The MegaCortex ransomware first appeared in January 2019 with few interesting attributes, including the use of a signed executable as part of the payload, and an offer of security consulting services from the malware author. The ransomware used both automated and manual components to infect as may victims as possible. The MegaCortex ransomware is being targeted at corporations rather than individual users and may possibly be leveraging networks that have already been compromised in a previous attack using Emotet and Qakbot malware.

Capabilities

• Information Theft
• File Encryption
• Disabling usage capability

Infection Routine

Once a vulnerable domain controller is compromised, the attacker configures it to drop a batch file, PsExec, and winnit.exe-which is the core malware file component to other machines. Upon execution of the batch file, this will terminate Windows processes and any other services that can halt or prevent the ransomware’s execution flow. The batch file then executes the main malware component –winnit.exe which searches for files that can be encrypted. A DLL with a random-generated filename is also extracted and ran with rundll32.exe. The said DLL is the one responsible for file encryption. It then will check whether the file is accessible for it to be encrypted and if not accessible after several attempts this will be logged on C:\oz_nqjjp.log

Target Extension:

• .dll
• .exe
• .sys
• .mui
• .tmp
• .lnk
• .config
• .manifest
• .tib
• .old

It avoids encrypting files found in the folder %Windows%.

Ransomnote: