LTS Secure Warning: Spike In Ransomware Attacks Against Large Corporate Networks

MegaCortex is the latest addition to the ransomware family & has been identified targeting large corporate networks in US, Canada, Italy, Netherlands, Etc. The malware makes use of the rundll32.exe (Used to perform encryption by default windows applications), which is a part of the windows ecosystem, which prevents the malwares from being detected by antivirus solutions.

 

Technical Details

Till now it is not clear how the hacker gained access to the network to deploy the ransomware, but once inside, the hacker drops two files:

  • Batch file: Used to terminate windows processes as well as stop & disable services that might interfere with the ransomware’s routines.
  • winnit.exe: Core Malware File.

Once the files have been executed, the malware will extract a DLL (Component used to encrypt the victims files) and execute it with the help of rundll32.exe. During the encryption process, the ransomware will append all the files with the extension “.aes128ctr”.

 

Impact

  • Loss of Productivity.
  • Downtime in Business Critical operations.
  • Temporary or Permanent loss of Sensitive/Confidential data.

 

Recommended Actions

  • Take system back-ups on regular intervals.
  • Ensure that your devices are always up-to-date with the latest patches released.
  • Regularly update your antivirus software & perform malware scans to protect against unknown threats
  • Make proper security configuration for Firewall/IDS/IPS/Endpoint Protection systems so that no holes are left barred.
  • Avoid Opening emails & attachments from unknown senders.