MegaCortex Ransomware Information

Summary

The MegaCortex ransomware first appeared in January 2019 with few interesting attributes, including the use of a signed executable as part of the payload, and an offer of security consulting services from the malware author. The ransomware used both automated and manual components to infect as may victims as possible. The MegaCortex ransomware is being targeted at corporations rather than individual users and may possibly be leveraging networks that have already been compromised in a previous attack using Emotet and Qakbot malware.

Capabilities

Information Theft
File Encryption
Disabling usage capability

Infection Routine

Once a vulnerable domain controller is compromised, the attacker configures it to drop a batch file, PsExec, and winnit.exe-which is the core malware file component to other machines. Upon execution of the batch file, this will terminate Windows processes and any other services that can halt or prevent the ransomware’s execution flow. The batch file then executes the main malware component –winnit.exe which searches for files that can be encrypted. A DLL with a random-generated filename is also extracted and ran with rundll32.exe. The said DLL is the one responsible for file encryption. It then will check whether the file is accessible for it to be encrypted and if not accessible after several attempts this will be logged on C:\oz_nqjjp.log

Target Extension:

.dll
.exe
.sys
.mui
.tmp
.lnk
.config
.manifest
.tib
.old

It avoids encrypting files found in the folder %Windows%.

Ransomnote:

Details

Available Solution

VSAPI and TrendX

VSAPI/SMART	Pattern	Detection/Policy/Rules	Pattern branch/version	Released date/time
	TrendX	Troj.Win32.TRX.XXPE50F13007 TROJ.Win32.TRX.XXPE50FLM005	N/A	April 16, 2019
	VSAPI	Ransom.Win32.CORTEX.SM Ransom.Win32.CORTEX.A Ransom.Win32.CORTEX.B Ransom.BAT.CORTEX.D Worm.BAT.CORTEX.A Trojan.BAT.CORTEX.A Ransom.BAT.CORTEX.B Ransom.BAT.CORTEX.A Ransom.Win32.CORTEX.A.note	ENT OPR 14.989.03	May 9, 2019

Behavior Monitoring

Behavioral Monitoring	Pattern	Detection/Policy/Rules	Pattern branch/version	Released date
	AEGIS	PA5965S - checks for the dropped ransom note and .tsv file in rootdir	TMTD OPR 1899	May 10, 2019
	AEGIS	RAN2922S - Multiple Forced Taskkill Commands	TMTD OPR 1899	May 10, 2019

Anti-Spam and Web Protection

Email Protection	Subject	MD5	Pattern branch/version	Released date
Email Protection	N/A	N/A	N/A	N/A

URL Protection	URL	Category	Blocking Date
URL Protection	N/A	N/A	N/A

Solution Map

Product	Version	Virus Pattern	Behavior Monitoring	TrendX
Apex One and Apex Central	SaaS and On Premise	Turn On Real Time Scan via Apex Central	Turn On Ransomware Protection Features via Apex Central	Turn On Predictive Machine Learning via Apex Central
OfficeScan	XG and above	Turn On Real Time Scan/ Update Patterns via Web Console	Turn On Ransomware Protection Features /Update Pattern via Web console	Turn On Predictive Machine Learning via Web Console
OfficeScan	11 SP1	Turn On Real Time Scan/ Update Patterns via Web Console	Turn On Ransomware Protection Feature/Update Pattern via Web console
Deep Security	11	Enable Anti-Malware Policies and Turn on Real Time Scan in Deep Security Manager	Configure Anti Malware Policies and Enable Ransomware Protection Modules in Deep Security Manager	Enable Predictive Machine Learning in Deep Security Manager
Deep Security	10	Enable Anti-Malware Policies and Turn on Real Time Scan in Deep Security Manager	Configure Anti Malware Policies and Enable Ransomware Protection Modules in Deep Security Manager
Worry-Free Business Security	Services (SaaS)	Turn On Real Time Scan via Web Console	Turn On Ransomware Protection Features via Web console	Turn On Predictive Machine Learning via Web Console
Worry-Free Business Security	10 and Above	Turn On Real Time Scan/ Update Patterns via Web Console	Turn On Ransomware Protection Features /Update Pattern via Web console	Turn On Predictive Machine Learning via Web Console