MegaCortex is ransomware that first appeared in May 2019. [1] MegaCortex has mainly targeted industrial organizations. [2][3]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1134 | Access Token Manipulation | MegaCortex can enable |
| Enterprise | T1531 | Account Access Removal | MegaCortex has changed user account passwords and logged users off the system.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | MegaCortex has used |
| Enterprise | T1486 | Data Encrypted for Impact | MegaCortex has used the open-source library, Mbed Crypto, and generated AES keys to carry out the file encryption process.[1][4] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | MegaCortex has used a Base64 key to decode its components.[1] |
| Enterprise | T1561.001 | Disk Wipe: Disk Content Wipe | MegaCortex can wipe deleted data from all drives using |
| Enterprise | T1083 | File and Directory Discovery | MegaCortex can parse the available drives and directories to determine which files to encrypt.[1] |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | MegaCortex was used to kill endpoint security processes.[1] |
| Enterprise | T1490 | Inhibit System Recovery | MegaCortex has deleted volume shadow copies using |
| Enterprise | T1112 | Modify Registry | MegaCortex has added entries to the Registry for ransom contact information.[1] |
| Enterprise | T1106 | Native API | After escalating privileges, MegaCortex calls |
| Enterprise | T1588.003 | Obtain Capabilities: Code Signing Certificates | MegaCortex has used code signing certificates issued to fake companies to bypass security controls.[1] |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | MegaCortex loads |
| Enterprise | T1489 | Service Stop | MegaCortex can stop and disable services on the system.[1] |
| Enterprise | T1218.011 | Signed Binary Proxy Execution: Rundll32 | MegaCortex has used |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | MegaCortex has checked the number of CPUs in the system to avoid being run in a sandbox or emulator.[1] |