Utah’s Premiere Cyber Security Conference
Thursday, October 24 • 1:30pm - 2:30pm
The Megacortex Mysteries

In spring 2019, Sophos detected a widespread ransomware attack using malware that calls itself MegaCortex. The ransomware was spread around victims' networks using compromised Domain Admin credentials on domain controller computers to distribute it, via WMI, as if it were a software patch. Subsequent analysis of both the attack and the malware itself showed that the attack killchain was orchestrated using complex (and somewhat redundant) Windows batch files. The malware also featured a number of anti-analysis features, including a password string that was unique to each sample, and a hardcoded "active" time that analysts discovered: samples would not run in sandboxes unless the system date was changed to a three-hour window starting at around the same time the original attack began.

But the MegaCortex phenomenon actually raised more questions than answers. The MegaCortex samples we initially examined showed significant similarities in code style and behavior to other malware families. There were also odd connections and false-flag ties to completely unrelated malware families that sent researchers down a number of dead-end rabbit holes. None of the questions of why the malware had these unique characteristics have been answered, and the low-key nature of MegaCortex may mean we'll never understand its creators' motives.

Speakers

Andrew Brandt

Sophos
Andrew Brandt is a former investigative journalist turned malware hunter and network forensicator. He is a principal researcher with Sophos, and also the editor of the SophosLabs Uncut blog. In his spare time he tries to do hardware hacking, builds retrocomputing and retrogaming devices...


Thursday October 24, 2019 1:30pm - 2:30pm MDT
Track TWO 2nd Floor (Ballroom B)