MegaCortex variant redesigned a self-executing, incorporates features of previous version


A new variant of MegaCortex ransomware making its way across the U.S. and Europe has been recast as a self-executing menace that doesn’t require a password and is aimed at enterprises, according to a technical analysis released by researchers at Accenture iDefense.

“The disadvantage of the first version was that actors had to run the ransomware manually or risk of leaking the password. This prevented global distribution of the ransomware,” Accenture said. “The MegaCortex Version 2 author has updated the ransomware to remove these disadvantages and redesigned the ransomware to self-execute.”

“It seems this threat actor has done its homework regarding which business model works best,” said Mounir Hahad, who heads Juniper Networks Threat Labs. “It has learned from the infamous SamSam group that also delivers ransomware manually after infiltrating an organization.”

As a result attackers can “precision-deliver highly potent malware while keeping it somewhat difficult to obtain by security researchers,” he said.

The new version of MegaCortex integrates the first iteration’s script features. It also “decrypts the main payload and executes in memory; detects and terminates security tools; [and] detects and stops various types of software such as backup software, database software and Web server software so there is no update to files related to that software,” the analysis showed, as well as “hardcodes the password into the ransomware to allow the ransomware to decrypt the main payload automatically; and integrates the loader, main module and worker into a single executable.”

Ransomware incidents have ramifications beyond a particular targeted company, “affecting the entire ecosystem,” including business partners, suppliers and vendors, Matan Or-El, co-founder and CEO of Panorays, stressed. “This ransomware interrupts corporate operations and causes a Denial-of-Service to the supply chain.”

On the plus side, the MegaCortex variant “is fairly easy to detect, should the threat actor decide to use it more widely or put it up on a ransomware-as-a-service offering,” said Hahad.

Noting “a variety of actions” companies have at their disposal to mitigate supply chain risks,” Matan recommends they “evaluate the cyber posture of their third parties and demand that they adhere to a certain security standard.”

They should also have a set policy for securely dealing with third parties, like severing those “connections with a high-risk vendor” that don’t meet a set security threshold or requiring a password change for those vendors that represent a medium risk.  Finally, organizations “should continuously monitor the security posture of their third parties, receive notification of any change in their security and act according to the policy they put in place,” said Matan.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.