MegaCortex Redesign Signals $5.8m Challenge to Firms
A new version of Matrix-themed ransomware MegaCortex is targeting organizations with demands of up to $5.8m to regain access to their encrypted data, according to Accenture researchers.
In version two, the authors have improved automation and usability and made it harder to stop, according to Leo Fernandes, senior manager of the firm’s iDefense Malware Analysis and Countermeasures (MAC) team.
One major change is the removal of the password requirement at installation time: the password that unlocks the payload is now hard-coded into the binary, so the operator no longer has to supply it on each infected host.
“The original version of MegaCortex had its main payload protected by a custom password that was only available during a live infection. As a result, this feature made the malware difficult for security vendors to analyze,” he explained.
“However, the password requirement also prevented the malware from being widely distributed worldwide and required the attackers to install the ransomware mostly through a sequence of manual steps on each targeted network.”
The ransomware has also been redesigned to self-execute, and there are some new anti-analysis features in the main module, as well as a more streamlined way to “stop and kill a wide range of security products and services.” Those kill steps no longer need to be manually executed as batch script files on each host.
“The changes in version two suggest that the malware authors traded some security for ease of use and automation. With a hard-coded password and the addition of an anti-analysis component, third parties or affiliated actors could, in theory, distribute the ransomware without the need for an actor-supplied password for the installation,” Fernandes explained.
“Indeed, potentially there could be an increase in the number of MegaCortex incidents if the actors decide to start delivering it through e-mail campaigns or dropped as a secondary stage by other malware families.”
This would be bad news for businesses, given that current ransom demands range anywhere from two to 600 Bitcoin (roughly $20,000 to $5.8m at the time of writing).
First revealed in May this year, MegaCortex takes its name from MetaCortex, the company where the hero Neo works in the cult '90s film The Matrix, and its ransom note contained various references to the film.
Source: Information Security Magazine