A new strain of MegaCortex ransomware is being used in targeted attacks on large enterprises. The campaign has seen a large number of attacks performed in the past week according to Sophos.
MegaCortex ransomware first surfaced in January 2019 and since then the number of attacks has grown steadily, although the past few days have seen a massive spike in attacks. Sophos reports that over a 48-hour period, 47 large enterprises were attacked across the United States, Canada, and Europe. At the time of posting, Sophos notes that there have been 76 confirmed attacks. That number will almost certainly have now grown.
This is the first time this variant of MegaCortex ransomware has been seen, and the encryption method and infection process are not yet fully understood. Sophos is still investigating, although a common denominator in several of the attacks was that the ransomware appears to have been distributed across the entire network using a compromised Windows domain controller, with stolen admin credentials used to launch PowerShell scripts via the controller.
Some victims have reported that Cobalt Strike is being deployed and used to create a reverse shell back to the attacker’s host. This allows the attackers to configure the domain controller to distribute the malware executable along with a batch file and PsExec. PsExec is then used to run the batch file which launches the ransomware.
Sophos notes that the batch files used in the attacks stop almost all Windows services and terminate processes prior to execution of the ransomware to help ensure the encryption process can proceed. Encrypted files are given the extension .aes128ctr and a corresponding .tsv file is created for each encrypted file with the same file name. The .tsv files appear to contain encrypted session keys that are required to unlock the encryption.
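The two file artifacts above (the .aes128ctr extension and the companion .tsv of the same name) can be turned into a simple host-side check. The following is an added example, not code from Sophos or from the article; it assumes the companion is named by swapping .aes128ctr for .tsv (the report gives only "the same file name"), and it pairs the two rather than alerting on .tsv alone, since legitimate tab-separated data shares that extension.

```python
import tempfile
from pathlib import Path

ENC_EXT = ".aes128ctr"  # extension MegaCortex gives encrypted files
KEY_EXT = ".tsv"        # companion file reported to hold the encrypted session key

def find_megacortex_artifacts(root):
    """Walk `root`, pair every X.aes128ctr with its X.tsv companion, and report
    encrypted files lacking a companion and .tsv files lacking an encrypted twin."""
    root = Path(root)
    encrypted = {p for p in root.rglob("*" + ENC_EXT) if p.is_file()}
    tsv_files = {p for p in root.rglob("*" + KEY_EXT) if p.is_file()}
    paired, orphan_enc = [], []
    for enc in sorted(encrypted):
        companion = enc.with_suffix(KEY_EXT)  # assumed naming: drop .aes128ctr, add .tsv
        if companion in tsv_files:
            paired.append((enc, companion))
            tsv_files.discard(companion)
        else:
            orphan_enc.append(enc)
    return {
        "encrypted": len(encrypted),
        "paired": paired,
        "orphan_encrypted": orphan_enc,
        "unmatched_tsv": sorted(tsv_files),
    }

def alert_level(report):
    """Triage: a matched pair is the high-confidence signal; a lone .aes128ctr
    file still deserves a look; stray .tsv files on their own do not."""
    if report["paired"]:
        return "HIGH"
    if report["orphan_encrypted"]:
        return "MEDIUM"
    return "NONE"

def build_sample_tree():
    """Constructed sample data: a throwaway tree mimicking a partly encrypted share."""
    root = Path(tempfile.mkdtemp(prefix="mc_demo_"))
    (root / "finance").mkdir()
    (root / "finance" / "q1.xlsx.aes128ctr").write_bytes(b"\x00" * 16)
    (root / "finance" / "q1.xlsx.tsv").write_bytes(b"\x00" * 16)
    (root / "hr").mkdir()
    (root / "hr" / "staff.docx.aes128ctr").write_bytes(b"\x00" * 16)  # companion missing
    (root / "hr" / "export.tsv").write_text("a\tb\n")  # legitimate tab-separated data
    return root

if __name__ == "__main__":
    report = find_megacortex_artifacts(build_sample_tree())
    print(alert_level(report), report["encrypted"], len(report["paired"]))
```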
Some attacks have seen the downloading of a malware loader named Rietspoof. It is currently unclear whether Rietspoof has been downloaded as a secondary payload or if Rietspoof has been used to download MegaCortex.
The attacks analyzed so far suggest that many of the attacked enterprises had already been infected with either the Qbot or Emotet Trojans, which suggests that the threat actors behind MegaCortex have teamed up with threat actors behind those Trojans and could be paying for access to enterprises.
Emotet has previously been used to download other malware variants, including Ryuk ransomware, so it is conceivable that those Trojans have been used to download MegaCortex.
In contrast to Ryuk and many other ransomware variants, when MegaCortex encrypts files, a ransom is not demanded as such. Instead, the threat actors offer the attacked entity consultancy services on how they can improve cybersecurity, along with software that can decrypt the files. If that ‘offer’ is accepted, the attackers claim they will guarantee that the victim will not be attacked again.
To demonstrate that the attackers have the ability to decrypt files, victims are told to send two random files via email along with their corresponding .tsv file and they will be decrypted free of charge.
Unlike many other ransomware campaigns, it appears that brute force tactics are not being used to gain access to enterprise computers via RDP. However, Sophos recommends that RDP machines should only be accessible using a VPN.
Since several attacks have used compromised admin credentials, Sophos recommends using 2FA across the board on internal networks. Naturally, in case of infection, it is essential that regular backups of all critical data are made and that at least one backup copy is stored offline on a non-networked device to ensure file recovery is possible without having to make payment.