MegaCortex Ransomware Information

Updated: 31 May 2019

Product/Version:
    • Apex Central 2019.All
    • Apex One 2019.All
    • Apex One as a Service All.All
    • Deep Security All.All
    • Deep Security as a Service All.All
    • OfficeScan 11.0
    • OfficeScan XG.All
    • Worry-Free Business Security Services All.All
    • Worry-Free Business Security Standard/Advanced 10.0
    • Worry-Free Business Security Standard/Advanced 9.0
    • Worry-Free Business Security Standard/Advanced 9.5

Platform: N/A
Summary

The MegaCortex ransomware first appeared in January 2019 with a few interesting attributes, including the use of a signed executable as part of the payload and an offer of security consulting services from the malware author. The ransomware uses both automated and manual components to infect as many victims as possible. MegaCortex is targeted at corporations rather than individual users and may be leveraging networks that were already compromised in a previous attack using the Emotet and Qakbot malware.

Capabilities

  • Information Theft
  • File Encryption
  • Disabling usage capability

Infection Routine

[Figure: MegaCortex infection routine]

Once a vulnerable domain controller is compromised, the attacker configures it to drop a batch file, PsExec, and winnit.exe (the core malware component) to other machines. When the batch file is executed, it terminates Windows processes and any other services that could halt or prevent the ransomware's execution flow. The batch file then executes the main malware component, winnit.exe, which searches for files that can be encrypted. A DLL with a randomly generated filename is also extracted and run with rundll32.exe; this DLL is the component responsible for file encryption. It checks whether each file is accessible for encryption, and if a file is still not accessible after several attempts, this is logged to C:\oz_nqjjp.log.

Target Extension:

  • .dll
  • .exe
  • .sys
  • .mui
  • .tmp
  • .lnk
  • .config
  • .manifest
  • .tib
  • .old

It avoids encrypting files found in the folder %Windows%.

Ransom note:

[Image: MegaCortex ransom note]

Details

Available Solution

VSAPI and TrendX

VSAPI/SMART Pattern | Detection/Policy/Rules | Pattern branch/version | Released date/time
TrendX | Troj.Win32.TRX.XXPE50F13007, TROJ.Win32.TRX.XXPE50FLM005 | N/A | April 16, 2019
VSAPI | Ransom.Win32.CORTEX.SM, Ransom.Win32.CORTEX.A, Ransom.Win32.CORTEX.B, Ransom.BAT.CORTEX.D, Worm.BAT.CORTEX.A, Trojan.BAT.CORTEX.A, Ransom.BAT.CORTEX.B, Ransom.BAT.CORTEX.A, Ransom.Win32.CORTEX.A.note | ENT OPR 14.989.03 | May 9, 2019

Behavior Monitoring

Behavioral Monitoring Pattern | Detection/Policy/Rules | Pattern branch/version | Released date
AEGIS | PA5965S - checks for the dropped ransom note and .tsv file in rootdir | TMTD OPR 1899 | May 10, 2019
AEGIS | RAN2922S - Multiple Forced Taskkill Commands | TMTD OPR 1899 | May 10, 2019
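As an added example (not code from the Trend Micro article or its products), the following Python detector mirrors the RAN2922S rule above and two artifacts from the infection routine: a burst of forced taskkill commands from one parent process, rundll32.exe launching a DLL, and creation of C:\oz_nqjjp.log. The log format, host names, DLL name and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry in a simplified "timestamp|host|event|parent|command"
# format; it is NOT real data from the article. Host names and DLL name are made up.
SAMPLE_EVENTS = """\
2019-05-09T10:00:01|DC01|ProcessCreate|psexesvc.exe|cmd.exe /c C:\\Windows\\Temp\\run.bat
2019-05-09T10:00:02|DC01|ProcessCreate|cmd.exe|taskkill /f /im sqlservr.exe
2019-05-09T10:00:02|DC01|ProcessCreate|cmd.exe|taskkill /f /im outlook.exe
2019-05-09T10:00:03|DC01|ProcessCreate|cmd.exe|taskkill /f /im excel.exe
2019-05-09T10:00:05|DC01|ProcessCreate|cmd.exe|winnit.exe
2019-05-09T10:00:06|DC01|ProcessCreate|winnit.exe|rundll32.exe C:\\Users\\Public\\a8fk2qz.dll,#1
2019-05-09T10:00:09|DC01|FileCreate|winnit.exe|C:\\oz_nqjjp.log
2019-05-09T10:30:00|WS07|ProcessCreate|explorer.exe|taskkill /f /im notepad.exe
"""

KILL_THRESHOLD = 3   # assumption: 3 or more forced kills from one parent ...
KILL_WINDOW_S = 60   # ... within 60 seconds counts as "multiple forced taskkill commands"

def parse_events(raw):
    """Parse the pipe-delimited lines into dicts; timestamps become datetimes."""
    events = []
    for line in raw.strip().splitlines():
        ts, host, kind, parent, cmd = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "kind": kind, "parent": parent.lower(), "cmd": cmd})
    return events

def detect(events):
    """Return (rule, host, detail) alerts for the three MegaCortex-style behaviours."""
    alerts, kills = [], defaultdict(list)
    for e in events:
        cmd = e["cmd"].lower()
        if e["kind"] == "ProcessCreate":
            if re.search(r"\btaskkill\b.*\s/f\b", cmd):          # forced kill: taskkill /f
                kills[(e["host"], e["parent"])].append(e["ts"])
            elif re.match(r"rundll32(\.exe)?\s+\S+\.dll", cmd):   # DLL run via rundll32
                alerts.append(("rundll32_dll", e["host"], e["cmd"]))
        elif e["kind"] == "FileCreate" and cmd == "c:\\oz_nqjjp.log":
            alerts.append(("inaccessible_file_log", e["host"], e["cmd"]))
    for (host, parent), stamps in kills.items():     # sliding window over kill bursts
        stamps.sort()
        for i in range(len(stamps) - KILL_THRESHOLD + 1):
            if (stamps[i + KILL_THRESHOLD - 1] - stamps[i]).total_seconds() <= KILL_WINDOW_S:
                alerts.append(("forced_taskkill_burst", host, f"{parent}: {len(stamps)} kills"))
                break
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The single taskkill on WS07 stays below the threshold, which is the point of counting per parent process rather than alerting on every forced kill.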

Anti-Spam and Web Protection

Email Protection | Subject | MD5 | Pattern branch/version | Released date
N/A | N/A | N/A | N/A | N/A

URL Protection | URL | Category | Blocking Date
N/A | N/A | N/A | N/A

Solution Map

Product | Version | Virus Pattern | Behavior Monitoring | TrendX
Apex One and Apex Central | SaaS and On Premise | Turn On Real Time Scan via Apex Central | Turn On Ransomware Protection Features via Apex Central | Turn On Predictive Machine Learning via Apex Central
OfficeScan | XG and above | Turn On Real Time Scan / Update Patterns via Web Console | Turn On Ransomware Protection Features / Update Pattern via Web Console | Turn On Predictive Machine Learning via Web Console
OfficeScan | 11 SP1 | Turn On Real Time Scan / Update Patterns via Web Console | Turn On Ransomware Protection Feature / Update Pattern via Web Console |
Deep Security | 11 | Enable Anti-Malware Policies and Turn on Real Time Scan in Deep Security Manager | Configure Anti-Malware Policies and Enable Ransomware Protection Modules in Deep Security Manager | Enable Predictive Machine Learning in Deep Security Manager
Deep Security | 10 | Enable Anti-Malware Policies and Turn on Real Time Scan in Deep Security Manager | Configure Anti-Malware Policies and Enable Ransomware Protection Modules in Deep Security Manager |
Worry-Free Business Security | Services (SaaS) | Turn On Real Time Scan via Web Console | Turn On Ransomware Protection Features via Web Console | Turn On Predictive Machine Learning via Web Console
Worry-Free Business Security | 10 and above | Turn On Real Time Scan / Update Patterns via Web Console | Turn On Ransomware Protection Features / Update Pattern via Web Console | Turn On Predictive Machine Learning via Web Console

Recommendations

  • Threat Report: Ransom.Win32.CORTEX.A
  • Blog: MegaCortex Ransomware Spotted Attacking Enterprise Networks

Category: Configure; Troubleshoot; Remove a Malware / Virus; Migrate
Solution Id: 1122802