A new strain of ransomware called MegaCortex has been found targeting attacks against entities in the US, Canada, France, Netherlands, Ireland, and Italy. The ransomware uses both automated as well as manual components in an effort to infect as many victims as possible.

According to security researchers at Sophos, who discovered the new MegaCortex campaign, the cybercriminals operating the ransomware appear to be fans of the movie Matrix, as the ransom note “reads like it was written in the voice and cadence of Lawrence Fishburne’s character, Morpheus.”

“The malware also employs the use of a long batch file to terminate running programs and kill a large number of services, many of which appear to be related to security or protection, which is becoming a common theme among current-generation ransomware families,” Sophos researcher Andrew Brandt said in a report.

FBI-malware
Hackers shut down two major gaming networks Christmas Day, much to the chagrin of holiday gamers everywhere. Reuters

The ransomware first appeared in January 2019, when it was uploaded on VirusTotal. MegaCortex attacks have kept escalating since then.

Since February, 76 confirmed MegaCortex attacks have been detected, of which, 47 attacks occurred just last week. Each of the attacks targeted a specific entity and may have compromised hundreds of systems.

“While the ransom note doesn’t mention a price the criminals are demanding, they do offer the victims “a consultation on how to improve your companies (sic) cyber security” and “a guarantee that your company will never be inconvenienced by us” — you know, in the future, after this really big inconveniencing they’re engaged in is all through,” Brandt wrote.

Sophos researchers believe that MegaCortex may have some links to the Emotet Qbot malware networks, although it is still unclear whether the malware strains are aiding MegaCortex in some way. Both Emotet and Qbot can serve as a malware delivery mechanism. Emotet has previously been used as such to deliver the Trickbot malware.

Some security experts believe that MegaCortex is being delivered via the malware loader Rietspoof, ZDNet reported. Sophos researchers believe that the attackers operating MegaCortex may also begin abusing Remote Desktop Protocol (RDP) to access and gain control of victims' machines. The researchers urged users to protect RDP machines by placing them behind a VPN.

“We’re still trying to develop a clearer picture of the infection process, but for now, it appears that there’s a strong correlation between the presence of MegaCortex, and a pre-existing, ongoing infection on the victims’ networks with both Emotet and Qbot,” Brandt said. “As the attack seems to indicate that an administrative password was abused by the criminals, we also recommend the widespread adoption of two-factor authentication for everything that currently requires just a password, and can use 2FA.”

RELATED STORIES
Canada Ransomware Cybercrime Security