
MegaCortex ransomware uncovered in Australia


By Dylan Bushell-Embling
Monday, 06 May, 2019



A new strain of ransomware has been detected infecting computers in Australia and multiple other markets, according to Sophos.

The ransomware, named MegaCortex, is distinguished by combining heavy use of automated tools with a manual component, in order to spread the infection to more victims more quickly.

Sophos’s ongoing investigation into the MegaCortex attacks suggests a correlation between the attacks and the presence on the same network of both the Emotet and Qbot malware families, the company said.

Both malware families can serve as a delivery vehicle for additional malware. Notably, Emotet is itself closely associated with the Trickbot credential-stealing malware. But there is not yet direct evidence that either is the source of the ransomware infections.

Victims instead report that the attacks were initiated from a compromised domain controller, and involved the use of stolen administrator credentials to execute a PowerShell script with three layers of obfuscation.

Behind this obfuscation is what appears to be a Cobalt Strike script that opens a Meterpreter reverse shell into the victim’s network, Sophos said. The attacker then uses the compromised domain controller to remotely issue commands to push and run a batch file on the rest of the computers on the network within reach.

This batch file is a list of commands that kills 44 processes, stops and disables nearly 200 different services, including a range of popular security software, and then finally launches a previously downloaded executable designed to drop and execute the DLL payload responsible for the malicious encryption.
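The batch-file stage described above leaves a distinctive footprint in process-creation telemetry: a burst of process-kill and service-stop commands on one host within seconds of each other, and, on the domain controller, an obfuscated PowerShell launch. The following detection heuristic is an added example for defenders, not Sophos tooling or code from the article. It runs over a constructed set of process-creation records; the record layout (timestamp, host, user, command line), the host and user names, the one-minute window and the threshold of five commands are all assumptions chosen for illustration.

```python
"""Flag hosts with a burst of kill/stop/disable commands, plus encoded PowerShell.

Added example, not Sophos's tooling. The tuple layout and sample data below are
constructed; a real deployment would read Sysmon event 1 or EDR process events.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation records: (timestamp, host, user, command line).
SAMPLE_EVENTS = [
    ("2019-05-01T02:14:03", "DC01", "CORP\\svc_admin",
     "powershell.exe -nop -w hidden -EncodedCommand <constructed-base64-blob>"),
    ("2019-05-01T02:15:10", "WS07", "CORP\\svc_admin", "cmd.exe /c C:\\Windows\\Temp\\run.bat"),
    ("2019-05-01T02:15:11", "WS07", "CORP\\svc_admin", "taskkill /F /IM sqlwriter.exe"),
    ("2019-05-01T02:15:11", "WS07", "CORP\\svc_admin", "taskkill /F /IM mysqld.exe"),
    ("2019-05-01T02:15:12", "WS07", "CORP\\svc_admin", 'net stop "SQL Server (MSSQLSERVER)" /y'),
    ("2019-05-01T02:15:12", "WS07", "CORP\\svc_admin", "sc config WinDefend start= disabled"),
    ("2019-05-01T02:15:13", "WS07", "CORP\\svc_admin", "sc stop WinDefend"),
    ("2019-05-01T02:15:14", "WS07", "CORP\\svc_admin", "net stop McAfeeFramework /y"),
    ("2019-05-01T02:15:20", "WS07", "CORP\\svc_admin", "C:\\Windows\\Temp\\payload.exe"),
    # Benign admin activity on another host: a single service restart, well under threshold.
    ("2019-05-01T09:30:00", "WS12", "CORP\\jsmith", "net stop Spooler"),
    ("2019-05-01T09:30:05", "WS12", "CORP\\jsmith", "net start Spooler"),
]

# Command shapes used to kill processes or stop/disable services from a batch file.
KILL_PATTERNS = [
    re.compile(r"^\s*taskkill(\.exe)?\b", re.I),
    re.compile(r"^\s*sc(\.exe)?\s+(stop|config)\b", re.I),
    re.compile(r"^\s*net1?(\.exe)?\s+stop\b", re.I),
]
# PowerShell launched with an encoded command line (one common obfuscation layer).
ENCODED_PS = re.compile(r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", re.I)


def is_kill_command(cmdline):
    """True if the command line kills a process or stops/disables a service."""
    return any(p.search(cmdline) for p in KILL_PATTERNS)


def is_encoded_powershell(cmdline):
    """True if the command line launches PowerShell with an encoded command."""
    return bool(ENCODED_PS.search(cmdline))


def detect_kill_bursts(events, window_seconds=60, threshold=5):
    """Return {host: finding} for hosts where at least `threshold` kill/stop
    commands ran inside any sliding window of `window_seconds`."""
    per_host = defaultdict(list)
    for ts, host, user, cmd in events:
        if is_kill_command(cmd):
            per_host[host].append((datetime.fromisoformat(ts), user))

    window = timedelta(seconds=window_seconds)
    findings = {}
    for host, hits in per_host.items():
        hits.sort()
        start, best, best_first = 0, 0, None
        for end in range(len(hits)):
            # Advance the window start until the span fits inside the window.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 > best:
                best, best_first = end - start + 1, hits[start]
        if best >= threshold:
            findings[host] = {
                "count": best,
                "user": best_first[1],
                "first": best_first[0].isoformat(),
            }
    return findings


def detect_encoded_powershell(events):
    """Return (host, user, timestamp) for every encoded PowerShell launch."""
    return [(host, user, ts) for ts, host, user, cmd in events if is_encoded_powershell(cmd)]


def triage(events):
    """Combine both signals into one report keyed by host."""
    report = {host: dict(f, signal="kill_burst") for host, f in detect_kill_bursts(events).items()}
    for host, user, ts in detect_encoded_powershell(events):
        report.setdefault(host, {"signal": "encoded_powershell", "user": user, "first": ts})
    return report


if __name__ == "__main__":
    for host, finding in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, finding)
```

On the constructed data the report flags WS07 for six kill/stop commands inside four seconds and DC01 for the encoded PowerShell launch, while WS12's single printer-spooler restart stays below the threshold. The threshold and window are the tuning knobs: a legitimate maintenance script can also stop several services, so in practice the burst signal is best correlated with the originating user and parent process rather than treated as a verdict on its own.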

Unlike most ransomware, the notification generated by MegaCortex does not include a demand for a specific sum. It instead invites victims to email two addresses for more information. The attackers also claim they will provide a “guarantee” that the victim will never again be attacked, as well as a “consultation on how to improve your companies [sic] cyber security”.

“We suspect this is your script kiddie/living-off-the-land ‘mega bundle’ and a good example of what we’ve lately been calling cybercriminal pen-testing. The MegaCortex attackers have taken the blended threat approach and turned it up to 11, by increasing the automated component to target more victims,” Sophos Senior Security Advisor John Shier said.

“Once they have your admin credentials, there’s no stopping them. Launching the attack from your own domain controller is a great way for the attackers to inherit all the authority they need to impact everything in an organisation. Organisations need to pay attention to basic security controls and perform security assessments, before the criminals do, to prevent attackers like these from slipping through.”

Sophos has issued recommendations including prioritising alerts about Emotet or Qbot infections, ensuring Remote Desktop Protocol (RDP) is protected behind a VPN, implementing two-factor authentication for administrative accounts, keeping regular backups of data, and using specific ransomware protection software.

Image credit: ©stock.adobe.com/au/ArtemSam
