A new variant of the MegaCortex ransomware has been found that not only encrypts a victim's files but also changes the logged-in user's password and threatens to publish the victim's files if the ransom is not paid. For those unfamiliar with MegaCortex, it is targeted ransomware that is installed through network access provided by trojans such as Emotet. Once the MegaCortex actors gain access, they push the ransomware out to machines on the network via an Active Directory domain controller or post-exploitation kits.
As with any ransomware attack, secure and up-to-date backups of the system's files are the primary tool for replacing encrypted files. The latest variant of MegaCortex, which threatens to publish files, may be an attempt by the attackers to pressure victims who have backups into paying the ransom in order to avoid the embarrassment of having sensitive files or emails published. However, there is no guarantee that the attackers will honor any deal not to publish files, and a victim's willingness to pay the ransom may even draw more attention to that victim's files than if the extortion attempt is ignored.

Binary Defense analysts have observed a password-stealing feature in several ransomware variants and assess with high confidence that theft and resale of passwords is a goal of many threat actors. It is wise to change the passwords for all online services after any compromise, including ransomware. Using password manager software is a good way to keep a unique password for each account. A managed endpoint detection and response service, such as Binary Defense, is an important part of defense-in-depth against ransomware. Endpoint monitoring solutions are in the perfect position to detect ransomware or attacker behaviors early in an intrusion and to isolate the infected computer from the rest of the network before the damage spreads.
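To make the last point concrete, here is a small added detection example (written for this page, not Binary Defense's or MegaCortex's code) that correlates the two behaviors described above: a burst of files rewritten with a single new extension by one process, followed shortly afterwards by a password change on the same host. The event schema, the host and process names, the `.locked` extension and the timestamps are all constructed sample data and are not claimed to be MegaCortex indicators.

```python
"""Toy correlation of two ransomware behaviours from constructed endpoint events:
a burst of file writes to one new extension by a single process, then a local
account password change on the same host shortly afterwards."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (hypothetical schema, not real MegaCortex data).
# Each record: (ISO timestamp, host, event type, process, detail)
#   file_write      -> detail is the path written
#   password_change -> detail is the account whose password was changed
SAMPLE_EVENTS = [
    ("2019-11-05T02:00:00", "FS01", "file_write", "winword.exe", r"C:\Users\jdoe\report.docx"),
    ("2019-11-05T02:10:00", "FS01", "file_write", "svc_update.exe", r"D:\share\q1.xlsx.locked"),
    ("2019-11-05T02:10:01", "FS01", "file_write", "svc_update.exe", r"D:\share\q2.xlsx.locked"),
    ("2019-11-05T02:10:02", "FS01", "file_write", "svc_update.exe", r"D:\share\budget.docx.locked"),
    ("2019-11-05T02:10:03", "FS01", "file_write", "svc_update.exe", r"D:\share\plan.pptx.locked"),
    ("2019-11-05T02:10:04", "FS01", "file_write", "svc_update.exe", r"D:\share\hr\list.csv.locked"),
    ("2019-11-05T02:10:05", "FS01", "file_write", "svc_update.exe", r"D:\share\notes.txt.locked"),
    ("2019-11-05T02:12:30", "FS01", "password_change", "svc_update.exe", "jdoe"),
    # Unrelated self-service password change on another host: must not alert.
    ("2019-11-05T09:00:00", "WS22", "password_change", "explorer.exe", "jdoe"),
]

BURST_THRESHOLD = 5                    # distinct writes with one extension
BURST_WINDOW = timedelta(seconds=60)   # ...within this window
FOLLOWUP_WINDOW = timedelta(minutes=15)  # password change after the burst


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def extension(path):
    """Lower-cased final extension of a Windows path ('' if none)."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def find_write_bursts(events):
    """Return [(host, process, ext, burst_end, count)] for every
    (host, process, extension) that reaches BURST_THRESHOLD writes
    inside BURST_WINDOW, reporting the largest such window."""
    groups = defaultdict(list)
    for ts, host, etype, proc, detail in events:
        if etype == "file_write":
            groups[(host, proc, extension(detail))].append(parse_ts(ts))
    bursts = []
    for (host, proc, ext), times in groups.items():
        times.sort()
        best, best_end, start = 0, None, 0
        for end in range(len(times)):            # sliding window over time
            while times[end] - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 > best:
                best, best_end = end - start + 1, times[end]
        if best >= BURST_THRESHOLD:
            bursts.append((host, proc, ext, best_end, best))
    return bursts


def correlate(events):
    """Raise a medium alert per write burst; escalate to high when a password
    change on the same host follows within FOLLOWUP_WINDOW."""
    alerts = []
    for host, proc, ext, burst_end, count in find_write_bursts(events):
        changed = [
            detail for ts, h, etype, _p, detail in events
            if h == host and etype == "password_change"
            and burst_end <= parse_ts(ts) <= burst_end + FOLLOWUP_WINDOW
        ]
        alerts.append({
            "host": host, "process": proc, "extension": ext, "files": count,
            "accounts_changed": changed,
            "severity": "high" if changed else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The threshold and windows are deliberately simple; in production the write-burst rule needs an allowlist for legitimate bulk renamers such as backup agents and archivers, and the password-change side would be fed from the endpoint's security log rather than a hand-built list. The value of the correlation is that either signal alone is noisy, while both on one host within minutes is the kind of early intrusion behaviour an EDR service can act on by isolating the machine.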