FIN6 cybercrime actor adds ransomware attacks to its repertoire

Published on August 6th, 2019


MegaCortex variant redesigned to self-execute, incorporates features of previous version

A new variant of MegaCortex ransomware making its way across the U.S. and Europe has been recast as a self-executing menace that doesn’t require a password and is aimed at enterprises, according to a technical analysis released by researchers at Accenture iDefense.

“The disadvantage of the first version was that actors had to run the ransomware manually or risk leaking the password. This prevented global distribution of the ransomware,” Accenture said. “The MegaCortex Version 2 author has updated the ransomware to remove these disadvantages and redesigned the ransomware to self-execute.”

“It seems this threat actor has done its homework regarding which business model works best,” said Mounir Hahad, who heads Juniper Networks Threat Labs. “It has learned from the infamous SamSam group that also delivers ransomware manually after infiltrating an organization.”

As a result, attackers can “precision-deliver highly potent malware while keeping it somewhat difficult to obtain by security researchers,” he said.

The new version of MegaCortex integrates the first iteration’s script features. It also “decrypts the main payload and executes in memory; detects and terminates security tools; [and] detects and stops various types of software such as backup software, database software and Web server software so there is no update to files related to that software,” the analysis showed, as well as “hardcodes the password into the ransomware to allow the ransomware to decrypt the main payload automatically; and integrates the loader, main module and worker into a single executable.”
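The service-stopping behaviour described above is also a detection opportunity, and the following added example (not code from Accenture, Juniper or the original article) shows one way to surface it: a Python heuristic that reads an export of Windows service-stop events and flags any host where backup, database, web server and security services are all stopped within a short window. The export format, the service-name keyword lists, the host names and the event lines are all constructed assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Keyword -> category, matched case-insensitively against the service name
# (illustrative names assumed here, not a list taken from the Accenture analysis).
SERVICE_CATEGORIES = {
    "backup": "backup", "veeam": "backup", "vss": "backup",
    "sql": "database", "postgres": "database", "mysql": "database",
    "w3svc": "web", "apache": "web", "nginx": "web",
    "defend": "security", "antivirus": "security", "sense": "security",
}
# Assumed flat export "<ISO time> <host> <EventID> <message>"; Windows System
# log Event ID 7036 records a service entering a new state.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<eid>\d+) "
                     r"The (?P<svc>.+?) service entered the stopped state")
# Constructed sample: FS01 stops backup, database, web and AV services within
# a minute (plus an unrelated spooler stop); WEB02 only bounces its web server.
SAMPLE_LINES = [
    "2019-08-06T02:14:03 FS01 7036 The Veeam Backup Service service entered the stopped state.",
    "2019-08-06T02:14:05 FS01 7036 The SQL Server (MSSQLSERVER) service entered the stopped state.",
    "2019-08-06T02:14:09 FS01 7036 The W3SVC service entered the stopped state.",
    "2019-08-06T02:14:12 FS01 7036 The Windows Defender Antivirus Service service entered the stopped state.",
    "2019-08-06T02:14:13 FS01 7036 The Print Spooler service entered the stopped state.",
    "2019-08-06T03:10:00 WEB02 7036 The W3SVC service entered the stopped state.",
    "2019-08-06T03:10:04 WEB02 7036 The W3SVC service entered the running state.",
]

def categorize(service):
    name = service.lower()
    return {cat for kw, cat in SERVICE_CATEGORIES.items() if kw in name}

def detect_stop_bursts(lines, window=timedelta(minutes=2), min_categories=3):
    """{host: sorted categories} where >= min_categories categories stop within window."""
    events = {}  # host -> [(timestamp, categories)]
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("eid") != "7036":
            continue
        cats = categorize(m.group("svc"))
        if cats:  # stops of services outside the watched categories are ignored
            events.setdefault(m.group("host"), []).append((datetime.fromisoformat(m.group("ts")), cats))
    alerts = {}
    for host, evs in events.items():
        evs.sort(key=lambda e: e[0])
        for i, (t0, _) in enumerate(evs):  # slide the window start over each event
            seen = set().union(*(c for t, c in evs[i:] if t - t0 <= window))
            if len(seen) >= min_categories:
                alerts[host] = sorted(seen)
                break
    return alerts
```

Running `detect_stop_bursts(SAMPLE_LINES)` flags only FS01; a host that merely restarts one service never reaches the category threshold.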

Ransomware incidents have ramifications beyond a particular targeted company, “affecting the entire ecosystem,” including business partners, suppliers and vendors, Matan Or-El, co-founder and CEO of Panorays, stressed. “This ransomware interrupts corporate operations and causes a Denial-of-Service to the supply chain.”

On the plus side, the MegaCortex variant “is fairly easy to detect, should the threat actor decide to use it more widely or put it up on a ransomware-as-a-service offering,” said Hahad.

Noting that companies have “a variety of actions” at their disposal to mitigate supply chain risks, Or-El recommends they “evaluate the cyber posture of their third parties and demand that they adhere to a certain security standard.”

They should also have a set policy for securely dealing with third parties, such as severing “connections with a high-risk vendor” that doesn’t meet a set security threshold, or requiring a password change for vendors that represent a medium risk. Finally, organizations “should continuously monitor the security posture of their third parties, receive notification of any change in their security and act according to the policy they put in place,” said Or-El.
