MegaCortex Ransomware Strain Summons Morpheus To Hold Data Hostage In The Matrix
Where is Neo when you need him? We don't have an answer for that, but Morpheus has been making an appearance on some business PCs, just not in the manner you might think. His mug is part of a message delivered by a new ransomware strain called "MegaCortex," a play on MetaCortex, the faceless software company in The Matrix where Neo worked.
This is not the kind of sequel or reboot that fans might have been hoping for. Security outfit Sophos says it recently saw a "jolt of life" from this ransomware strain, with a spike in the number of attacks around the world, including in Canada, France, Ireland, Italy, the Netherlands, and the United States. Those behind MegaCortex are employing "sophisticated techniques" to infect systems.
According to Sophos, MegaCortex uses a "convoluted infection methodology," leveraging "both automated and manual components." The company's initial analysis found a high degree of automation, aimed at infecting as many machines as possible once the attackers have a foothold.
"In attacks we’ve investigated, the attackers used a common red-team attack tool script to invoke a meterpreter reverse shell in the victim’s environment. From the reverse shell, the infection chain uses PowerShell scripts, batch files from remote servers, and commands that only trigger the malware to drop encrypted secondary executable payloads (that had been embedded in the initial dropped malware) on specified machines," Sophos explains.
In at least one instance, it appears the attacker obtained an administrator's login credentials and launched the attack from a domain controller inside the enterprise network, which gives a ready-made vantage point for pushing payloads to every domain-joined machine. This is a particularly nasty strain that also uses a long batch file to terminate running programs and stop a large number of services, most of which appear to be security-related, so that the encryption step runs with as little interference as possible.
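The kill-list behaviour described above (one script issuing a long run of service-stop and process-kill commands, most aimed at security software) is a good candidate for a detection. The following is an added example, not Sophos' analysis code and not taken from the MegaCortex samples: it scans constructed process-creation records, loosely modelled on Sysmon Event ID 1 fields, groups `net stop` / `sc stop` / `taskkill` commands by parent process, and alerts when a single parent issues a burst of them within a short window. The field names, the security-product keyword list, the threshold and the window are all assumptions chosen for the illustration; the sample events are constructed, not from a real incident.

```python
"""Flag a parent process that mass-stops services or kills programs.

Added illustration, not Sophos code or anything from MegaCortex samples.
Records are constructed and loosely modelled on Sysmon Event ID 1
(process creation) fields; keywords, threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# (action, regex capturing the stopped service or killed image, quoted or not)
STOP_PATTERNS = [
    ("net stop", re.compile(r'(?:^|[\\\s"])net1?(?:\.exe)?"?\s+stop\s+(?:"([^"]+)"|(\S+))', re.I)),
    ("sc stop", re.compile(r'(?:^|[\\\s"])sc(?:\.exe)?"?\s+stop\s+(?:"([^"]+)"|(\S+))', re.I)),
    ("taskkill", re.compile(r'(?:^|[\\\s"])taskkill(?:\.exe)?"?\b.*?/im\s+(?:"([^"]+)"|(\S+))', re.I)),
]
# Assumed substrings that identify security tooling; extend for your estate.
SECURITY_KEYWORDS = ("defend", "msmpeng", "sophos", "mbam", "antivir",
                     "mcafee", "symantec", "eset", "security")

# Constructed parents: a cmd.exe running a batch file, and an admin's explorer.
PARENTS = {
    "{P-1}": (r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Temp\stop.bat"),
    "{P-2}": (r"C:\Windows\explorer.exe", "explorer.exe"),
}
NET, SC, KILL, CMD = (r"C:\Windows\System32\net.exe", r"C:\Windows\System32\sc.exe",
                      r"C:\Windows\System32\taskkill.exe", r"C:\Windows\System32\cmd.exe")


def _ev(ts, parent, image, cmdline):
    """Build one constructed process-creation record."""
    parent_image, parent_cmd = PARENTS[parent]
    return {"UtcTime": ts, "ParentProcessGuid": parent, "ParentImage": parent_image,
            "ParentCommandLine": parent_cmd, "Image": image, "CommandLine": cmdline}


# Constructed sample: P-1 fires a burst of stop/kill commands; P-2 is benign.
SAMPLE_EVENTS = [
    _ev("2019-05-03 10:15:02.000", "{P-1}", NET, "net stop WinDefend /y"),
    _ev("2019-05-03 10:15:02.300", "{P-1}", NET, 'net stop "Sophos AutoUpdate Service" /y'),
    _ev("2019-05-03 10:15:02.600", "{P-1}", SC, "sc stop MBAMService"),
    _ev("2019-05-03 10:15:02.900", "{P-1}", KILL, "taskkill /F /IM MsMpEng.exe"),
    _ev("2019-05-03 10:15:03.200", "{P-1}", NET, "net stop Spooler /y"),
    _ev("2019-05-03 10:15:03.500", "{P-1}", NET, 'net stop "SQL Server (MSSQLSERVER)" /y'),
    _ev("2019-05-03 10:15:03.800", "{P-1}", KILL, "taskkill /F /IM outlook.exe"),
    _ev("2019-05-03 10:15:04.100", "{P-1}", CMD, "cmd.exe /c echo done"),
    _ev("2019-05-03 11:02:10.000", "{P-2}", NET, "net stop Spooler"),
    _ev("2019-05-03 11:02:15.000", "{P-2}", NET, "net start Spooler"),
]


def classify(cmdline):
    """Return (action, target) if the command stops a service or kills a process."""
    for action, rx in STOP_PATTERNS:
        m = rx.search(cmdline)
        if m:
            return action, (m.group(1) or m.group(2))
    return None


def is_security_related(target):
    return any(k in target.lower() for k in SECURITY_KEYWORDS)


def _burst(times, threshold, window):
    """True if at least `threshold` timestamps fall inside any `window` seconds."""
    times = sorted(times)
    j = 0
    for i in range(len(times)):
        while (times[i] - times[j]).total_seconds() > window:
            j += 1
        if i - j + 1 >= threshold:
            return True
    return False


def analyze(events, threshold=5, window=120):
    """Group stop/kill commands by parent and alert on a burst from one parent."""
    by_parent = defaultdict(list)
    for ev in events:
        hit = classify(ev["CommandLine"])
        if hit:
            by_parent[ev["ParentProcessGuid"]].append((ev, hit[1]))
    alerts = []
    for guid, hits in by_parent.items():
        times = [datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f") for ev, _ in hits]
        if not _burst(times, threshold, window):
            continue
        targets = [t for _, t in hits]
        alerts.append({"parent_guid": guid,
                       "parent_image": hits[0][0]["ParentImage"],
                       "parent_commandline": hits[0][0]["ParentCommandLine"],
                       "stop_commands": len(hits),
                       "security_targets": [t for t in targets if is_security_related(t)]})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(a)
```

Legitimate maintenance scripts also stop services, so the threshold and window are there to separate a burst from routine administration; the number of security-related targets in the alert is what should push it to the top of the queue. The parent command line (here a batch file run by cmd.exe) is what you would pivot on next.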
Those infected see a picture of actor Laurence Fishburne portraying Morpheus, with a message that reads as though the character in The Matrix is saying it.
"We ensure that the only way to retrieve your data swiftly and securely is with our software. Restoration of your data requires a private key which only we possess. Don't waste your time and money purchasing third-party software, without the private key they are useless," the message reads.
Interestingly, Sophos says there is a strong correlation between MegaCortex and the recently reported Qakbot (also known as Qbot) password-stealing malware, along with another called Emotet. The company says anyone seeing alerts for either should treat them as a high priority, since an infection by either bot may be the first sign of a hands-on-keyboard intrusion rather than an isolated commodity-malware event.
"Both of those bots can be used to distribute other malware, and it's possible that's how the MegaCortex infections got their start," Sophos says.
It's not clear how much the culprits are seeking when demanding a ransom. On the bright side, they're not asking anyone to swallow a choice of pills, which we highly advise avoiding if ever presented with the option.