New ransomware called “MegaCortex” has been found, and it appears to target corporate networks. Once a network is compromised, the attackers spread MegaCortex across the entire network through Windows domain controllers. The ransomware is so new that researchers are unclear exactly how the attackers gain initial access to a company’s network, but remote desktop services appear to be involved. Once an attacker has access to the victim’s system, the attacker reaches the domain controller and drops the initial payload, which then spreads to other hosts and disables several anti-malware services in Windows. The ransomware then encrypts files across the network and displays a ransom note titled “!!!_READ_ME!!!” that explains what happened and what it takes to decrypt the user’s files. The note goes on to say that if the ransom is paid, the attackers guarantee the company will never again be inconvenienced by them, and that if the decryption software is purchased, the attacker will offer consultation on improving the company’s cybersecurity.
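Two of the behaviours described above are easy to look for on the defender's side: the ransom note filename left in every encrypted directory, and security services being stopped on hosts shortly before encryption begins. The following script is an added example written for this page, not code from the original article or from any vendor; the event-line layout (a timestamp, Service Control Manager event ID 7036, and the standard "The X service entered the Y state." message) is an assumption about how a SIEM might export the Windows System log, and the service names and sample events are constructed, not real MegaCortex indicators.

```python
"""Added defensive example (not from the original article).

Two small detections for the MegaCortex behaviours the article describes:
  1. ransom note "!!!_READ_ME!!!" dropped into directories on a file share
  2. anti-malware services entering the stopped state on Windows hosts
All sample data below is constructed for illustration.
"""
import os
import re
import tempfile

# Ransom note title named in the article.
RANSOM_NOTE_NAME = "!!!_READ_ME!!!"

# Assumed SIEM export format for Service Control Manager event 7036:
#   "<timestamp> 7036 The <service> service entered the <state> state."
SCM_STATE_RE = re.compile(
    r"^(?P<ts>\S+) 7036 The (?P<svc>.+?) service entered the (?P<state>\w+) state\.$"
)

# Constructed watchlist of services a defender would not expect to stop.
WATCHLIST = {"Windows Defender Antivirus Service", "Security Center"}

# Constructed sample events (timestamps and hosts are made up).
SAMPLE_EVENTS = [
    "2019-05-03T10:14:02Z 7036 The Windows Defender Antivirus Service service entered the stopped state.",
    "2019-05-03T10:14:03Z 7036 The Print Spooler service entered the running state.",
    "2019-05-03T10:14:05Z 7036 The Security Center service entered the stopped state.",
    "2019-05-03T10:14:06Z 7036 The Print Spooler service entered the stopped state.",
    "not a service control manager line",
]


def find_ransom_notes(root):
    """Walk a directory tree and return (relative) directories that contain the note.

    Sorted so the output is stable for reporting and for comparison in tests.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if RANSOM_NOTE_NAME in files:
            hits.append(os.path.relpath(dirpath, root))
    return sorted(hits)


def detect_security_service_stops(lines, watchlist=WATCHLIST):
    """Return (timestamp, service) pairs for watchlisted services that stopped.

    Lines that do not match the assumed 7036 layout are ignored rather than
    treated as alerts, so unrelated log noise does not produce false positives.
    """
    alerts = []
    for line in lines:
        m = SCM_STATE_RE.match(line.strip())
        if not m:
            continue
        if m["state"].lower() == "stopped" and m["svc"] in watchlist:
            alerts.append((m["ts"], m["svc"]))
    return alerts


def build_demo_tree():
    """Create a constructed share layout: two directories hit, one untouched."""
    root = tempfile.mkdtemp(prefix="share_")
    for name in ("finance", "hr", "public"):
        os.makedirs(os.path.join(root, name))
    for name in ("finance", "hr"):
        with open(os.path.join(root, name, RANSOM_NOTE_NAME), "w") as fh:
            fh.write("constructed placeholder note text\n")
    return root


if __name__ == "__main__":
    share = build_demo_tree()
    print("directories with ransom note:", find_ransom_notes(share))
    print("security services stopped:", detect_security_service_stops(SAMPLE_EVENTS))
```

The note scan is deliberately keyed on the exact filename reported in the article; on a real share it would be run against the root of each exported volume, and the service-stop check would be fed from the SIEM's own event export with the watchlist filled in from the organisation's actual endpoint protection products.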
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense