The MegaCortex ransomware first appeared in January 2019 with a few interesting attributes, including the use of a signed executable as part of the payload and an offer of security consulting services from the malware author. The ransomware uses both automated and manual components to infect as many victims as possible. MegaCortex is targeted at corporations rather than individual users and may be leveraging networks that were already compromised in a previous attack using the Emotet and Qakbot malware.
Capabilities
- Information Theft
- File Encryption
- Disabling usage capability
Infection Routine
Once a vulnerable domain controller is compromised, the attacker configures it to drop a batch file, PsExec, and winnit.exe (the core malware component) onto other machines. When executed, the batch file terminates Windows processes and any other services that could halt or prevent the ransomware's execution flow. The batch file then executes the main malware component, winnit.exe, which searches for files that can be encrypted. A DLL with a randomly generated filename is also extracted and run with rundll32.exe; this DLL is the one responsible for file encryption. It checks whether each file is accessible for encryption, and if a file is still not accessible after several attempts, this is logged to C:\oz_nqjjp.log.
Target Extensions:
- .dll
- .exe
- .sys
- .mui
- .tmp
- .lnk
- .config
- .manifest
- .tib
- .old
It avoids encrypting files found in the folder %Windows%.
Ransom note:
Available Solution
VSAPI and TrendX
VSAPI/SMART
Pattern | Detection/Policy/Rules | Pattern branch/version | Released date/time |
---|---|---|---|
TrendX | Troj.Win32.TRX.XXPE50F13007, TROJ.Win32.TRX.XXPE50FLM005 | N/A | April 16, 2019 |
VSAPI | Ransom.Win32.CORTEX.SM, Ransom.Win32.CORTEX.A, Ransom.Win32.CORTEX.B, Ransom.BAT.CORTEX.D, Worm.BAT.CORTEX.A, Trojan.BAT.CORTEX.A, Ransom.BAT.CORTEX.B, Ransom.BAT.CORTEX.A, Ransom.Win32.CORTEX.A.note | ENT OPR 14.989.03 | May 9, 2019 |
Behavior Monitoring
Behavioral Monitoring
Pattern | Detection/Policy/Rules | Pattern branch/version | Released date |
---|---|---|---|
AEGIS | PA5965S - checks for the dropped ransom note and .tsv file in the root directory | TMTD OPR 1899 | May 10, 2019 |
AEGIS | RAN2922S - Multiple Forced Taskkill Commands | TMTD OPR 1899 | May 10, 2019 |
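The process chain in the Infection Routine above (the batch file issuing forced taskkill commands, then rundll32.exe running a DLL with a randomly generated name) is the behaviour that the AEGIS rule RAN2922S keys on. As an added illustration, not Trend Micro's code or the rule's own logic, the following Python detector runs over constructed process-creation events and flags both steps of that chain. The JSON event schema, the thresholds, the trusted-directory list and the filename-entropy heuristic are all assumptions made for this example.

```python
import json
import math
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Thresholds and the event schema below are assumptions made for this example;
# they are not the values used by the vendor's AEGIS rules.
TASKKILL_THRESHOLD = 5                    # forced kills from one parent ...
TASKKILL_WINDOW = timedelta(seconds=30)   # ... inside this window
MIN_STEM_ENTROPY = 2.5                    # bits/char; a random 8-char name scores 3.0
MIN_STEM_LENGTH = 6
TRUSTED_DLL_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

TASKKILL_FORCED = re.compile(r"\btaskkill(?:\.exe)?\b.*\s/f\b", re.IGNORECASE)
RUNDLL32_DLL = re.compile(r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^\s,"]+\.dll)', re.IGNORECASE)

# Constructed process-creation events (one JSON object per line), modelled on
# the chain described above: cmd.exe (pid 4100) running the batch file issues
# a burst of forced taskkills, then launches rundll32.exe on a DLL with a
# random-looking name in the drive root. The last two lines are benign noise.
SAMPLE_EVENTS = r'''
{"ts": "2019-05-09T10:00:00", "pid": 4101, "ppid": 4100, "image": "taskkill.exe", "cmdline": "taskkill /F /IM backupsvc.exe"}
{"ts": "2019-05-09T10:00:01", "pid": 4102, "ppid": 4100, "image": "taskkill.exe", "cmdline": "taskkill /F /IM dbengine.exe"}
{"ts": "2019-05-09T10:00:02", "pid": 4103, "ppid": 4100, "image": "taskkill.exe", "cmdline": "taskkill /F /IM mailsvc.exe"}
{"ts": "2019-05-09T10:00:03", "pid": 4104, "ppid": 4100, "image": "taskkill.exe", "cmdline": "taskkill /F /IM indexsvc.exe"}
{"ts": "2019-05-09T10:00:04", "pid": 4105, "ppid": 4100, "image": "taskkill.exe", "cmdline": "taskkill /F /IM syncsvc.exe"}
{"ts": "2019-05-09T10:00:05", "pid": 4106, "ppid": 4100, "image": "taskkill.exe", "cmdline": "taskkill /F /IM reportsvc.exe"}
{"ts": "2019-05-09T10:00:09", "pid": 4120, "ppid": 4100, "image": "rundll32.exe", "cmdline": "rundll32.exe C:\\kfnyjdcz.dll,#1"}
{"ts": "2019-05-09T10:01:00", "pid": 5200, "ppid": 900, "image": "rundll32.exe", "cmdline": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"}
{"ts": "2019-05-09T10:02:00", "pid": 5300, "ppid": 901, "image": "taskkill.exe", "cmdline": "taskkill /F /PID 1234"}
'''


def shannon_entropy(text):
    """Bits per character of the string; a crude measure of how random a name looks."""
    if not text:
        return 0.0
    counts = Counter(text.lower())
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_events(lines):
    """Parse JSON-per-line events and return them sorted by timestamp."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_forced_taskkill_burst(events):
    """Flag parents that issue TASKKILL_THRESHOLD or more 'taskkill /F' commands
    within TASKKILL_WINDOW (the 'Multiple Forced Taskkill Commands' behaviour)."""
    per_parent = defaultdict(list)
    for ev in events:                      # events are already time-ordered
        if TASKKILL_FORCED.search(ev["cmdline"]):
            per_parent[ev["ppid"]].append(ev["ts"])
    alerts = []
    for ppid, stamps in per_parent.items():
        best, start = 0, 0
        for end, ts in enumerate(stamps):  # sliding window over the parent's kills
            while ts - stamps[start] > TASKKILL_WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= TASKKILL_THRESHOLD:
            alerts.append({"rule": "forced_taskkill_burst", "ppid": ppid, "count": best})
    return alerts


def detect_suspicious_rundll32(events):
    """Flag rundll32.exe loading a DLL that lives outside the trusted directories
    and whose file name looks randomly generated."""
    alerts = []
    for ev in events:
        m = RUNDLL32_DLL.search(ev["cmdline"])
        if not m:
            continue
        dll = m.group("dll").lower()
        if dll.startswith(TRUSTED_DLL_DIRS):
            continue
        stem = dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if len(stem) >= MIN_STEM_LENGTH and shannon_entropy(stem) >= MIN_STEM_ENTROPY:
            alerts.append({"rule": "rundll32_random_dll", "pid": ev["pid"], "dll": dll})
    return alerts


def run_detections(lines):
    """Run both detections over raw event lines and return all alerts."""
    events = parse_events(lines)
    return detect_forced_taskkill_burst(events) + detect_suspicious_rundll32(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

Run against the constructed sample, the detector raises exactly two alerts: the burst of six forced kills from parent pid 4100 and the rundll32.exe launch of the random-named DLL in the drive root; the shell32.dll launch is ignored because it lives under the Windows directory, and the lone taskkill from pid 901 stays below the threshold. In a real deployment the two alerts would be correlated on the same parent process, which is what makes the chain far more specific than either command on its own.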
Anti-Spam and Web Protection
Email Protection
Subject | MD5 | Pattern branch/version | Released date |
---|---|---|---|
N/A | N/A | N/A | N/A |

URL Protection
URL | Category | Blocking Date |
---|---|---|
N/A | N/A | N/A |
Solution Map
Product | Version | Virus Pattern | Behavior Monitoring | TrendX |
---|---|---|---|---|
Apex One and Apex Central | SaaS and On Premise | Turn On Real Time Scan via Apex Central | Turn On Ransomware Protection Features via Apex Central | Turn On Predictive Machine Learning via Apex Central |
OfficeScan | XG and above | Turn On Real Time Scan/Update Patterns via Web Console | Turn On Ransomware Protection Features/Update Pattern via Web Console | Turn On Predictive Machine Learning via Web Console |
OfficeScan | 11 SP1 | Turn On Real Time Scan/Update Patterns via Web Console | Turn On Ransomware Protection Feature/Update Pattern via Web Console | |
Deep Security | 11 | Enable Anti-Malware Policies and Turn on Real Time Scan in Deep Security Manager | Configure Anti-Malware Policies and Enable Ransomware Protection Modules in Deep Security Manager | Enable Predictive Machine Learning in Deep Security Manager |
Deep Security | 10 | Enable Anti-Malware Policies and Turn on Real Time Scan in Deep Security Manager | Configure Anti-Malware Policies and Enable Ransomware Protection Modules in Deep Security Manager | |
Worry-Free Business Security | Services (SaaS) | Turn On Real Time Scan via Web Console | Turn On Ransomware Protection Features via Web Console | Turn On Predictive Machine Learning via Web Console |
Worry-Free Business Security | 10 and Above | Turn On Real Time Scan/Update Patterns via Web Console | Turn On Ransomware Protection Features/Update Pattern via Web Console | Turn On Predictive Machine Learning via Web Console |
Recommendations
- Ransomware: Solutions, Best Practice Configuration and Prevention using Trend Micro products
- Submitting suspicious or undetected virus for file analysis to Technical Support
Threat Report
Threat Report: Ransom.Win32.CORTEX.A