Sophos has discovered a new and sophisticated strain of ransomware called MegaCortex. It was purpose-built to target corporate networks: once the attackers are inside, they push the ransomware to every server and workstation in the domain, using your own Windows domain controllers to do the rollout.
Sophos has detected infections in the United States, Italy, Canada, France, the Netherlands, and Ireland.
This is a fairly new strain, so not much is known yet about how the encryption works, how the attackers are getting in, or whether ransom payments are being honoured.
How To Block MegaCortex Infections
Have weapons-grade backups: off-site, offline, and not reachable with domain credentials, because ransomware routinely destroys every backup it can see.
Make sure your network does not expose any RDP service to the Internet. Put every machine that runs RDP behind a firewall and make it reachable only over a VPN.
While this ransomware is not itself being spread via spam, it may be installed by Trojans that arrive through email.
That is why it is important to train your users to recognise phishing and not fall for social engineering that tricks them into opening malicious attachments they did not ask for.
New-school security awareness training for your whole organization is as important as ever.
MegaCortex Uses Your Own Windows Domain Controllers
It is not 100% clear yet how the bad guys are gaining access to your network, but victims have reported to Sophos that the attacks originate from a compromised domain controller. On the DC, Cobalt Strike is dropped and executed to create a reverse shell back to an attacker's host.
Using that shell, the attackers take over the DC and configure it to distribute a copy of PsExec, the main malware executable, and a batch file to all of the computers on the network, then execute the batch file remotely via PsExec. The batch files seen by Sophos terminate 44 different processes, stop 199 Windows services, and disable 194 services.
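The rollout just described leaves two footprints a defender can look for: PsExec installs its PSEXESVC service on every target it touches (Windows System event ID 7045, "a service was installed"), and the batch file it runs is little more than a long list of taskkill, net stop and sc config commands. The following is an added example, not Sophos' code and not a MegaCortex artefact: it runs simple detection logic over a few constructed log lines and a short constructed batch file. The one-line event layout, the sample data and the thresholds are assumptions made for the example.

```python
"""Detect a PsExec-driven mass rollout and a mass process/service shutdown batch.

Added example, not Sophos' code or a MegaCortex artefact. Sample data is constructed.
  1. System event 7045 naming PSEXESVC (the service PsExec creates on each target),
     seen on many hosts in a short window, indicates fan-out from one source.
  2. A batch body dominated by taskkill / net stop / sc config ... disabled lines
     matches the kill lists described in the text (44 / 199 / 194 entries).
"""
import re
from collections import Counter

# Constructed sample events, flattened to host|event_id|source|service_name|image_path.
SAMPLE_EVENT_LINES = [
    "WS01|7045|Service Control Manager|PSEXESVC|%SystemRoot%\\PSEXESVC.exe",
    "WS02|7045|Service Control Manager|PSEXESVC|%SystemRoot%\\PSEXESVC.exe",
    "SRV-FILE01|7045|Service Control Manager|PSEXESVC|%SystemRoot%\\PSEXESVC.exe",
    "WS03|7045|Service Control Manager|Spooler|%SystemRoot%\\System32\\spoolsv.exe",
    "WS02|7036|Service Control Manager|PSEXESVC|",
]

# Constructed batch file in the style described; far shorter than the real ones.
SAMPLE_BATCH = """@echo off
taskkill /IM sqlservr.exe /F
taskkill /IM outlook.exe /F
taskkill /IM SQLSERVR.EXE /F
net stop "SQL Server (MSSQLSERVER)" /y
net stop MSExchangeIS /y
sc config MSExchangeIS start= disabled
sc config SQLWriter start= disabled
"""


def psexec_service_installs(lines):
    """Count 7045 'service installed' events for PSEXESVC, per host."""
    hits = Counter()
    for line in lines:
        host, event_id, _source, service, image = line.split("|")
        if event_id == "7045" and (service.upper() == "PSEXESVC"
                                   or image.upper().endswith("PSEXESVC.EXE")):
            hits[host] += 1
    return dict(hits)


def mass_rollout_hosts(lines, min_hosts=3):
    """Sorted hosts hit by PsExec once the fan-out reaches min_hosts (assumed threshold), else []."""
    hosts = sorted(psexec_service_installs(lines))
    return hosts if len(hosts) >= min_hosts else []


KILL_RE = re.compile(r"^taskkill\b.*?/IM\s+(\S+)", re.I)
STOP_RE = re.compile(r'^net\s+stop\s+(?:"([^"]+)"|(\S+))', re.I)
DISABLE_RE = re.compile(r"^sc\s+config\s+(\S+)\s+start=\s*disabled\b", re.I)


def batch_kill_profile(text):
    """Count distinct processes killed and services stopped/disabled by a batch file body."""
    killed, stopped, disabled = set(), set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        m = KILL_RE.match(line)
        if m:
            killed.add(m.group(1).lower())
            continue
        m = STOP_RE.match(line)
        if m:
            stopped.add((m.group(1) or m.group(2)).lower())
            continue
        m = DISABLE_RE.match(line)
        if m:
            disabled.add(m.group(1).lower())
    return {"processes_killed": len(killed),
            "services_stopped": len(stopped),
            "services_disabled": len(disabled)}


def is_mass_shutdown_batch(text, min_targets=5):
    """True when kill/stop/disable actions reach min_targets (assumed threshold)."""
    return sum(batch_kill_profile(text).values()) >= min_targets


if __name__ == "__main__":
    print("PsExec fan-out hosts:", mass_rollout_hosts(SAMPLE_EVENT_LINES))
    print("Batch profile:", batch_kill_profile(SAMPLE_BATCH),
          "mass shutdown:", is_mass_shutdown_batch(SAMPLE_BATCH))
```

In a real deployment the 7045 check belongs in the SIEM correlated on the source of the service install (a DC pushing PSEXESVC to dozens of hosts within minutes is the pattern described), and the batch-file scoring can run on anything written to a share or the SYSVOL/NETLOGON folders of a domain controller. Note that PsExec's `-r` option renames the service, so an alert on the name PSEXESVC alone will miss a renamed copy; the image-path match above is a partial hedge.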
Secondary Payloads Present
In addition to the MegaCortex ransomware payload, Sophos has found what it calls "secondary main components" on infected computers. Hashes of some of these payloads are listed at the end of Sophos' report.
Security researcher Vitali Kremez examined some of these secondary payloads and in a conversation with BleepingComputer explained that these files are Rietspoof.
Rietspoof is a multi-stage delivery system used to drop multiple malware payloads on a computer. Because of that, it is not yet known whether Rietspoof is what drops MegaCortex or whether it is installed alongside it as a secondary payload.
Systems Affected / Targeted
- Windows RDP Service
- Windows Server / Domain Controllers