Ransomware Used in Multimillion-Dollar Attacks Gets More Automated

The authors of MegaCortex appear to have traded security for convenience and speed, say researchers at Accenture iDefense.

4 Min Read
Dark Reading logo in a gray background | Dark Reading

The authors of MegaCortex, a ransomware tool that was used recently in costly attacks against organizations in North America and Europe, have tweaked the malware to make it even more dangerous.

Researchers from Accenture iDefense this week said they have spotted a new version of the ransomware with features that make it harder to detect and easier for attackers to deploy on compromised networks.

Like the first version of MegaCortex that surfaced earlier this year, the new one is designed for use in manual, post-exploitation, targeted attacks. However, the authors have made some changes to the malware that suggest they have traded security for automation and ease of use, according to a report from Accenture iDefense.

For instance, the original MegaCortex malware required a password in order to decrypt and load the final payload. Attackers needed to install the ransomware on a compromised network via a series of manual steps and use a custom password that would become available only during a live infection.

This made it very hard for security researchers to analyze and reverse engineer the malware. "The password was heavily encoded and encrypted. Thus, brute-forcing the password to run the malware was not a feasible approach," says Leo Fernandes, senior manager of the Accenture iDefense Malware Analysis and Countermeasures (MAC) team.

At the same time, the password requirement also limited the ability for attackers to deploy MegaCortex widely, Fernandes says. With the second version, the malware authors have removed the need for a password for installation and have instead hard-coded a password in the binary. "The new version executes directly with one single command. No additional password or interaction is necessary," he says.

Additionally, the malware authors have incorporated a range of anti-analysis features within the main malware module itself. Some examples of these features include crypters, packers, and other obfuscation capabilities; use of anti-disassembly and debugging features; sandbox and virtual machine detection capabilities; and system-specific requirements for loading the malware, Fernandes says.

With the first version, attackers had to manually execute such capabilities as batch script files on each host. "The lack of a password requirement for installation and the embedded functionality to kill/stop security software and services can allow attackers to deploy the malware faster through automation once access to a network has been established," Fernandes says.

Security researchers first spotted MegaCortex earlier this year targeting enterprise organizations in the US, Canada, and Europe. During one stretch in May, researchers at Sophos counted 47 targeted attack attempts to install MegaCortex in a 48-hour period. Organizations that have been hit by the malware have faced ransom demands ranging from a relatively modest $20,000 to a stunning $5.8 million.

The changes in the new version do not make MegaCortex any easier or harder to detect because the attack still happens only after a network has already been compromised via other means, Fernandes. Even so, the hard-coded passwords allow those doing the reverse engineering to retrieve the final DLL file from memory for further analysis, which was not readily feasible before, he says. "However, deeper analysis still takes lots of experience and time," Fernandes says.

Targeted Attacks
For enterprise organizations, MegaCortex is another reminder — if one were needed — of the major threat that ransomware continues to pose. The steady declines in ransomware attack volumes that several security vendors have reported in recent months have all been on the consumer side.

Attacks on private, public, city, and local government organizations of all sizes have only increased over the past year. In many instances, attackers have first gained access to targeted networks, conducted reconnaissance and identified high-value systems before installing ransomware on them to maximize disruption.

Many security researchers fear that recent reports of multiple city governments and other organizations making substantial payments to attackers to get their data back after a ransomware attack are likely only going to fuel more attacks.

Ransomware like MegaCortex continues to pose a high threat to enterprises and government organizations worldwide, Fernandes says. "The criminal organization behind MegaCortex appears to be experienced professionals capable of targeting and infiltrating corporate networks, cause havoc, and huge financial losses," he warns.

Related Content:

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Read more about:

Black Hat News

About the Author

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights