MegaCortex ransomware distracts victims with Matrix film references


It’s easy to forget that malware authors are regular human beings with hobbies and interests – not that different from their many victims, in fact.

Take the tendency to embed references to popular culture in malware, as the creator of a new strain of ransomware called MegaCortex has done.

Film buffs will recognise the name: it is a play on MetaCortex, the faceless software corporation that employs Neo, the hero-hacker who swallows the red pill in The Matrix, the pill itself being a veiled pop-philosophical reference to notions of choice and free will.

In the case of MegaCortex, instances of which SophosLabs has seen ticking up significantly in the last week, the idea of choice under pressure is apt. Anyone infected is confronted with a ransom note written in a style reminiscent of The Matrix’s Morpheus character:

Your companies (sic) cyber defense systems have been weighed, measured and have been found wanting. The breach is the result of grave neglect of security protocols.

And:

We can only show you the door. You’re the one who has to walk through it.

The posturing pomposity is, of course, all part of a psychological game in which the attackers attempt to project the idea that they, not the victim, are in control.

One moment, the defenders’ network looked secure. The next, as if out of nowhere, the ransom note pops up. For any organisation that isn’t anticipating this sort of attack, it’s easy to be put at a disadvantage by such a surprise tactic.

The tactic is to keep defenders in this state for as long as possible using distraction, ideally until they pay up. If that means bombarding them with gratuitous film references, so be it.

The desert of the real

Strip away the pretence and vanity and MegaCortex is simply an example of the ransomware modus operandi, which after its early boom a few years ago has become increasingly, and often highly, targeted.

For example, at least one of the attacks detected by SophosLabs in recent days used credentials stolen from a domain controller, which implies that the attackers were ‘hands on’.

It also underlines that they spent time hunting for those credentials, which were the starting point for the whole attack.

SophosLabs speculates that there is a correlation between MegaCortex and the presence of Emotet and Qbot malware on the same networks, one of which might be acting as its delivery system.

That has yet to be confirmed, but if correct it would be just the latest example of how vicious ransomware can appear unbidden on the back of larger distribution platforms.

MegaCortex is a good example of industrial ransomware that isn’t going away even if attention has moved on to what look like bigger and badder things.

In recent months, here at Naked Security we covered a number of severe attacks, including that on a swathe of US newspapers that delayed their publication, and more recently, GandCrab.

Avoiding ending up as another stat on the victim list takes some work, a checklist for which you can read on our coverage of the prolific and distinctively manual SamSam.

There is no single takeaway from this so much as lots of small ones that together can make the difference. However, paying close attention to the security of privileged accounts is a good place to start.
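The domain controller credentials mentioned above, and the "hands on" activity they enable, leave traces in the Windows Security log long before a ransom note appears: an admin-equivalent logon from a host that is not an admin workstation, an account quietly added to a privileged group, and one account fanning out across many servers in a few minutes. The script below, an added example that is not from the original article or from SophosLabs, runs three such checks over a constructed batch of events. Its field names (`user`, `host`, `src`, `logon_id`) are simplified stand-ins for TargetUserName, Computer, WorkstationName and LogonId, and the admin-workstation allow-list, group list and fan-out thresholds are assumptions a real deployment would tune.

```python
"""Triage Windows Security events for the privileged-account abuse that a
hands-on intruder with stolen domain credentials tends to leave behind.
Added illustration; SAMPLE_EVENTS are constructed, not real logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs from the Windows Security log:
#   4624  successful logon (logon_type 3 = network, 10 = RDP); carries a LogonId
#   4672  special privileges assigned to new logon (admin-equivalent token)
#   4728 / 4732  member added to a security-enabled global / local group
# Assumed policy values for this example:
ADMIN_HOSTS = {"PAW01", "PAW02"}            # only hosts admins may log on from
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins",
                     "Administrators", "Schema Admins"}
FANOUT_MIN_HOSTS = 5                        # distinct hosts ...
FANOUT_WINDOW = timedelta(minutes=10)       # ... reached within this window

SAMPLE_EVENTS = [  # constructed sample data
    # An admin working from a tier-0 workstation: expected behaviour.
    {"id": 4624, "time": "2019-05-01T08:15:00", "user": "CORP\\admin.jane",
     "host": "DC01", "src": "PAW01", "logon_type": 10, "logon_id": "0x3e7a1"},
    {"id": 4672, "time": "2019-05-01T08:15:00", "user": "CORP\\admin.jane",
     "host": "DC01", "logon_id": "0x3e7a1"},
    {"id": 4624, "time": "2019-05-01T08:16:00", "user": "CORP\\admin.jane",
     "host": "FS01", "src": "PAW01", "logon_type": 3, "logon_id": "0x3e7b0"},
    {"id": 4624, "time": "2019-05-01T09:30:00", "user": "CORP\\admin.jane",
     "host": "FS02", "src": "PAW01", "logon_type": 3, "logon_id": "0x3e7c4"},
    # A service account gets an admin token on the DC from an ordinary
    # workstation at 02:03, adds itself to Administrators, then within five
    # minutes logs on over the network to five more servers.
    {"id": 4624, "time": "2019-05-01T02:03:00", "user": "CORP\\svc_backup",
     "host": "DC01", "src": "WS-0412", "logon_type": 3, "logon_id": "0x9c1f2"},
    {"id": 4672, "time": "2019-05-01T02:03:00", "user": "CORP\\svc_backup",
     "host": "DC01", "logon_id": "0x9c1f2"},
    {"id": 4732, "time": "2019-05-01T02:04:30", "user": "CORP\\svc_backup",
     "host": "DC01", "group": "Administrators", "member": "CORP\\svc_backup"},
    *[{"id": 4624, "time": t, "user": "CORP\\svc_backup", "host": h,
       "src": "DC01", "logon_type": 3, "logon_id": f"0x1a00{i}"}
      for i, (t, h) in enumerate([("2019-05-01T02:06:00", "FS01"),
                                  ("2019-05-01T02:06:20", "FS02"),
                                  ("2019-05-01T02:06:40", "APP01"),
                                  ("2019-05-01T02:07:00", "APP02"),
                                  ("2019-05-01T02:08:00", "SQL01")])],
    # A helpdesk change to a non-privileged group: ignored by these checks.
    {"id": 4732, "time": "2019-05-01T09:00:00", "user": "CORP\\helpdesk",
     "host": "TS01", "group": "Remote Desktop Users", "member": "CORP\\bob"},
]


def privileged_logons_off_paw(events, admin_hosts=ADMIN_HOSTS):
    """4672 events whose matching 4624 (joined on logon_id) came from a host
    outside the admin-workstation allow-list. A 4672 with no 4624 in the
    batch is reported too, with src None, rather than silently dropped."""
    sessions = {e["logon_id"]: e for e in events if e["id"] == 4624}
    hits = []
    for e in events:
        if e["id"] != 4672:
            continue
        src = sessions.get(e["logon_id"], {}).get("src")
        if src not in admin_hosts:
            hits.append({"time": e["time"], "user": e["user"],
                         "host": e["host"], "src": src})
    return hits


def privileged_group_changes(events, groups=PRIVILEGED_GROUPS):
    """Membership additions to any group in the privileged set."""
    return [e for e in events if e["id"] in (4728, 4732) and e["group"] in groups]


def lateral_fanout(events, min_hosts=FANOUT_MIN_HOSTS, window=FANOUT_WINDOW):
    """Accounts whose network logons (type 3) reach >= min_hosts distinct
    hosts inside `window`. Returns {user: sorted hosts} for the first such
    window per user."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 3:
            by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["host"]))
    hits = {}
    for user, logons in by_user.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[user] = sorted(hosts)
                break
    return hits


def triage(events):
    """Run all three checks and return (rule, subject, detail) tuples."""
    alerts = [("PRIV_LOGON_OFF_PAW", h["user"], h["src"])
              for h in privileged_logons_off_paw(events)]
    alerts += [("PRIV_GROUP_CHANGE", e["member"], e["group"])
               for e in privileged_group_changes(events)]
    alerts += [("LATERAL_FANOUT", user, len(hosts))
               for user, hosts in lateral_fanout(events).items()]
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(*alert)
```

Run stand-alone it prints three alerts, all for the service account: the privileged logon from WS-0412, the self-addition to Administrators, and the six-host fan-out that started on the DC. The legitimate admin trips none of them. The join of 4672 to 4624 on LogonId matters in practice because 4672 alone does not say where the session came from; the fan-out threshold is the knob that separates a backup job from someone pushing a payload to every server they can reach.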

As The Matrix’s Morpheus observed:

Believe me when I say we have a difficult time ahead of us. But if we are to be prepared for it, we must first shed our fear of it.

Sophos protects

Sophos Antivirus detects these samples as Bat/Agent-BBIY, Troj/Agent-BBIZ, Troj/Agent-BAWS, and Troj/Ransom-FJQ. Sophos Intercept X protects against MegaCortex ransomware.
