Sophos is reporting a sudden spike in a ransomware strain that it disclosed back in March of this year. Dubbed “MegaCortex”, the ransomware appears to be injected through the Emotet and Qbot (aka Qakbot) malware. Both of these malware families have the ability to serve as a delivery mechanism for other malware. Victims who have been struck report that the source is compromised Windows Active Directory Domain Controllers (DCs). The attacker injects a payload using a Microsoft PowerShell script that allows them full control over the DC. The attacker then instructs the DC to push the MegaCortex malware (a copy of PsExec renamed rstwg.exe, the main malware executable, and a batch file — to the rest of the computers on the network that it can reach, and then runs the batch file remotely via PsExec) to other machines inside the victim’s network using Windows Management Instrumentation (WMI). The attack seems to indicate that an administrative password was reused by the attackers to gain access to the DCs in the first place.
A fully detailed analysis of MegaCortex can be read at https://news.sophos.com/en-us/2019/05/03/megacortex-ransomware-wants-to-be-the-one/.
We highly recommend that if you are a system administrator or security professional that you read the Sophos article about this new ransomware so that you can take actions to protect yourself. If you are, or have ever been infected with Emotet and/or Qbot, we highly recommend that you ensure that your environment, particularly your Active Directory DC’s are cleaned of these malware families. Intrusion Prevention systems should also be actively blocking these malware families.
Because the attackers seem to have reused compromised administrative credentials to gain access into the victim’s DC’s, we strongly recommend that RDP is disabled from being access across the Internet and that two-factor authentication is implemented to at least protect administrative level accounts.
As with all ransomware, it’s important to have consistent, tested backups of data to recover files encrypted by the ransomware. Organizations cannot guarantee that their files will be decrypted if they pay the ransom or that the malware will be removed from their environments.
If you are an Assura security monitoring customer, our Security Operations Center is already monitoring for MegaCortex. If you are an Assura Managed Endpoint Security customer, our endpoint security service is already blocking MegaCortex. If you have any additional questions about MegaCortex, ransomware in general, or any other cyber security related questions, please do not hesitate to contact your Assura Virtual ISO™ or contact us at email@example.com.