Workload and Application Security Blog

MegaCortex Malware Strikes, Does Damage Both as Ransomware and Disk Wiper

Written by Virsec Systems | Sep 8, 2019 4:03:33 AM

Different research groups have been studying a new and worsening ransomware, MegaCortex, that’s hitting corporate networks and workstations. After gaining entry, the hackers invade the whole network, infecting it with ransomware via Windows domain controllers.

MegaCortex Ransomware Possibly Combined with Trojans

In a recent report, Sophos Research relayed that they’ve seen MegaCortex strikes in the US, Canada and Europe (France, the Netherlands, Italy and Ireland). Much is still unknown about exactly how the attackers are gaining entry or what encryption algorithms they are using.

One theory is that the attackers are working with Trojan operators to gain access. An important observation is that on networks where MegaCortex has been present, Emotet or Qakbot Trojans have also been present.

Emotet Trojans strike banks, using malware to download other banking Trojans that inject code and steal financial information from Microsoft computers. Qakbot (QBot) Trojans worm their way through networks and drives, grabbing files as they go. They aren’t detectable by anti-virus programs and it’s possible these Trojans are aiding and abetting the MegaCortex operation. Those targeted by the ransomware told Sophos researchers that the attacks came via a compromised domain controller.

There are no reports yet on whether any victims of MegaCortex who paid the ransom got their data back.

MegaCortex Also Includes Disk Wiping Function

Another group, IBM Security’s X-Force Incident Response Services (IRIS), has also been investigating ransomware attacks and has observed several characteristics of them, including a disk wiper function. X-Force IRIS is seeing combined activity in the attacks that includes both malicious encryption (with ransom demands) and disk wiper actions against the victims, making the situation even worse for them. If victims don’t pay the ransom, they not only lose their data, they could lose their entire operating system, giving them an even bigger mess to resolve.

MegaCortex performs in this particularly villainous way, and another malware, LockerGoga, is similar. A new strain of LockerGoga came out in which the hackers disable the computer’s network adapter. They then log the computer off the network after they’ve changed the user’s admin passwords, so that it’s impossible for the admins to get back into their systems. This leaves victims with problems on top of problems.

Malware Increasing in Quantity and Severity

IRIS reports a 200 percent rise in damaging malware attacks in the first half of 2019 compared to the last half of 2018. The cost of these ransomware attacks takes a toll on their victims. IRIS calculated that when companies are hit globally, it costs them $239 million on average, along with over 500 hours of recovery and response time. They’ve also learned that a single attack ruins about 12,000 machines on average.

Some Ransomware Targets Specific Industries

Some strains of these ransomware/malware attacks appear to be used to go after particular industries. This occurred with several attacks against chemical and manufacturing companies, including Norsk Hydro and Aebi Schmidt (see our blog, Huge manufacturing company Aebi Schmidt struck by ransomware). These companies suffered attacks on their IT and OT systems, jeopardizing more than just their files. The threats they faced were harmful to property, equipment, and human life.

X-Force IRIS has seen energy and manufacturing companies victimized by attackers. In one case, a small company of 20,000 users was attacked and the hackers, after breaking into the network, spent four (4) months of dwell time there before releasing the malware. They spent that time spying, scoping the system, and plotting the steps of their attack.

What Can Companies Do to Keep Hackers & Ransomware Out?

Ransomware is the fastest-growing malware threat happening today. Reports this year have shown companies haven’t done nearly enough to protect themselves, and some of the steps toward better protection are relatively simple – simpler for sure than dealing with a massive data breach.

A layered approach to defense serves companies best. One example of such a layer is incorporating multifactor authentication for verifying proper users. Many recent devastating breaches could have been avoided had strong authentication been in place. Some new technologies, such as those from Virsec, can provide protection to your system without requiring system overhauls or placing burdens on staff.

Virsec Can Protect Your Applications from a Ransomware Attack

Virsec delivers the most advanced application protection without friction or tuning, ensuring defense against attacks that bypass traditional security solutions. The Virsec Security Platform secures the entire application stack from memory to the web as attacks, including ransomware attacks, happen, identifying OWASP Top 10, advanced targeted attacks, injection attacks, and unknown threats. It automatically blocks sophisticated memory-based attacks, zero-day threats, stealthy fileless malware including ransomware, and more with unprecedented accuracy and minimal impact on applications.

Unlike signature-based solutions, Virsec requires no prior insight into attack patterns or methods. Security is provisioned once, at the code and memory level, so no matter what method or entry point an attacker uses, applications run only intended application functions.

Virsec helps organizations reduce costs and minimize risk on high-valued applications and infrastructure control systems by ensuring an effective defense against increasingly advanced application attacks today and tomorrow.

Watch Virsec Ransomware Demo

If you have not already, upgrade your security infrastructure to guardrail your applications and counter any thought of a ransom attack. Watch our demo of a multi-step ransomware attack in action using advanced hacking tools. See how the Virsec Security Platform can instantly spot this attack at every stage and stop it. If you are not already partnering with Virsec, it may be time to consider doing so, whether before you face a ransomware demand like MegaCortex or while you are recovering from an attack.