Elusive MegaCortex Ransomware Found - Here is What We Know

silversurfer

A sample of the ransomware called MegaCortex that is known to target the enterprise in targeted attacks has been found and analyzed. In this article, we will provide a brief look at the MegaCortex Ransomware and how it encrypts a computer.

When modern ransomware was first released, attackers would distribute the malware in a wide net in order to catch as many victims as possible. Over the past year, ransomware has evolved into more targeted enterprise attacks that have been earning extremely large payouts. Due to these payouts, we continue to see new players in the targeted ransomware scene.

While Ryuk, BitPaymer, and Sodinokibi have become commonly known as "enterprise ransomware", the MegaCortex Ransomware is less known. This article will hopefully shed some light on how it operates.

Burrito

Hello,
ESET, F-Secure, Kaspersky, Bitdefender, G Data did not detect this threat :eek:

Welll...... maybe.

I believe (but I'm not sure) that Virus Total works off strictly hashes or signatures. So an AVs ability to detect it using a behavior block would not be reflected.

Maybe somebody with more VT knowledge can jump in and tell me if that is correct.
 

silversurfer

Hello,
ESET, F-Secure, Kaspersky, Bitdefender, G Data did not detect this threat :eek:
Just wait until tonight and probably almost all common AVs will detect it by signatures!
Currently, it may already be known to the cloud detections of some more AVs, or even be intercepted by behavior blockers...
 

JB007

Just wait until tonight and probably almost all common AVs will detect it by signatures!
Currently, it may already be known to the cloud detections of some more AVs, or even be intercepted by behavior blockers...
Hello @silversurfer
I'm sure that you are right, but waiting 12 or more hours before it is detected by the "best" anti-virus gives me great chills :unsure:
 

silversurfer

Hello @silversurfer
I'm sure that you are right, but waiting 12 or more hours before it is detected by the "best" anti-virus gives me great chills :unsure:
I meant that you don't have to worry about the signature protection of any AV, because probably even more AVs already detect it by BB or cloud, which aren't always included by all AV vendors on VT. Behavior-blocker detection seems never to be included by any AV there on VirusTotal.
 

JB007

I meant that you don't have to worry about the signature protection of any AV, because probably even more AVs already detect it by BB or cloud, which aren't always included by all AV vendors on VT. Behavior-blocker detection seems never to be included by any AV there on VirusTotal.
Thanks @silversurfer
I'm not sure I know how VT works ??? :unsure:
Just checked and got 22/67! Bitdefender and G Data included, but not Kaspersky, Eset, F-Secure...:eek:
 

bribon77

Welll...... maybe.

I believe (but I'm not sure) that Virus Total works off strictly hashes or signatures. So an AVs ability to detect it using a behavior block would not be reflected.

Maybe somebody with more VT knowledge can jump in and tell me if that is correct.
That's right, VT is based on signatures; there is no behavior detector.
 

Burrito

That's right, VT is based on signatures; there is no behavior detector.

Yes Bribon77.

And I looked it up... here is the deal..

‘At VirusTotal we are tired of repeating that the service was not designed as a tool to perform antivirus comparative analyses, but as a tool that checks suspicious samples with several antivirus solutions and helps antivirus labs by forwarding them the malware they fail to detect. Those who use VirusTotal to perform antivirus comparative analyses should know that they are making many implicit errors in their methodology, the most obvious being: ‘VirusTotal’s antivirus engines are commandline versions, so depending on the product, they will not behave exactly the same as the desktop versions: for instance, desktop solutions may use techniques based on behavioural analysis and count with personal firewalls that may decrease entry points and mitigate propagation, etc. ‘In VirusTotal desktop-oriented solutions coexist with perimeter-oriented solutions; heuristics in this latter group may be more aggressive and paranoid, since the impact of false positives is less visible in the perimeter. It is simply not fair to compare both groups. ‘Some of the solutions included in VirusTotal are parametrized (in coherence with the developer company’s desire) with a different heuristic/aggressiveness level than the official end-user default configuration. ‘These are just three examples illustrating why using VirusTotal for antivirus testing is a bad idea.’


So VT is much like our testing in Malware Hub.... there is some good info that is produced, but it's not really complete data. Still informative and interesting nonetheless.
 

bribon77

So VT is much like our testing in Malware Hub.

I think in this case it is NOT. In the tests in Malware Hub, the complete AV is installed in a virtual machine and the AV has all its functions, including the behavior detector.
VT, on the other hand, is based only on signatures: what has already been detected is included in the signature base, which can take hours.
 
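The difference bribon77 describes (VT reporting only static, signature-style verdicts, while an installed suite also has a behaviour blocker watching what the sample does) can be made concrete. The Python below is an added example written for this thread; it is not code from the BleepingComputer article, from the MegaCortex sample, or from any vendor's product. The hashes, file paths, process names and event stream are constructed for the demo, and the two behaviour rules (shadow-copy deletion and files getting a new extension across several directories) are generic ransomware heuristics chosen for illustration, not a description of how any named AV works.

```python
"""Added example: why a static, signature-style check and a behaviour
blocker disagree on a freshly compiled ransomware build.  Everything below
(hashes, paths, events) is constructed; nothing comes from MegaCortex."""
import hashlib
import posixpath
from collections import defaultdict

# Constructed "signature database": SHA-256 of a build the vendor has already seen.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-ransomware-build-A").hexdigest()}

# Constructed bytes standing in for a newly compiled, never-submitted build.
NEW_SAMPLE = b"constructed-ransomware-build-B"


def static_verdict(sample_bytes: bytes) -> bool:
    """Signature-style check, the only kind a hash lookup can give.
    A recompiled build with a new hash is missed until a signature ships."""
    return hashlib.sha256(sample_bytes).hexdigest() in KNOWN_BAD_SHA256


# Constructed host event stream: (pid, event_kind, detail).
# pid 1234 models the new build at run time; pid 777 models a user renaming one file.
EVENTS = [
    (777, "rename", ("/home/alice/notes.txt", "/home/alice/notes-old.txt")),
    (1234, "process", "vssadmin.exe delete shadows /all /quiet"),
    (1234, "rename", ("/srv/share/finance/q1.xlsx", "/srv/share/finance/q1.xlsx.locked")),
    (1234, "rename", ("/srv/share/finance/q2.xlsx", "/srv/share/finance/q2.xlsx.locked")),
    (1234, "rename", ("/srv/share/hr/payroll.docx", "/srv/share/hr/payroll.docx.locked")),
    (1234, "rename", ("/srv/share/legal/nda.pdf", "/srv/share/legal/nda.pdf.locked")),
    (1234, "rename", ("/srv/share/it/inventory.csv", "/srv/share/it/inventory.csv.locked")),
    (1234, "rename", ("/srv/share/sales/leads.csv", "/srv/share/sales/leads.csv.locked")),
    (1234, "write", "/srv/share/sales/README_DECRYPT.txt"),
]

# Distinct directories that must see extension changes before the rule fires (assumed value).
RENAME_DIR_THRESHOLD = 4


def behaviour_verdict(events, dir_threshold=RENAME_DIR_THRESHOLD):
    """Behaviour-blocker-style rules evaluated per process over the event stream.
    Returns {pid: reason} for every process that trips a rule; no hash is consulted."""
    dirs_touched = defaultdict(set)  # pid -> directories where a file got a new extension
    flagged = {}
    for pid, kind, detail in events:
        if kind == "process":
            cmd = detail.lower()
            # Destroying backups before encrypting is a classic ransomware tell.
            if "vssadmin" in cmd and "delete shadows" in cmd:
                flagged.setdefault(pid, "shadow-copy deletion via vssadmin")
        elif kind == "rename":
            src, dst = detail
            # Only count renames that change the extension (q1.xlsx -> q1.xlsx.locked),
            # so an ordinary notes.txt -> notes-old.txt rename does not accumulate.
            if posixpath.splitext(src)[1] != posixpath.splitext(dst)[1]:
                dirs_touched[pid].add(posixpath.dirname(src))
                if len(dirs_touched[pid]) >= dir_threshold:
                    flagged.setdefault(
                        pid, f"mass re-extension across {len(dirs_touched[pid])} directories"
                    )
    return flagged


if __name__ == "__main__":
    print("static verdict on the new build:", static_verdict(NEW_SAMPLE))
    print("behaviour verdicts:", behaviour_verdict(EVENTS))
```

Run stand-alone, the static check returns False for the new build (its hash is not in the database yet), while the behaviour rules flag pid 1234 on the shadow-copy command and would still flag it on the extension changes alone; the benign rename by pid 777 never accumulates. That is the gap between a VT ratio taken minutes after a sample appears and what a fully installed suite in a Malware Hub VM can react to.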

Burrito

I think in this case it is NOT. In the tests in Malware Hub, the complete AV is installed in a virtual machine and the AV has all its functions, including the behavior detector.
VT, on the other hand, is based only on signatures: what has already been detected is included in the signature base, which can take hours.

As Fabian from Emsisoft once remarked.... 'malware doesn't just appear.'

There is an attack vector.

Does the malware come in through email, from an ad, from a drive-by, from a USB, through Office... does the malware show a certain behavior at a point in the process..

Suites can defend against multiple types of attack by multiple methods at multiple points.

Mostly in Malware Hub... malware just appears.
 

silversurfer

I think in this case it is NOT. In the tests in Malware Hub, the complete AV is installed in a virtual machine and the AV has all its functions, including the behavior detector.
VT, on the other hand, is based only on signatures: what has already been detected is included in the signature base, which can take hours.
Agree, except that we cannot test the full power of web protections correctly, because the files aren't downloaded (drive-by) from the web.
 
