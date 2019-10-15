When our team took charge of the IR process, we chose to deploy an endpoint detection and response (EDR) tool to help determine the scope of the incident and collect more data. This process allowed us to identify additional compromised devices and list network user accounts taken over by the attackers for lateral movement through the network.

Looking into the forensic data, X-Force IRIS identified a PowerShell payload that was initiating the communications with the suspicious IP address. PowerShell is a legitimate tool installed on user devices as part of the Windows operating system. Unfortunately, it is increasingly abused by a wide array of threat actors for malicious communication and lateral movement as part of what are known as living-off-the-land tactics.
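As an added, defender-side example (not code from the X-Force IRIS write-up), the script below correlates constructed Sysmon-style process-creation and network-connection records to surface PowerShell processes that open outbound connections, and flags those whose destination is on an IoC watchlist. The sample events, the watchlist IP 203.0.113.10 and the file paths are constructed placeholders, not indicators from the incident.

```python
"""Correlate process-creation and network-connection events to find PowerShell
processes that initiate outbound communications (added defender-side example)."""

# Constructed sample events in a Sysmon-like shape (EventID 1 = process create,
# EventID 3 = network connection). 203.0.113.10 is a placeholder watchlist IP.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "A1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\Public\stage.ps1"},
    {"EventID": 1, "ProcessGuid": "B2",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "firefox.exe"},
    {"EventID": 3, "ProcessGuid": "A1", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "ProcessGuid": "B2", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "ProcessGuid": "A1", "DestinationIp": "10.0.0.5", "DestinationPort": 445},
]

POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe", "powershell_ise.exe")


def is_powershell(image: str) -> bool:
    """True when the image file name is a PowerShell host, regardless of path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower() in POWERSHELL_IMAGES


def find_powershell_beacons(events, watchlist):
    """Return one finding per network connection made by a PowerShell process.

    Each finding keeps the parent image and command line for triage and records
    whether the destination IP matches the IoC watchlist. Non-watchlist
    destinations are still returned so lateral movement (e.g. SMB/445) is visible.
    """
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        if e["EventID"] != 3:
            continue
        proc = procs.get(e["ProcessGuid"])
        if proc is None or not is_powershell(proc["Image"]):
            continue
        findings.append({
            "guid": e["ProcessGuid"],
            "parent": proc["ParentImage"],
            "dest": f'{e["DestinationIp"]}:{e["DestinationPort"]}',
            "on_watchlist": e["DestinationIp"] in watchlist,
            "command": proc["CommandLine"],
        })
    return findings


if __name__ == "__main__":
    for f in find_powershell_beacons(SAMPLE_EVENTS, {"203.0.113.10"}):
        tag = "IOC MATCH" if f["on_watchlist"] else "review"
        print(f"[{tag}] PowerShell {f['guid']} (parent {f['parent']}) -> {f['dest']}")
```

In production the same join is done over EDR or Sysmon telemetry; the parent image and command line are what distinguish an administrator's console from a service-spawned hidden PowerShell.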

As the analysis deepened, we found that the threat actor involved had already gained privileged account access on the network. The indicators of compromise (IoCs) collected pointed to a ransomware campaign that targets enterprise networks. That campaign is known as MegaCortex, a ransomware family that targets corporate networks and the servers holding the company's data and resources. In one recent case of a MegaCortex infection, the victimized organization was asked to pay USD 5.8 million in ransom to obtain the decryption keys to its hijacked data.

MegaCortex has been evolving over the past few weeks, scaling from manual attacks to a more automated variant that, unlike the previous version, can be installed without requiring a password. The malware's developers have also added anti-analysis features to its arsenal to thwart detection. Given its distribution by gang-owned Trojans such as QakBot and Emotet in past campaigns, MegaCortex can be linked to professional malware-wielding threat actors from Eastern Europe.