MegaCortex is ransomware that first appeared in May 2019. [1] MegaCortex has mainly targeted industrial organizations. [2][3]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1112 | Modify Registry | MegaCortex has added entries to the Registry for ransom contact information.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | MegaCortex has used a Base64 key to decode its components.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | MegaCortex has used |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | MegaCortex was used to kill endpoint security processes.[1] |
| Enterprise | T1486 | Data Encrypted for Impact | MegaCortex has used the open-source library Mbed Crypto and generated AES keys to carry out the file encryption process.[1][4] |
| Enterprise | T1083 | File and Directory Discovery | MegaCortex can parse the available drives and directories to determine which files to encrypt.[1] |
| Enterprise | T1489 | Service Stop | MegaCortex can stop and disable services on the system.[1] |
| Enterprise | T1106 | Native API | After escalating privileges, MegaCortex calls |
| Enterprise | T1561.001 | Disk Wipe: Disk Content Wipe | MegaCortex can wipe deleted data from all drives using |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | MegaCortex has used |
| Enterprise | T1490 | Inhibit System Recovery | MegaCortex has deleted volume shadow copies using |
| Enterprise | T1588.003 | Obtain Capabilities: Code Signing Certificates | MegaCortex has used code signing certificates issued to fake companies to bypass security controls.[1] |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | MegaCortex has checked the number of CPUs in the system to avoid being run in a sandbox or emulator.[1] |
| Enterprise | T1134 | Access Token Manipulation | MegaCortex can enable |
| Enterprise | T1531 | Account Access Removal | MegaCortex has changed user account passwords and logged users off the system.[1] |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | MegaCortex loads |
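Several rows in the table (killing endpoint security processes, stopping services, resetting passwords and logging users off, writing ransom contact data to the Registry) describe host behaviour that leaves a correlatable trail in Windows event logs. The following Python hunt is an added example, not code from the ATT&CK page and not MegaCortex's own code: it correlates those behaviours per host inside a time window and reports the matching technique IDs. The simplified `<timestamp> <host> <event type> k=v ...` event format, the sample log, the thresholds, the endpoint-security process names and the Registry key are all constructed assumptions to be tuned to your own telemetry.

```python
"""Hunt for MegaCortex-like behaviour in normalized Windows event lines.

Added example (not from the ATT&CK page, not MegaCortex's own code). Input is a
constructed, simplified format: "<ISO timestamp> <host> <event type> k=v ...".
Event type names, thresholds, process names and the Registry key are assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed endpoint-security image names; replace with what your EDR/AV runs as.
SECURITY_PROCESSES = {"msmpeng.exe", "mssense.exe", "cylancesvc.exe", "csfalconservice.exe"}
WINDOW = timedelta(minutes=10)
MIN_SECURITY_KILLS = 2   # T1562.001: security processes terminated inside WINDOW
MIN_SERVICE_STOPS = 5    # T1489: services stopped inside WINDOW
MIN_PASSWORD_RESETS = 3  # T1531: password resets inside WINDOW, followed by a logoff
# Heuristic (assumption) for ransom contact data landing in a Registry value:
# an e-mail address or a .onion hostname.
CONTACT_RE = re.compile(r"[\w.+-]+@[\w-]+\.\w+|\b[a-z2-7]{16,56}\.onion\b", re.I)
# key=value pairs whose values may contain spaces (Windows paths).
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Constructed sample log: WS01 shows the full pattern, WS02 only benign noise.
SAMPLE_LOG = r"""
2019-05-04T02:10:01 WS01 ProcessTerminate image=C:\Program Files\Windows Defender\MsMpEng.exe
2019-05-04T02:10:02 WS01 ProcessTerminate image=C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
2019-05-04T02:10:30 WS01 ServiceStop name=MSSQLSERVER
2019-05-04T02:10:31 WS01 ServiceStop name=SQLWriter
2019-05-04T02:10:40 WS01 ServiceStop name=VeeamBackupSvc
2019-05-04T02:10:55 WS01 ServiceStop name=wuauserv
2019-05-04T02:11:10 WS01 ServiceStop name=Spooler
2019-05-04T02:12:00 WS01 PasswordReset target=admin
2019-05-04T02:12:01 WS01 PasswordReset target=backup
2019-05-04T02:12:02 WS01 PasswordReset target=jdoe
2019-05-04T02:12:05 WS01 Logoff user=jdoe
2019-05-04T02:12:30 WS01 RegistrySet key=HKLM\SOFTWARE\Example\Contact value=recover@example.com
2019-05-04T02:10:40 WS02 ServiceStop name=Spooler
2019-05-04T02:13:00 WS02 PasswordReset target=jdoe
2019-05-04T02:14:00 WS02 RegistrySet key=HKCU\Software\App value=1
2019-05-04T02:15:00 WS02 ProcessTerminate image=C:\Windows\notepad.exe
"""


@dataclass
class Event:
    ts: datetime
    host: str
    etype: str
    fields: dict


def parse_line(line: str) -> Event:
    """Split one event line into timestamp, host, type and its key=value fields."""
    ts, host, etype, rest = (line.split(" ", 3) + [""])[:4]
    return Event(datetime.fromisoformat(ts), host, etype, dict(KV_RE.findall(rest)))


def max_in_window(times: list[datetime], window: timedelta) -> int:
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def hunt(log_text: str) -> dict[str, list[str]]:
    """Return {host: sorted ATT&CK technique IDs} for hosts showing the pattern."""
    by_host: dict[str, list[Event]] = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line.strip())
            by_host[ev.host].append(ev)

    findings: dict[str, list[str]] = {}
    for host, events in by_host.items():
        hits = set()
        kills = [e.ts for e in events if e.etype == "ProcessTerminate"
                 and e.fields.get("image", "").rsplit("\\", 1)[-1].lower() in SECURITY_PROCESSES]
        if max_in_window(kills, WINDOW) >= MIN_SECURITY_KILLS:
            hits.add("T1562.001")
        stops = [e.ts for e in events if e.etype == "ServiceStop"]
        if max_in_window(stops, WINDOW) >= MIN_SERVICE_STOPS:
            hits.add("T1489")
        resets = [e.ts for e in events if e.etype == "PasswordReset"]
        logoffs = [e.ts for e in events if e.etype == "Logoff"]
        # Resets alone happen in normal administration; require a logoff in the same burst.
        if max_in_window(resets, WINDOW) >= MIN_PASSWORD_RESETS and any(
                min(resets) <= t <= max(resets) + WINDOW for t in logoffs):
            hits.add("T1531")
        if any(e.etype == "RegistrySet" and CONTACT_RE.search(e.fields.get("value", ""))
               for e in events):
            hits.add("T1112")
        if hits:
            findings[host] = sorted(hits)
    return findings


if __name__ == "__main__":
    for host, techniques in hunt(SAMPLE_LOG).items():
        print(host, ", ".join(techniques))
```

The thresholds are deliberately conservative: a single stopped service or password reset is routine administration, so each rule fires only on a burst inside the correlation window, and the T1531 rule additionally requires a logoff in the same burst. Map the constructed event types onto your own sources (for example Sysmon process-terminate and registry-set events, System log service state changes, and Security log password-reset and logoff events) before relying on it.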