The Day MegaCortex Ransomware Mayhem Was Averted

October 15, 2019
|
co-authored by Limor Kessem
|
5 min read

Averting cyberattacks planned out by aggressive threat actors is no easy feat for any organization, and much less for incident response (IR) teams who are usually called in after the attack has caused damage. IBM X-Force Incident Response and Intelligence Services (IRIS) analysts know this firsthand. The problem with this approach is that when an attack is already underway, response teams have to play catch-up to mitigate the situation.

This post will highlight the benefits of reporting early and escalating suspicious indicators to responders by diving into a recent case where a ransomware attack by MegaCortex was stopped in its tracks.

Cloudy With a Chance of CobaltStrike

In recent response operations, IBM X-Force IRIS was alerted by a client organization to respond to a possible security breach within their network based on suspicious network traffic communicating with a known malicious IP address associated with illicit CobaltStrike activity. While inherently built for use in adversary simulations and red team operations, attackers commonly leverage this commercial penetration testing framework for malicious purposes. In the case at hand, CobaltStrike was what we uncovered to be the tool that facilitated command-and-control (C&C) on compromised systems and used for lateral movement within the compromised environment.

When the suspicious communication was detected, the security team of the organization alerted its incident response service immediately, which was critical to the timing and detection of a ransomware campaign that, we then realized, was already underway.

A MegaCortex in PowerShell Clothing

When our team took charge of the IR process, we chose to deploy an endpoint detection and response (EDR) tool to help determine the scope of the incident and collect more data. This process allowed us to identify additional compromised devices and list network user accounts taken over by the attackers for lateral movement through the network.

Looking into forensic data, X-Force IRIS identified a PowerShell payload that was initiating the communications with the suspicious IP address. PowerShell is a legitimate tool that’s installed on user devices as part of the Windows operating system. Unfortunately, it is increasingly abused by an array of threat actors for malicious communication and lateral movement as part of what’s known as living off the land tactics.

As the analysis deepened, we revealed that the threat actor involved had already gained privileged account access on the network. Indicators of compromise (IoCs) collected pointed to a ransomware campaign that targets enterprise networks. That campaign is known as MegaCortex, a ransomware family that targets corporate networks and servers containing the company’s data and resources. In one recent case of a MegaCortex infection, the victimized organization was asked to pay $5.8 million in ransom charges to obtain the decryption keys to its hijacked data.

MegaCortex has been evolving in the past weeks, scaling from manual attacks to a more automated variant that, unlike the previous version, can be installed without requiring a password. The malware’s developers also added anti-analysis features to its arsenal to thwart detection. With distribution by gang-owned Trojans such as QakBot and Emotet in past campaigns, MegaCortex can be linked to professional malware-wielding threat actors from Eastern Europe.

Financial or Destructive Motives?

With a rise in destructive attacks, it is often possible that an attacker’s intent goes beyond financial gain. Destructive components of the attack can arise as the main motive or as a secondary reaction to a victim that won’t pay.

According to X-Force IRIS’s analysis, the attack we investigated did not appear financially motivated overall and had the potential of a destructive attack. We concluded that it was only a matter of time until the ransomware bomb would explode, and time was of the essence to start a containment plan.

When facing a situation with malicious actors already deep in the network, a security team must be extra vigilant and cautious not to reveal to the attacker that the intrusion has been discovered. To prepare for an abrupt launch of the ransomware attack, teams should be ready to execute system isolation and C&C blocking, disable the compromised privileged accounts, and reset passwords — all while containing with clarity and speed.

MegaCortex D-Day

The MegaCortex attack attempted to hit the compromised organization a few days after the initial detection of suspicious communication with an external IP address. D-Day was set to a predefined time, with attackers working manually to deploy the malware in batches on a Saturday, likely to ensure that minimal response from the security team could come to the rescue and contain the onslaught.

To launch the process, the MegaCortex malware was uploaded in a file signed with a stolen code-signing certificate. The attackers planned to deploy the malware on more than 20,000 devices using the Windows Management Interface Command (WMIC) and relying on the accounts they had compromised in preparation of the launch.

Averting Ransomware’s Destructive Effects

With early detection and readiness, the MegaCortex attack that could have affected thousands of devices and taken months to remediate was averted.

Rapid containment was possible in this case thanks to the early identification and escalation of suspicious signs to an incident response team. The subsequent preparation saved the company the operational and remediation costs that could potentially reach hundreds of millions of dollars, depending on the disruption and destructive results the attack would have caused. Had this attack developed into the destructive phase, the cost could have been much worse, totaling $239 million on average, according to X-Force data.

3 Factors Critical to Attack Mitigation and Containment

Ransomware attacks, a threat that has been seeing immense growth in the enterprise realm, have more than doubled in 2019. Each of these incidents can be a widely disruptive ordeal for an organization of any size. Making an effort to detect early signs of an attack and acting on them can make a big difference.

Here are three factors proven critical to the mitigation of ransomware attacks:

  1. Early detection — Early alerting on the discovery of suspicious activity and immediate engagement of your IR team can make a world of difference in what ensues.
  2. Endpoint visibility — Though other security tools may alert about a potential compromise, an adequate EDR platform can help reveal the scope of the attack and the ways by which it continues to spread. This information, in turn, can help contain the attack and prevent further damage.
  3. An IR team ready to act and incident response playbooks — Finding out an attacker is about to launch a devastating attack on your organization and having to wait to act can be a nerve-wrecking process. To manage reactions at the time of a crisis, it is essential to have an experienced incident response team ready to act while being prepared with runbooks for scenarios most likely to affect your organization. These elements are part of what helps make more sound decisions and results in the event of a crisis.

Post-attack, teams are advised to monitor for renewed attempts to compromise their network and apply controls where necessary.

Gaining the Upper Hand

All too often, incident response teams are called in to help when it’s too late and the damage has already been done. As our X-Force IRIS team moves to analyze the attack, contain and remediate, there is often nothing we can do to go back in time and prevent it.

But not all cases have to begin with the attacker having the upper hand. In today’s state of affairs, with a 30 percent chance of suffering an attack, we must turn our sights to learning how to respond faster and better to improve our chances of averting the attempts of sophisticated, motivated attackers.

Figure 1: Likelihood of experiencing a breach of at least 10,000 records over the next 24 months (Source: Ponemon Institute)

Keep up to date on MegaCortex and other threats by joining our team on X-Force Exchange. To see IoCs from recent campaigns, search MegaCortex.

Matthew DeFir
IR Function Lead - IBM X-Force Incident Response & Intelligence Services (IRIS)

Matthew DeFir is the North American IR Function Lead with IBM's X-Force Incident Response and Intelligence Services (IRIS) team. Prior to joining IRIS, Matth...
read more