Threat Watch

MegaCortex Ransomware

New ransomware called “MegaCortex” has been found and it seems to be targeting corporate networks. Once a network is hacked, attackers infect the entire network with MegaCortex by using Windows domain controllers. This ransomware is so new researchers are unclear as to exactly how the attackers are gaining access to a company’s network, but it appears that remote desktop services may be used. Once an attacker has access to the victim’s system, the attacker accesses the domain controller and drops the initial payload which then expands and disables several anti-malware services in Windows software. The ransomware then encrypts the network’s files and displays a ransom note titled, “!!!_READ_ME!!!” that explains what happened and what it takes to decrypt the user’s files. The note goes on to say if the ransom is paid then they guarantee that the user’s company will never again be inconvenienced by them and that if the decryption software is purchased, then the attacker will offer consultation on improving the company’s cybersecurity.

ANALYST NOTES

Ransomware is only effective if the user has no way of recovering data. Users should routinely back up their data on external storage systems. All employees should be educated on methods of recognizing and identifying malicious spam, and not to open suspicious attachments without first confirming who sent it. Lastly, companies should ensure that remote desktop services are placed behind a firewall and only accessible through a VPN.