UPDATED 21:48 EDT / MAY 06 2019

SECURITY

‘Matrix’-themed MegaCortex ransomware rapidly spreading across corporate networks

A recently discovered ransomware family has been observed spreading rapidly across corporate networks, in an attack that may be tied to an earlier campaign that seeded those same networks with remote access Trojans.

The ransomware, called MegaCortex, a play on MetaCortex, the company Neo worked for in the original “The Matrix” movie, was first observed spreading rapidly by researchers at SophosLabs late last week.

MegaCortex is notable for how it is distributed: a combination of automated tooling and hands-on-keyboard activity that the researchers say they had not seen before. Ransomware attacks are usually either fully automated, fully manual, or a blend of the two, with targeted attacks leaning towards manual hacking techniques. MegaCortex relies heavily on automation but retains a manual component.

Another distinguishing feature is that MegaCortex targets corporations rather than individual users, and it may be leveraging networks that were already compromised in an earlier attack using the Emotet and Qbot malware. Emotet was last in the news in March, when it was described as an advanced, modular banking trojan that primarily functions as a downloader or dropper for other banking trojans but can also be used to steal other types of data.

“If you are seeing alerts about Emotet or Qbot infections, those should take a high priority,” the researchers warned. “Both of those bots can be used to distribute other malware, and it’s possible that’s how the MegaCortex infections got their start.”

The “Matrix” theme does not stop with the name of the ransomware. The ransom note itself overlays text on a picture of Morpheus (pictured), a main character in the movie series.

Brandon Levene, head of applied intelligence at Chronicle LLC, the parent company of VirusTotal, told SiliconANGLE that MegaCortex may be related to the same people behind Rietspoof, a malware family first detected in August.

“While there are no earlier samples of MegaCortex available, the same signer certificate is used in both the Rietspoof loader and MegaCortex samples dating back to at least Jan. 22,” Levene explained. “This means it is highly likely that the people using Rietspoof with that signature are also using MegaCortex. I can’t say definitively that the same threat actors are behind both Rietspoof and MegaCortex, but this finding solidifies a correlation.”
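The pivot Levene describes, linking two malware families through a code-signing certificate they share, is something an analyst can reproduce locally over a folder of samples. The block below is an added example written for this page; it is not code from Sophos, Chronicle or VirusTotal. It assumes a minimal, standard-library-only DER walker (no high-tag-number or indefinite-length forms), a shape heuristic for spotting X.509 Certificate structures inside the Authenticode PKCS#7 blob, and hand-built PE and PKCS#7 fixtures that are constructed test data rather than real binaries or certificates.

```python
"""Pivot on code-signing certificates shared across PE samples (added example, stdlib only)."""
import hashlib
import struct


def der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(buf):
    """Top-level TLVs of a constructed value, as a list of (tag, value, raw_bytes)."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, end = der_tlv(buf, pos)
        out.append((tag, value, buf[pos:end]))
        pos = end
    return out


def der_walk(buf):
    """Yield every TLV in buf, descending into constructed values (tag bit 5 set)."""
    for tag, value, raw in der_children(buf):
        yield tag, value, raw
        if tag & 0x20:
            yield from der_walk(value)


def looks_like_certificate(tag, value):
    """Heuristic (assumption): Certificate ::= SEQUENCE { tbs SEQUENCE, sigAlg SEQUENCE, sig BIT STRING }."""
    return tag == 0x30 and [t for t, _, _ in der_children(value)] == [0x30, 0x30, 0x03]


def cert_thumbprint(cert_der):
    """SHA-256 of the certificate's DER, the value sample-intelligence pivots key on."""
    return hashlib.sha256(cert_der).hexdigest()


def authenticode_blob(pe):
    """Return the PKCS#7 SignedData from the PE security directory, or None if unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 24                                  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)         # data directory start: PE32+ vs PE32
    if struct.unpack_from("<I", pe, dirs - 4)[0] <= 4:   # NumberOfRvaAndSizes must cover index 4
        return None
    sec_off, sec_size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # SECURITY entry holds a file offset
    if sec_off == 0 or sec_size == 0:
        return None
    length, _rev, cert_type = struct.unpack_from("<IHH", pe, sec_off)  # WIN_CERTIFICATE header
    if cert_type != 0x0002:                              # WIN_CERT_TYPE_PKCS_SIGNED_DATA
        return None
    return pe[sec_off + 8:sec_off + length]


def signer_thumbprints(pe):
    """Thumbprints of every certificate carried in the PE's Authenticode signature."""
    blob = authenticode_blob(pe)
    if blob is None:
        return set()
    return {cert_thumbprint(raw) for tag, value, raw in der_walk(blob) if looks_like_certificate(tag, value)}


def shared_signers(samples):
    """samples: {label: pe_bytes}. Thumbprints seen in more than one sample, with the samples they link."""
    by_cert = {}
    for label, pe in samples.items():
        for tp in signer_thumbprints(pe):
            by_cert.setdefault(tp, set()).add(label)
    return {tp: sorted(labels) for tp, labels in by_cert.items() if len(labels) > 1}


# ---- constructed fixtures: not real certificates or binaries ----
def der(tag, content):
    """Encode one DER TLV with definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def fake_certificate(subject):
    """DER with the outer shape of an X.509 Certificate; every field is a placeholder."""
    tbs = der(0x30, der(0x02, b"\x02") + der(0x0C, subject))
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    return der(0x30, tbs + alg + der(0x03, b"\x00" + b"\x11" * 16))


def fake_signed_data(cert_der):
    """PKCS#7 ContentInfo(signedData) shell carrying one certificate in [0] IMPLICIT certificates."""
    signed = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0xA0, cert_der))
    return der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02") + der(0xA0, signed))


def build_pe(pkcs7=b""):
    """Minimal PE32+ image; if pkcs7 is given, the security directory points at it."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80) + b"\x00" * 64     # e_lfanew = 0x80
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)            # SizeOfOptionalHeader = 112 + 16*8
    opt = struct.pack("<H", 0x20B) + b"\x00" * 106 + struct.pack("<I", 16)   # magic ... NumberOfRvaAndSizes
    sec_off = 0x80 + 4 + 20 + 240                                            # signature sits right after the headers
    wincert = (struct.pack("<IHH", 8 + len(pkcs7), 0x0200, 0x0002) + pkcs7) if pkcs7 else b""
    sec_dir = struct.pack("<II", sec_off, len(wincert)) if pkcs7 else b"\x00" * 8
    return dos + b"PE\0\0" + coff + opt + (b"\x00" * 32 + sec_dir + b"\x00" * 88) + wincert
```

`shared_signers` hashes every certificate in each signature blob, not only the leaf named by the SignerInfo, so a shared intermediate CA (a common public code-signing CA, say) would also surface as a "shared signer" and must be filtered before drawing the kind of conclusion Levene draws; a production tool should resolve issuerAndSerialNumber to the leaf with a real ASN.1 parser rather than the shape heuristic used here. The correlation also only says the same certificate signed both families, which is why Levene stops short of attributing them to the same actor: certificates are stolen and resold.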

On ransomware targeting corporations, Levene noted that the “big-game hunting” approach used in the MegaCortex attacks has become increasingly common since the start of 2019.

“As more and more lucrative targets remain accessible, I believe this trend will continue throughout the year,” Levene added. “Organizations cannot ignore commodity malware anymore as attackers increasingly use their beachhead access to execute highly lucrative (and damaging) attacks.”

Image: Sophos
