
Matrix-Themed Ransomware Spikes in May

Security experts are warning organizations of a new, highly targeted ransomware strain known as MegaCortex, which appears to have been written by a fan of ‘90s cult film The Matrix.

Although the ransomware first appeared at the start of the year, there appears to have been a major recorded spike on May 1, according to UK security company Sophos.

Of the 76 attacks confirmed since February, 47 happened over the past few days, according to principal researcher Andrew Brandt.

Enterprise networks in the US, Italy, Canada, France, the Netherlands, and Ireland have so far been targeted.

There seems to be a crossover between victims of Emotet and Qbot malware and those targeted in this campaign, although Sophos can’t be sure of the correlation.

Victim organizations report attacks coming from a compromised domain controller (DC), which the hackers may have accessed via stolen admin credentials.

“The attacker issues commands via the compromised DC, which the attacker is remotely accessing using the reverse shell,” explained Brandt.

“The DC uses WMI to push the malware — a copy of PsExec renamed rstwg.exe, the main malware executable, and a batch file — to the rest of the computers on the network that it can reach, and then runs the batch file remotely via PsExec.”

That batch file is a list of commands to terminate 44 processes and 189 services and disable a further 194 services — in so doing, preventing anything that would stop the ransomware running, including security tools.

Finally, the batch file launches winnit.exe to drop and execute the DLL payload.
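The deployment chain described above (WMI push of a renamed PsExec plus a batch file that mass-terminates processes and services) leaves traces in process-creation telemetry. The following is an added detection example, not code from Sophos or from the article: it runs three heuristics over constructed Sysmon Event ID 1-style records (field names Image, OriginalFileName, ParentImage and CommandLine follow that schema) and over a constructed batch script. The only indicator values taken from the article are the renamed PsExec copy rstwg.exe and the loader winnit.exe; everything else (host names, paths, the threshold) is made up for illustration.

```python
"""Detection heuristics for a WMI/PsExec ransomware push (constructed example)."""
import ntpath
import re

# Legitimate on-disk names for the Sysinternals tool; any other file name that
# carries PsExec's version-info name is a renamed copy (the article's rstwg.exe).
PSEXEC_NAMES = {"psexec.exe", "psexec64.exe"}


def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def is_renamed_psexec(event):
    """True when the PE version info says PsExec but the on-disk name differs."""
    original = event.get("OriginalFileName", "").lower()
    # Assumption: PsExec's OriginalFileName field begins with "psexec"
    # (the shipped binary reports "psexec.c").
    return original.startswith("psexec") and _base(event["Image"]) not in PSEXEC_NAMES


def is_wmi_spawned_script(event):
    """True when the WMI provider host launches a shell or a .bat file,
    the remote-execution pattern the article attributes to the compromised DC."""
    parent = _base(event.get("ParentImage", ""))
    child = _base(event["Image"])
    cmdline = event.get("CommandLine", "").lower()
    return parent == "wmiprvse.exe" and (child == "cmd.exe" or ".bat" in cmdline)


# One command per line; [ \t]* rather than \s* so a match never spans lines.
KILL_RE = re.compile(r"^[ \t]*taskkill\b", re.I | re.M)
STOP_RE = re.compile(r"^[ \t]*(?:net[ \t]+stop|sc[ \t]+stop)\b", re.I | re.M)
DISABLE_RE = re.compile(r"^[ \t]*sc[ \t]+config\b.*\bstart=[ \t]*disabled\b", re.I | re.M)


def score_batch(text, threshold=5):
    """Count process-kill, service-stop and service-disable commands in a batch
    script and flag it once the total reaches `threshold` (a constructed value;
    the script in the article carries hundreds of such lines)."""
    counts = {
        "kill": len(KILL_RE.findall(text)),
        "stop": len(STOP_RE.findall(text)),
        "disable": len(DISABLE_RE.findall(text)),
    }
    counts["suspicious"] = sum(counts.values()) >= threshold
    return counts


def analyze(events, batch_text):
    """Run all heuristics; return (rule, detail) pairs in the order they fire."""
    findings = []
    for ev in events:
        if is_renamed_psexec(ev):
            findings.append(("renamed_psexec", _base(ev["Image"])))
        if is_wmi_spawned_script(ev):
            findings.append(("wmi_spawned_script", _base(ev["Image"])))
    batch = score_batch(batch_text)
    if batch["suspicious"]:
        detail = f"{batch['kill']} kill / {batch['stop']} stop / {batch['disable']} disable"
        findings.append(("mass_service_kill", detail))
    return findings


# Constructed sample events (hypothetical hosts and paths).
SAMPLE_EVENTS = [
    {  # renamed PsExec (file name from the article) launched by the WMI host
        "Image": r"C:\Windows\Temp\rstwg.exe",
        "OriginalFileName": "psexec.c",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": r"rstwg.exe \\WS01 -s -d cmd /c C:\Windows\Temp\deploy.bat",
    },
    {  # WMI host spawning a shell to run the dropped batch file
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": r"cmd.exe /c C:\Windows\Temp\deploy.bat",
    },
    {  # benign: an admin running the real PsExec under its own name
        "Image": r"C:\Tools\PsExec.exe",
        "OriginalFileName": "psexec.c",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"PsExec.exe \\WS02 ipconfig",
    },
]

# Constructed batch script in the style the article describes, ending with the
# loader name it names (winnit.exe); service names are illustrative only.
SAMPLE_BATCH = r"""
taskkill /f /im msmpeng.exe
taskkill /f /im sqlservr.exe
net stop WinDefend /y
sc config WinDefend start= disabled
sc config wuauserv start= disabled
start /b winnit.exe
"""

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS, SAMPLE_BATCH):
        print(f"{rule}: {detail}")
```

The renamed-binary check is the most durable of the three, because it keys on version-info metadata the attacker left intact rather than on a file name that can change between campaigns; the WMI-parent and mass-kill rules are broader and will need tuning against legitimate deployment tooling in a given environment.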

There’s no actual figure quoted in the ransom demand: instead the authors offer a ‘consultation’ on how to improve the victim organization’s cybersecurity.

To help mitigate the risk of infection, Sophos recommended putting any machines using RDP behind a VPN, and employing two-factor authentication (2FA) to replace all admin passwords.

The ransom note itself apparently contains numerous references to The Matrix and the name of the ransomware echoes that of the company where hero Neo works in the film: MetaCortex.
