li>\n<\/ul>\n<p>The routine also skips the files: <\/p>\n<ul>\n<li>desktop.ini<\/li>\n<li>********.tsv<\/li>\n<li>********.log<\/li>\n<\/ul>\n<p>It also skips all the files and subfolders under %windir%, with the exception of %windir%temp. In addition, MegaCortex deletes all the shadow copies on the affected system.<\/p>\n<p>After the encryption routine is complete, MegaCortex displays this rather theatrical ransom note, high on drama and low on grammatical correctness.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-attachment-id=\"38940\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-spotlight\/2019\/06\/megacortex-continues-trend-of-targeted-ransomware-attacks\/attachment\/megacortex-ransom-note-3\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/megacortex-ransom-note-2.png\" data-orig-size=\"1610,932\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"megacortex-ransom-note\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/megacortex-ransom-note-2-300x174.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/megacortex-ransom-note-2-600x347.png\" 
src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/megacortex-ransom-note-2-600x347.png\" alt=\"megacortex ransom note\" class=\"wp-image-38940\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/megacortex-ransom-note-2-600x347.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/megacortex-ransom-note-2-300x174.png 300w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/figure>\n<h3>Remarkable ransom note quotes<\/h3>\n<p>Some notable quotes from the ransom note:<\/p>\n<ul>\n<li>\u201cAll of your computers have been corrupted with MegaCortex malware that has encrypted your files.\u201d So the name MegaCortex comes from the threat actors themselves, as opposed to the security researchers who discovered it. (That is one way to help the industry to use a unified detection name.)<\/li>\n<li>\u201cIt is critical that you don\u2019t restart or shutdown your computer.\u201d This implies that one of the <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/03\/encryption-101-how-to-break-encryption\/\" target=\"_blank\">seeds for the encryption routine<\/a> will be made irretrievable if the computer gets rebooted. <\/li>\n<li>\u201cThe software price will include a guarantee that your company will never be inconvenienced by us.\u201d Is this a tell-tale sign about how much granular control the threat actors have over the malware attacks, or just another empty promise made by criminals?<\/li>\n<li>&#8220;We can only show you the door. You&#8217;re the one who has to walk through it.&#8221; A reference to <em>The Matrix<\/em> or a failed fiction writer?<\/li>\n<\/ul>\n<p>The ransom note also makes clear that the information necessary for the decryption routine is contained in the randomly named tsv file. So, if all the information except the private key is on the infected computer, does that mean there will be a free decryptor soon? 
That depends on many other factors, but if the cybercriminals used the same private key for each infection, there could be a possible escape on the horizon.<\/p>\n<p>Undoubtedly it will take some reverse engineering to get definitive answers to these questions, but it certainly gives us some clues.<\/p>\n<h3>Countermeasures<\/h3>\n<p>Given that the exact infection vector is as yet unknown, it is hard to give specific protection advice for this ransomware family. But there are some countermeasures that always apply to ransomware attacks, and they might be useful to repeat here:<\/p>\n<ul>\n<li><strong>Scan emails with attachments.<\/strong> Suspicious mails with attachments should not reach the end user without being checked first.<\/li>\n<li><strong>User education.<\/strong> Users should be taught to refrain from downloading attachments sent to them via mail or instant messaging without close scrutiny.<\/li>\n<li><strong>Blacklisting.<\/strong> Most endpoints do not need to be able to run scripts. In those cases, you can blacklist wscript.exe and maybe other scripting options like PowerShell.<\/li>\n<li><strong>Update software and systems.&nbsp;<\/strong>Updating your systems and your software can plug up vulnerabilities and keep known exploits at bay.<\/li>\n<li><strong>Back up files.&nbsp;<\/strong>Reliable and easy-to-deploy backups can shorten the recovery time.<\/li>\n<\/ul>\n<p>We are far from knowing everything there is to know about this ransomware, but as we discover new information, we will keep our blog readers updated. In the meantime, it is imperative for enterprises to employ best practices for <a rel=\"noreferrer noopener\" aria-label=\"protecting against all ransomware (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/101\/2016\/04\/how-to-protect-your-business-from-ransomware\/\" target=\"_blank\">protecting against all ransomware<\/a>.<\/p>\n<p>After all, we can only show you the door. 
You&#8217;re the one who has to walk through it.<\/p>\n<p>Stay safe, everyone!<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-spotlight\/2019\/06\/megacortex-continues-trend-of-targeted-ransomware-attacks\/\">MegaCortex continues trend of targeted ransomware attacks<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/threat-spotlight\/2019\/06\/megacortex-continues-trend-of-targeted-ransomware-attacks\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Pieter Arntz| Date: Wed, 12 Jun 2019 16:03:25 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/threat-spotlight\/2019\/06\/megacortex-continues-trend-of-targeted-ransomware-attacks\/' title='MegaCortex continues trend of targeted ransomware attacks'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/rendered-1.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>In this threat spotlight, we feature MegaCortex, another custom ransomware designed for targeted attacks on enterprises. 
Will this Matrix-inspired malware strike again?<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-spotlight\/\" rel=\"category tag\">Threat spotlight<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/aes128ctr\/\" rel=\"tag\">aes128ctr<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/business-security\/\" rel=\"tag\">business security<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/megacortex\/\" rel=\"tag\">megacortex<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/ransom\/\" rel=\"tag\">ransom<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/ransom-megacortex\/\" rel=\"tag\">ransom.megacortex<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/ransomware\/\" rel=\"tag\">ransomware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/ransomware-attack\/\" rel=\"tag\">ransomware attack<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/targeted-ransomware\/\" rel=\"tag\">targeted ransomware<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/threat-spotlight\/2019\/06\/megacortex-continues-trend-of-targeted-ransomware-attacks\/' title='MegaCortex continues trend of targeted ransomware attacks'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-spotlight\/2019\/06\/megacortex-continues-trend-of-targeted-ransomware-attacks\/\">MegaCortex continues trend of targeted ransomware attacks<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[22020,11141,21737,18276,22021,3765,20486,22022,21161],"class_list":["post-15553","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-aes128ctr","tag-business-security","tag-megacortex","tag-ransom","tag-ransom-megacortex","tag-ransomware","tag-ransomware-attack","tag-targeted-ransomware","tag-threat-spotlight"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15553","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=15553"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15553\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=15553"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=15553"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=15553"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}