A new ransomware called MegaCortex has been discovered targeting corporate networks and the workstations on them. Once a network is penetrated, the attackers infect the entire network by distributing the ransomware through the Windows domain controllers. In a new report, Sophos states that it has seen customers in the United States, Italy, Canada, France, the Netherlands, and Ireland infected with it.

As MegaCortex is fairly new, little is currently known about its encryption algorithm, exactly how the attackers gain initial access to a network, or whether ransom payments are being honored. Sophos has found the Emotet or Qakbot Trojans present on networks that were also infected with MegaCortex, which may suggest that the attackers are paying Trojan operators for access to already-infected systems, in a similar manner to Ryuk.

While it is not entirely clear how the attackers first get in, victims have reported to Sophos that the attacks originate from a compromised domain controller. On the domain controller, Cobalt Strike is dropped and executed to open a reverse shell back to an attacker-controlled host. Through this shell the attackers remotely control the domain controller and configure it to distribute a copy of PsExec, the main ransomware executable, and a batch file to every computer on the network, then execute the batch file remotely on each machine via PsExec. When encrypting a computer, the ransomware appends an extension, .aes128ctr in one observed case, to the names of encrypted files.
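The domain-controller-to-workstation fan-out described above (PsExec pushed to every host, a batch file executed remotely through it) leaves a recognisable trace in host telemetry. The following Python is an added example, not code from the article or from Sophos: it runs a simple detection over constructed sample records shaped like Windows System event 7045 (service installed) and Security event 4688 (process created). It relies only on the well-known fact that PsExec installs a service named PSEXESVC backed by PSEXESVC.exe on the target; the host names, file paths and batch-file name in the sample are placeholders, and the extension check uses the one extension the report mentions.

```python
import re

# Constructed sample records (not real telemetry), normalised the way a SIEM
# would export them. Three workstations receive the PsExec service stub and
# two of them run a batch file under it; WS04 carries benign look-alikes.
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "WS01", "event_id": 4688,
     "parent_process": r"C:\Windows\PSEXESVC.exe",
     "new_process": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c C:\Windows\Temp\stage.bat"},  # placeholder name
    {"host": "WS02", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "WS02", "event_id": 4688,
     "parent_process": r"C:\Windows\PSEXESVC.exe",
     "new_process": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c C:\Windows\Temp\stage.bat"},
    {"host": "WS03", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    # Benign: a vendor service install that is not PsExec.
    {"host": "WS04", "event_id": 7045, "service_name": "VendorUpdater",
     "image_path": r"C:\Program Files\Vendor\updater.exe"},
    # Benign: cmd.exe started by explorer, not by the PsExec service stub.
    {"host": "WS04", "event_id": 4688,
     "parent_process": r"C:\Windows\explorer.exe",
     "new_process": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c dir"},
]

PSEXEC_SERVICE = "PSEXESVC"          # service name PsExec registers on the target
PSEXEC_STUB = "psexesvc.exe"         # binary it drops into the Windows directory
SCRIPT_EXT_RE = re.compile(r"\.(bat|cmd)\b", re.IGNORECASE)


def _basename(path):
    """Last component of a Windows or POSIX path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def psexec_service_installs(events):
    """Hosts where a 7045 event shows the PsExec service stub being installed.
    Matching on both the service name and the image basename catches the
    default PsExec as well as copies where only one of the two was renamed."""
    hosts = set()
    for ev in events:
        if ev.get("event_id") != 7045:
            continue
        if (ev.get("service_name", "").upper() == PSEXEC_SERVICE
                or _basename(ev.get("image_path", "")) == PSEXEC_STUB):
            hosts.add(ev["host"])
    return hosts


def scripts_run_by_psexec(events):
    """(host, command_line) pairs where a 4688 event shows a .bat/.cmd file
    launched with PSEXESVC.exe as the parent, i.e. a batch file executed
    remotely through PsExec, the step the report describes."""
    hits = []
    for ev in events:
        if ev.get("event_id") != 4688:
            continue
        if (_basename(ev.get("parent_process", "")) == PSEXEC_STUB
                and SCRIPT_EXT_RE.search(ev.get("command_line", ""))):
            hits.append((ev["host"], ev["command_line"]))
    return hits


def mass_psexec_alert(events, min_hosts=3):
    """True when PsExec was installed on at least min_hosts distinct hosts in
    the window covered by the events. A single PsExec run is routine admin
    work; the same stub landing fleet-wide is the fan-out pattern."""
    return len(psexec_service_installs(events)) >= min_hosts


def ransom_extension_hits(paths, ext=".aes128ctr"):
    """Paths carrying the appended extension seen on encrypted files."""
    return [p for p in paths if p.lower().endswith(ext.lower())]


if __name__ == "__main__":
    print("PsExec installed on:", sorted(psexec_service_installs(SAMPLE_EVENTS)))
    print("Batch files run via PsExec:", scripts_run_by_psexec(SAMPLE_EVENTS))
    print("Mass fan-out alert:", mass_psexec_alert(SAMPLE_EVENTS))
```

The threshold in mass_psexec_alert is the knob to tune per environment: legitimate PsExec use by administrators will trip the per-host checks, so the fleet-wide count (ideally bucketed by time and by the source account) is what separates routine administration from a domain-controller-driven push. Process-creation events only carry the command line when command-line auditing is enabled, so the batch-file check is silent on hosts without it.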
