silversurfer

Level 53
Verified
Trusted
Content Creator
Malware Hunter
A sample of the ransomware called MegaCortex that is known to target the enterprise in targeted attacks has been found and analyzed. In this article, we will provide a brief look at the MegaCortex Ransomware and how it encrypts a computer.

When modern ransomware was first released, attackers would distribute the malware in a wide net in order to catch as many victims as possible. Over the past year, ransomware has evolved into more targeted enterprise attacks that have been earning extremely large payouts. Due to these payouts, we continue to see new players in the targeted ransomware scene.

While Ryuk, BitPaymer, and Sodinokibi have become commonly known as "enterprise ransomware", the MegaCortex Ransomware is less known. This article will hopefully shed some light on how it operates.
Read more below:
 

JB007

Level 17
Verified
Just waiting until tonight and probably almost all common AVs will detect it by signatures!
Currently, it may already be known to cloud detections by some more AVs or even be intercepted by behavior blockers...
Hello @silversurfer
I'm sure that you are right but waiting 12 or more hours before being detected by the "best" anti-virus gives me great chills :unsure:
 

silversurfer

Level 53
Verified
Trusted
Content Creator
Malware Hunter
Hello @silversurfer
I'm sure that you are right but waiting 12 or more hours before being detected by the "best" anti-virus gives me great chills :unsure:
I meant, you don't have to worry about the signature protection of any AV, because probably even more AVs already detect it by BB or cloud, which aren't always included by all AV vendors on VT. Behavior-blocker detection seems never to be included by any AV there on VirusTotal.
 

JB007

Level 17
Verified
I meant, you don't have to worry about the signature protection of any AV, because probably even more AVs already detect it by BB or cloud, which aren't always included by all AV vendors on VT. Behavior-blocker detection seems never to be included by any AV there on VirusTotal.
Thanks @silversurfer
I'm not sure I know how VT works... :unsure:
Just checked and got 22/67! Including Bitdefender and G Data, but not Kaspersky, ESET, F-Secure... :eek:
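Reading a VirusTotal report programmatically, as an added example that is not part of this thread and not VirusTotal's own code. It parses the shape of a v3 /files/{sha256} report (data.attributes.last_analysis_results) from a constructed, shortened mock: the engine names are real VT engine names, but every verdict is invented for illustration and says nothing about the real MegaCortex sample. The rule that the "67" in "22/67" only counts engines that actually scanned the file (type-unsupported, failure and timeout left out) is an assumption to cross-check against last_analysis_stats on a real report. The point the code makes is the one under discussion: a vendor that is absent from the list, a vendor whose command-line engine said "undetected", and a vendor whose engine could not scan the file are three different answers, none of which says what that vendor's desktop product with behavior blocking would do.

```python
"""Read a VirusTotal v3 file report and compute the '22/67' style ratio.

Added example, not code from the forum thread or from VirusTotal. The
input is a constructed, shortened mock of the v3 /files/{sha256} response
(data.attributes.last_analysis_results). The engine names are real VT
engine names, but every verdict below is invented for illustration and
says nothing about the real MegaCortex sample.
"""
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample: six engines instead of the ~70 VT actually runs.
MOCK_VT_RESPONSE = json.dumps({
    "data": {
        "type": "file",
        "id": "0" * 64,  # placeholder sha256, not a real sample hash
        "attributes": {
            "last_analysis_results": {
                "BitDefender": {"category": "malicious", "method": "blacklist",
                                "result": "Trojan.GenericKD"},
                "GData": {"category": "malicious", "method": "blacklist",
                          "result": "Trojan.GenericKD"},
                "Kaspersky": {"category": "undetected", "method": "blacklist",
                              "result": None},
                "ESET-NOD32": {"category": "undetected", "method": "blacklist",
                               "result": None},
                "F-Secure": {"category": "undetected", "method": "blacklist",
                             "result": None},
                # Android-only engines report type-unsupported for a Windows PE.
                "Avast-Mobile": {"category": "type-unsupported", "method": "blacklist",
                                 "result": None},
            }
        }
    }
})

FLAGGED = {"malicious", "suspicious"}
NOT_FLAGGED = {"undetected", "harmless"}
# Assumption: the displayed denominator counts only engines that actually
# scanned the file, so type-unsupported / failure / timeout are left out.
# Cross-check against last_analysis_stats on a real report before relying on it.


def parse_results(raw_json: str) -> Dict[str, dict]:
    """Per-engine result objects from a v3 file report."""
    doc = json.loads(raw_json)
    return doc["data"]["attributes"]["last_analysis_results"]


def detection_ratio(results: Dict[str, dict]) -> Tuple[int, int]:
    """(flagged, scanned): the two numbers behind a '22/67' ratio."""
    flagged = sum(1 for r in results.values() if r["category"] in FLAGGED)
    scanned = sum(1 for r in results.values()
                  if r["category"] in FLAGGED | NOT_FLAGGED)
    return flagged, scanned


def format_ratio(results: Dict[str, dict]) -> str:
    """Render the ratio the way the VT web UI shows it."""
    flagged, scanned = detection_ratio(results)
    return f"{flagged}/{scanned}"


def engines_by_verdict(results: Dict[str, dict]) -> Dict[str, List[str]]:
    """Group engine names so 'who missed it' and 'who could not scan' stay separate."""
    groups: Dict[str, List[str]] = {"flagged": [], "not_flagged": [], "did_not_scan": []}
    for name, r in sorted(results.items()):
        cat = r["category"]
        if cat in FLAGGED:
            groups["flagged"].append(name)
        elif cat in NOT_FLAGGED:
            groups["not_flagged"].append(name)
        else:
            groups["did_not_scan"].append(name)
    return groups


def verdict_for(results: Dict[str, dict], vendor: str) -> Optional[Tuple[str, str]]:
    """Case-insensitive substring lookup ('eset' -> 'ESET-NOD32').

    Returns (engine_name, category), or None when no VT engine matches at
    all, which is a different answer from 'undetected': a vendor that is
    not on VT has not missed anything, it simply was not asked.
    """
    needle = vendor.lower()
    for name, r in results.items():
        if needle in name.lower():
            return name, r["category"]
    return None


if __name__ == "__main__":
    res = parse_results(MOCK_VT_RESPONSE)
    print("ratio:", format_ratio(res))
    for verdict, names in engines_by_verdict(res).items():
        print(f"{verdict:13s} {', '.join(names) or '-'}")
    for vendor in ("kaspersky", "eset", "f-secure", "sophos"):
        print(vendor, "->", verdict_for(res, vendor))
```

On a real report, replace MOCK_VT_RESPONSE with the JSON returned by GET https://www.virustotal.com/api/v3/files/{sha256} (an x-apikey header is required); nothing else in the block needs to change.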
 

Burrito

Level 21
Verified
That's right, VT is based on signatures, there is no behavior detector.
Yes Bribon77.

And I looked it up... here is the deal..

‘At VirusTotal we are tired of repeating that the service was not designed as a tool to perform antivirus comparative analyses, but as a tool that checks suspicious samples with several antivirus solutions and helps antivirus labs by forwarding them the malware they fail to detect. Those who use VirusTotal to perform antivirus comparative analyses should know that they are making many implicit errors in their methodology, the most obvious being:

‘VirusTotal’s antivirus engines are commandline versions, so depending on the product, they will not behave exactly the same as the desktop versions: for instance, desktop solutions may use techniques based on behavioural analysis and count with personal firewalls that may decrease entry points and mitigate propagation, etc.

‘In VirusTotal desktop-oriented solutions coexist with perimeter-oriented solutions; heuristics in this latter group may be more aggressive and paranoid, since the impact of false positives is less visible in the perimeter. It is simply not fair to compare both groups.

‘Some of the solutions included in VirusTotal are parametrized (in coherence with the developer company’s desire) with a different heuristic/aggressiveness level than the official end-user default configuration.

‘These are just three examples illustrating why using VirusTotal for antivirus testing is a bad idea.’

So VT is much like our testing in Malware Hub.... there is some good info that is produced, but it's not really complete data. Still informative and interesting nonetheless.
 

bribon77

Level 29
Verified
So VT is much like our testing in Malware Hub.
I think in this case it is NOT. In the tests in Malware Hub, the complete AV is installed in a virtual machine and the AV has all the functions, including the behavior detector.
While VT is based only on signatures: what has already been detected is included in the signature base, which can take hours.
 

Burrito

Level 21
Verified
I think in this case it is NOT. In the tests in Malware Hub, the complete AV is installed in a virtual machine and the AV has all the functions, including the behavior detector.
While VT is based only on signatures: what has already been detected is included in the signature base, which can take hours.
As Fabian from Emsisoft once remarked.... 'malware doesn't just appear.'

There is an attack vector.

Does the malware come in through email, from an ad, from a drive-by, from a USB, through Office... does the malware show a certain behavior at a point in the process..

Suites can defend against multiple types of attack by multiple methods at multiple points.

Mostly in Malware Hub... malware just appears.
 

silversurfer

Level 53
Verified
Trusted
Content Creator
Malware Hunter
I think in this case it is NOT. In the tests in Malware Hub, the complete AV is installed in a virtual machine and the AV has all the functions, including the behavior detector.
While VT is based only on signatures: what has already been detected is included in the signature base, which can take hours.
Agree, except that we cannot test the full power of web protections correctly, because the files aren't downloaded (drive-by) from the web.
 