MegaCortex is a relatively new ransomware family that continues the 2019 trend of threat actors developing ransomware specifically for targeted attacks on enterprises.
First Week of June 2019, analysis of the MegaCortex Ransomware when a sample was found by MalwareHunter Team. Along with this sample, through came a wave of attacks that affected many organizations.
How does MegaCortex Ransomware Work
The attackers were gaining access to a network and then compromising the Windows domain controller.
Once the domain controller was compromised the attackers would install Cobalt Strike in order to open a reverse shell back to the attackers.
After gaining access to the domain controller, the attackers configured it to distribute a batch file, a renamed PsExec, and winnit.exe, which is one of the main executables of the malware, to the rest of the computers on the network.
When launching the winnit.exe executable, a particular base64 encoded string would need to be provided in order for the ransomware to extract and inject a DLL into memory.
After this step, they run the batch file remotely. This file will terminate Windows processes as well as stop and disable services that will interfere with the ransomware’s routines.
The said DLL is the one responsible for file encryption. It then will check whether the file is accessible for it to be encrypted and if not accessible after several attempts this will be logged on C:\oz_nqjjp.log
Once the ransomware process is activated, it creates these files:
- ********.log
- ********.tsv
- ********.dll
The ******** are eight random characters that are identical for the three files on the affected system. These names are also mentioned in the ransom note called !!!_READ_ME_!!!.txt.
The ransom note, the log file, and the tsv file are all located in the root drive. The dll, on the other hand, can be found in the %temp% folder.
The encrypted files are given the extension.aes128ctr. The encryption routine skips files with the extensions:
- .aes128ctr
- .bat
- .cmd
- .config
- .dll
- .exe
- .lnk
- .manifext
- .mui
- .olb
- .ps1
- .sys
- .tlb
- .tmp
The routine also skips the files:
- desktop.ini
- ********.tsv
- ********.log
It also skips all the files and subfolders under %windir%, with the exception of %windir%\temp. In addition, MegaCortex deletes all the shadow copies on the affected system.
After the encryption routine is complete, MegaCortex displays this rather theatrical ransom note, high on drama and low on grammatical correctness.
As the ransomware encrypts a file it will append the .megac0rtx extension to the encrypted file’s name. For example, test.jpg will be encrypted and renamed to test.jpg.megac0rtx.
Each file that is encrypted, will also include the MEGA-G8=.
As it’s encrypting, the ransomware will also create a log file at C:\x5gj5_gmG8.log that will contain a list of files that could not be encrypted by the ransomware.
When done encrypting files the ransomware will create a ransom note named !!!_READ-ME_!!!.txtand save it on the victim’s desktop. This ransom note contains emails that the victim can use to contact the attackers to find out payment instructions. The note states that ransom amounts range anywhere from 2-3 bitcoins to 600 BTC.
During its execution, the ransomware will also delete Shadow Volume Copies using the vssadmin delete shadows /all /for=C:\ command.
In addition, Kremez told BleepingComputer that there are references to the Windows Cipher /W: command, which is used to overwrite deleted data so that it cannot be recovered using file recovery software.
Recommended protection for MegaCortex
They’re still trying to develop a clearer picture of the infection process, but for now, it appears that there’s a strong correlation between the presence of MegaCortex, and a pre-existing, ongoing infection on the victims’ networks with both Emotet and Qbot. If you are seeing alerts about Emotet or Qbot infections, those should take a high priority. Both of those bots can be used to distribute other malware, and it’s possible that’s how the MegaCortex infections got their start.
