MegaCortex | Malware Authors Serve Up Bad Tasting Ransomware

This year’s uptick in new ransomware attacks continues with the emergence of the MegaCortex malware, first seen in May and engaging in targeted attacks on corporate networks throughout June and July 2019. Although the infection vector isn’t known at this time, it is likely spread through phishing emails, poisoned attachments or trojan installers. Analysis shows that MegaCortex makes a deliberate attempt to avoid both enterprise security solutions and specific business management software products and delivers a particularly unpleasant ransom note on top. In this post, we dig into the MegaCortex ransomware and take it for a test drive on one of our endpoints.
 

Background to MegaCortex Ransomware

MegaCortex ransomware continues the recent trend of targeted ransomware specifically looking to compromise and extort money from enterprise victims.

The ransom demand starts out at 2-3 BTC, which at today’s prices represents somewhere in the region of US $20,000 – $30,000. The attackers warn that the demand could rise to as much as 600 BTC (about US $6 million), presumably if the victim tries to hold off paying or if the attackers think the victim can be coerced into paying so much.

image of bitcoin value

Analysis by researcher Vitali Kremez shows that MegaCortex has some interesting functions, including a process killer that targets a number of enterprise level programs such as the Proficy Suite Operations Management software and Gemalto digital identity services.

image of megacortex process killer

 
The MegaCortex ransomware also attempts to take a pot-shot at a number of SentinelOne processes, although as we will see below, the agent’s anti-tampering protection makes MegaCortex’s attempt to kill the SentinelOne processes quite unsuccessful.
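A process killer like the one described above is noisy: it fires off many termination commands within a few seconds, aimed at the endpoint agent and at line-of-business software. The script below is an added example for this post (not SentinelOne code and not derived from the MegaCortex sample). It scans constructed process-creation log lines for the command-line shapes such killers use (taskkill, net stop, sc stop, wmic ... delete), checks each target against a defender-maintained watchlist, and escalates the severity when several watchlisted targets are hit inside a short window. The watchlist entries and the log format are placeholders invented for the example; the post names the Proficy and Gemalto products but not their process names.

```python
"""Flag bulk process-termination commands aimed at security or business software.

Added example (not SentinelOne code, not derived from the MegaCortex sample).
Scans constructed process-creation log lines for kill/stop commands, matches
the target against a watchlist, and raises severity when several watchlisted
targets are hit in a short window, which is what "kill the agent and the
business apps, then encrypt" looks like in telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Watchlist of process/service names, lower-cased, without ".exe". These are
# placeholders invented for the example; a real list carries the exact names
# of the deployed endpoint agent and line-of-business software.
WATCHLIST = {
    "exampleedr",      # placeholder: endpoint agent
    "exampleedrsvc",   # placeholder: endpoint agent service
    "proficyserver",   # placeholder: operations-management suite
    "gemaltoidsvc",    # placeholder: identity service
    "sqlservr",        # SQL Server; commonly stopped so database files can be encrypted
}

LOG_LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) cmd=(?P<cmd>.*)$")

# Each pattern captures the process or service the command tries to stop.
KILL_PATTERNS = [
    re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+(?P<target>\S+)", re.I),
    re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+\"?(?P<target>[^\"\s]+)", re.I),
    re.compile(r"\bsc(?:\.exe)?\s+stop\s+(?P<target>\S+)", re.I),
    re.compile(r"\bwmic(?:\.exe)?\s+process\s+where\s+.*?name=['\"]?"
               r"(?P<target>[^'\"\s]+)['\"]?.*?\b(?:delete|terminate)\b", re.I),
]


def normalise(name: str) -> str:
    """Lower-case a process or service name and drop a trailing .exe."""
    name = name.strip("\"'").lower()
    return name[:-4] if name.endswith(".exe") else name


def extract_kill_target(cmd: str):
    """Return the normalised target of a kill/stop command, or None."""
    for pattern in KILL_PATTERNS:
        m = pattern.search(cmd)
        if m:
            return normalise(m.group("target"))
    return None


def parse_events(lines):
    """Turn log lines into (timestamp, host, cmd) tuples; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group("host"), m.group("cmd")))
    return events


def max_distinct_in_window(hits, window):
    """Largest number of distinct targets hit inside any span of length `window`."""
    hits.sort()
    best, start = 0, 0
    for end in range(len(hits)):
        while hits[end][0] - hits[start][0] > window:
            start += 1
        best = max(best, len({t for _, t in hits[start:end + 1]}))
    return best


def score_host_activity(events, window=timedelta(seconds=60)):
    """Per host: what was targeted, what was watchlisted, and a severity."""
    per_host = defaultdict(list)
    for ts, host, cmd in events:
        target = extract_kill_target(cmd)
        if target:
            per_host[host].append((ts, target))
    report = {}
    for host, hits in per_host.items():
        watch_hits = [(ts, t) for ts, t in hits if t in WATCHLIST]
        burst = max_distinct_in_window(watch_hits, window)
        severity = "high" if burst >= 3 else "medium" if watch_hits else "low"
        report[host] = {
            "targets": sorted({t for _, t in hits}),
            "watchlisted": sorted({t for _, t in watch_hits}),
            "max_in_window": burst,
            "severity": severity,
        }
    return report


# Constructed sample telemetry: WS01 shows the burst, WS02 a benign kill,
# WS03 a single watchlisted stop worth a look but not an alarm.
SAMPLE_LOG = """\
2019-07-17T09:58:02Z host=WS01 cmd=C:\\Windows\\System32\\svchost.exe -k netsvcs
2019-07-17T10:00:01Z host=WS01 cmd=taskkill /f /im exampleedr.exe
2019-07-17T10:00:01Z host=WS01 cmd=taskkill /f /im ExampleEDRSvc.exe
2019-07-17T10:00:02Z host=WS01 cmd=net stop proficyserver
2019-07-17T10:00:02Z host=WS01 cmd=sc stop GemaltoIdSvc
2019-07-17T10:00:03Z host=WS01 cmd=wmic process where name='sqlservr.exe' delete
2019-07-17T11:30:00Z host=WS02 cmd=taskkill /f /im notepad.exe
2019-07-17T11:45:00Z host=WS03 cmd=net stop sqlservr
"""

if __name__ == "__main__":
    for host, info in score_host_activity(parse_events(SAMPLE_LOG.splitlines())).items():
        print(host, info["severity"], info["watchlisted"])
```

The burst threshold is the interesting knob: a single `net stop` of a database service is routine administration, but five watchlisted services stopped in two seconds from one host is the pre-encryption pattern and deserves the high severity on its own, before any file activity is seen.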

Who is Behind MegaCortex Malware?

In order to get past basic security measures, the authors of the sample we obtained signed the file with a digital signature.

77ee63e36a52b5810d3a31e619ec2b8f5794450b563e95e4b446d5d3db4453b2

The sample was compiled on July 15th, 2019, two days before appearing on VirusTotal, and bears a Thawte CA certificate, signed with the name “ABADAN PIZZA LTD”. The product is named “Pizza Napoletana”, described as a “Helper Library” (as we’ll see when we discuss the ransom note below, the authors appear to be quite the jesters…).
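The two-day gap between compile time and first appearance on VirusTotal is itself a triage signal. The following added example (not code from this post) reads the COFF header’s TimeDateStamp straight out of a PE image, pairs it with the file’s SHA-256, and classifies the compile time against the first-seen time: later than first-seen means the stamp was forged, a few days earlier points to a binary built for the campaign. The PE bytes fed to it are a constructed header-only image, not the MegaCortex sample, and the Authenticode signer name is not parsed here.

```python
"""Compile timestamp and hash triage for a PE sample.

Added example, not code from the post. The COFF TimeDateStamp is read
directly from the bytes (no third-party PE parser) and compared with the time
the sample was first observed.
"""
import hashlib
import struct
from datetime import datetime, timedelta, timezone


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # COFF header after the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def timestamp_verdict(compiled: datetime, first_seen: datetime) -> str:
    """Classify the compile time relative to when the file was first observed."""
    if compiled > first_seen:
        return "forged"   # a file cannot be compiled after it was first observed
    if first_seen - compiled <= timedelta(days=7):
        return "fresh"    # built shortly before use, typical of targeted operations
    return "old"


def triage(data: bytes, first_seen_iso: str) -> dict:
    """Summarise a sample: SHA-256, compile time and a verdict on the timestamp."""
    compiled = pe_compile_time(data)
    first_seen = datetime.fromisoformat(first_seen_iso)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "compiled": compiled.isoformat(),
        "verdict": timestamp_verdict(compiled, first_seen),
    }


def build_minimal_pe(timestamp: int) -> bytes:
    """Header-only PE image used as constructed test input (not a real sample)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0x22)
    return dos + b"PE\0\0" + coff


if __name__ == "__main__":
    # Constructed values: compiled 2019-07-15 00:00 UTC, first seen two days later.
    print(triage(build_minimal_pe(1563148800), "2019-07-17T00:00:00+00:00"))
```

On a real file, pass the full bytes read from disk; the header parsing is the same, and the resulting SHA-256 is what you would look up against a sample repository.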

image of megacortex signed by abadan pizza

Abadan Pizza Ltd turns out to be the name of a UK registered company. It was originally registered, along with a number of other food-related businesses, to an address at 13 Mary Street in Sunderland, North East England, on May 3rd, 2017.

image of Abadan Pizzas in Sunderland

Five days later it changed its registered office to another small business address in Chester Road of the same city (pictured below) before changing it back to its original address in Mary Street in January of 2019. Although there are Italian restaurants in both locations, there doesn’t appear to be an actual shop front with the name ‘Abadan Pizza’ in either street at the time Google Maps drove by. Perhaps they moved into gentlemen’s hairdressing, though, as there does appear to be an ‘Abadan Barbers’ shop at the second of the two registered addresses.

image of megacortex abadan barber

Of course, the link between the name of the business and the name used to sign the malware is likely entirely coincidental, and we have no evidence to suggest that the business owners have any knowledge of or involvement with the MegaCortex malware. More than likely, they are random victims of the malware authors’ odd sense of humor. It remains an interesting speculation, though, as to whether the malware authors picked the name out of a random internet search from halfway across the world or whether they are or were at some time located in the vicinity of the Abadan Pizza company’s registered addresses.

We Don’t Work For Food!

As we’ve noted, the amount of ransom demanded is clearly aimed at enterprise customers, but MegaCortex’s ransom note also displays an unusual amount of unnecessary grandstanding. Rather than just getting down to business and ensuring the victim has clear incentives and instructions to pay, as strains such as RobinHood ransomware do, MegaCortex chooses instead to first taunt and then mock its victims, explaining that – candidly, if callously enough – any appeals to the criminals’ better nature would be a waste of everyone’s time. Perhaps playing on the name of their adopted code signatory, Abadan Pizza, the ransom note mockingly tells the victim that they “don’t work for food”.

Remember ! We don’t work for food.
You have to pay for decryption in Bitcoins (BTC).
If you think you pay $500 and you’ll get the decryptor, you are 50 million light years away from reality 🙂
If you don’t have the money don’t even write to us.
We don’t do charity !

image of megacortex ransom note 3

The developers of MegaCortex demonstrate a clear understanding of business software suites and knowledge of enterprise security solutions. This suggests that the actors are not as immature as the language in the ransom note may be trying to suggest. The grammar errors in the ransom note also look somewhat artificial and inconsistent with the overall level of linguistic competency on display.

Demonstration of MegaCortex Ransomware

Let’s take a look at what happens on a victim’s machine when infected with MegaCortex. We’ll set the policy of the SentinelOne agent to “Detect only” so that we can observe the malware in action. Typically, however, enterprise customers would use the ‘Protect’ policy in a real deployment, which would not just detect the malware but also block its execution.

With the policy set to allow MegaCortex to run, we first see on the agent side that the ransomware begins scanning for files to encrypt.

image of megacortex scanning

At this point the malware, having failed to evade the SentinelOne agent, is detected by the agent’s behavioral engine.

image of megacortex detected on agent

From the administrator’s or SOC analyst’s point of view, the SentinelOne management console alerts on the threat in the Dashboard. Looking at the analysis, the precise reason for the detection is given.

image of megacortex detection in console

The attack story line also reveals MegaCortex’s failed attempt to circumvent the SentinelOne agent.

image of megacortex fails to avoid sentinelone

At this point on the agent side, since we were using the Detect-only policy, the user’s files have been encrypted by the malware. However, now that we’ve seen enough of MegaCortex, it’s time to remediate the machine. One click rolls back the infection and returns all the user’s files to their unencrypted state.

image of megacortex rolled back

If you’d like to see the full demo in action, check out the video below.

Conclusion

Criminals motivated primarily by financial gain have returned to ransomware as their go-to choice of malware in 2019 as a result of both a resurgence in the value of Bitcoin and the decline of easy money from cryptomining after the closure of Coinhive. This is a trend we expect to see continue throughout 2019, as ransomware attacks have proven devastatingly successful where enterprises are not protected by a comprehensive security solution like SentinelOne. If you’re not already protected by SentinelOne, now is a great time to try a free demo to see how our autonomous endpoint detection and response solution can keep your business safe.



Read more about Cyber Security

Analytics startup Heap raises $55M

Since co-founding Heap, CEO Matin Movassate has been saying that he wants to take on the analytics incumbents. Today, he’s got more money to fund that challenge, with the announcement that Heap has raised $55 million in Series C funding.

Movassate (pictured above) previously worked as a product manager at Facebook, and when I interviewed him after the startup’s Series B, he recalled the circuitous process normally required to collect and analyze user data. In contrast, Heap automatically collects data on user activity — the goal is to capture literally everything — and makes it available in a self-serve way, with no additional code required to answer new queries.

The company says it now has more than 6,000 customers, including Twilio, AppNexus, Harry’s, WeWork and Microsoft.

With this new funding, Heap has raised a total of $95.2 million. The plan is to fund international growth, as well as expand the product, engineering and go-to-market teams.

The Series C was led by NewView Capital, with participation from new DTCP, Maverick Ventures, Triangle Peak Partners, Alliance Bernstein Private Credit Investors, Sharespost and existing investors (NEA, Menlo Ventures, Initialized Capital and Pear VC). NewView founder and managing partner Ravi Viswanathan is joining the startup’s board of directors.

“Heap offers an innovative approach to automating a company’s analytics, enabling a variety of teams within an organization to obtain the data they need to make educated and, ultimately, smarter decisions,” Viswanathan said in a statement. “We are excited to team up with Heap, as they continue to develop their cutting edge software, expand their analytics automation offerings and help serve their growing numbers of customers.”

CircleCI closes $56M Series D investment as market for continuous delivery expands

CircleCI launched way back in 2011 when the notion of continuous delivery was just a twinkle in most developers’ eyes, but over the years with the rise of agile, containerization and DevOps, we’ve seen the idea of continuous integration and continuous delivery (CI/CD) really begin to mainstream with developers. Today, CircleCI was rewarded with a $56 million Series D investment.

The round was led by Owl Rock Capital Partners and Next Equity. Existing investors Scale Venture Partners, Top Tier Capital, Threshold Ventures (formerly DFJ), Baseline Ventures, Industry Ventures, Heavybit and Harrison Metal Capital also participated in the round. CircleCI’s most recent funding prior to this round was a $31 million Series C last January. Today’s investment brings the total raised to $115.5 million, according to the company.

CircleCI CEO Jim Rose sees a market that’s increasingly ready for the product his company is offering. “As we’re putting more money to work, there are just more folks that are now moving away from aspiring about doing continuous delivery and really leaning into the idea of, ‘We’re a software company, we need to know how to do this well, and we need to be able to automate all the steps between the time our developers are making changes to the code until that application gets in front of the customer,’ ” Rose told TechCrunch.

Rose sees a market that’s getting ready to explode and he wants to use the runway this money provides his company to take advantage of that growth. “Now, what we’re finding is that fintech companies, insurance companies, retailers — all of the more traditional brands — are now realizing they’re in a software business as well. And they’re really trying to build out the tool sets and the expertise to be effective at that. And so the real growth in our market is still right in front of us,” he said.

As CircleCI matures and the market follows suit, a natural question following a Series D investment is when the company might go public, but Rose was not ready to commit to anything yet. “We come at it from the perspective of keeping our heads down trying to build the best business and doing right by our customers. I’m sure at some point along the journey our investors will be itching for liquidity, but as it stands right now, everyone is really [focused]. I think what we have found is that the bulk of the market is just starting to arrive,” he said.

Arrcus snags $30M Series B as it tries to disrupt networking biz

Arrcus has a bold notion to try and take on the biggest names in networking by building a better networking management system. Today it was rewarded with a $30 million Series B investment led by Lightspeed Venture Partners.

Existing investors General Catalyst and Clear Ventures also participated. The company previously raised a seed and Series A totaling $19 million, bringing the total raised to date to $49 million, according to numbers provided by the company.

Founder and CEO Devesh Garg says the company wanted to create a product that would transform the networking industry, which has traditionally been controlled by a few companies. “The idea basically is to give you the best-in-class [networking] software with the most flexible consumption model at the lowest overall total cost of ownership. So you really as an end customer have the choice to choose best-in-class solutions,” Garg told TechCrunch.

This involves building a networking operating system called ArcOS to run the networking environment. For now, that means working with manufacturers of white-box solutions and offering some combination of hardware and software, depending on what the customer requires. Garg says that players at the top of the market like Cisco, Arista and Juniper tend to keep their technical specifications to themselves, making it impossible to integrate ArcOS with those companies at this time, but he sees room for a company like Arrcus.

“Fundamentally, this is a very large marketplace that’s controlled by two or three incumbents, and when you have lack of competition you get all of the traditional bad behavior that comes along with that, including muted innovation, rigidity in terms of the solutions that are provided and these legacy procurement models, where there’s not much flexibility with artificially high pricing,” he explained.

The company hopes to fundamentally change the current system with its solutions, taking advantage of unbranded hardware that offers a similar experience but can run the Arrcus software. “Think of them as white-box manufacturers of switches and routers. Oftentimes, they come from Taiwan, where they’re unbranded, but it’s effectively the same components that are used in the same systems that are used by the [incumbents],” he said.

The approach seems to be working, as the company has grown to 50 employees since it launched in 2016. Garg says that he expects to double that number in the next six to nine months with the new funding. Currently the company has double-digit paying customers and more than 20 in various stages of proofs of concept, he said.

Duo’s Wendy Nather to talk security at TC Sessions: Enterprise

When it comes to enterprise security, how do you move fast without breaking things?

Enter Duo’s Wendy Nather, who will join us at TC Sessions: Enterprise in San Francisco on September 5, where we will get the inside track on how to keep enterprise networks secure without slowing growth.

Nather is head of advisory CISOs at Duo Security, a Cisco company, and one of the most respected and trusted voices in the cybersecurity community as a regular speaker on a range of topics, from threat intelligence to risk analysis, incident response, data security and privacy issues.

Prior to her role at Duo, she was the research director at the Retail ISAC, and served as the research director of the Information Security Practice at independent analyst firm 451 Research.

She also led IT security for the EMEA region of the investment banking division of Swiss Bank Corporation — now UBS.

Nather also co-authored “The Cloud Security Rules,” and was listed as one of SC Magazine’s Women in IT Security “Power Players” in 2014.

We’re excited to have Nather discuss some of the challenges startups and enterprises face in security — threats from both inside and outside the firewall. Companies large and small face similar challenges, from keeping data in to keeping hackers out. How do companies navigate the litany of issues and threats without hampering growth?

Who else will we have onstage, you ask? Good question! We’ll be joined by some of the biggest names and the smartest and most prescient people in the industry, including Bill McDermott at SAP, Scott Farquhar at Atlassian, Julie Larson-Green at Qualtrics, Aaron Levie at Box and Andrew Ng at Landing AI and many, many more. See the whole agenda right here.

Early-bird tickets are on sale right now! For just $249 you can see Nather and these other awesome speakers live at TC Sessions: Enterprise. But hurry, early-bird sales end on August 9; after that, prices jump up by $100. Book here.

If you’re a student on a budget, don’t worry, we’ve got a super-reduced ticket for just $75 when you apply for a student ticket right here.

Enterprise-focused startups can bring the whole crew when you book a Startup Demo table for just $2,000. Each table gives you a primo location to be seen by attendees, investors and other sponsors, in addition to four tickets to enjoy the show. We only have a limited amount of demo tables and we will sell out. Book yours here.

Airbud raises $4 million to add a voice interface to your website

Amazon’s Alexa ushered in a new dawn of user interfaces, bringing voice into the mix as a viable option. Dozens of companies have sprouted because of this, not least of which being Airbud.io.

Airbud allows any company to add a voice interface to its website. The company just closed a $4 million round led by Hanaco Ventures, with participation from ERA and Spider Capital.

Airbud was co-founded by Israel Krush, Uri Valevski and Rom Cohen after the team saw the growth of voice interfaces and wondered how to capitalize on it.

By allowing companies to add voice/chat bot utility to their websites, Airbud hopes to increase retention of end-users on sites and give them easier access to the information they seek. Krush says that Airbud is focusing on websites that you have to be on, rather than the ones you want to be on.

That means Airbud clients are mostly in the healthcare space and travel space, helping end-users find a physician or book a flight using their voice.

Most importantly, Airbud operates on a plug and play system, meaning that clients don’t have to do the usual heavy lifting involved in creating a chat bot. Most of the time, folks who implement chatbots have to build a conversation tree. Airbud uses existing information scraped from the website, paired with an easy plug-and-play system for clients, to automatically build out a knowledge graph and have conversations with end-users.

Airbud charges based on the number of indexed pages and traffic to those pages.

The company plans to use the funding to increase the size of its team from seven to 15.

Ethyca raises $4.2M to simplify GDPR compliance

GDPR, the European data privacy regulation, has been in effect for more than a year, but it’s still a challenge for companies to comply. Ethyca, a New York City startup, has created a solution from the ground up to help customers adhere to the regulation, and today it announced a $4.2 million investment led by IA Ventures and Founder Collective.

Table Management, Sinai Ventures, Cheddar founder Jon Steinberg and Moat co-founder Jonah Goodhart also participated.

At its heart, Ethyca is a data platform that helps companies discover sensitive data, then provides a mechanism for customers to see, edit or delete their data from the system. Finally, the solution enables companies to define who can see particular types of data across the organization to control access. All of these components are designed to help companies comply with GDPR regulations.


Ethyca enterprise transaction log (Screenshot: Ethyca)

Company co-founder Cillian Kieran says that the automation component is key and should greatly reduce the complexity and cost associated with complying with GDPR rules. From his perspective, current solutions that involve either expensive consultants or solutions that require some manual intervention don’t get companies all the way there.

“These solutions don’t actually solve the issue from an infrastructure point of view. I think that’s the distinction. You can go and use the consultants, or you can use a control panel that tells you what you need to do. But ultimately, at some point you’re either going to have to build or deploy code that fixes some issues, or indeed manually manage or remediate those [issues]. Ethyca is designed for that and takes away those risks because it is managing privacy by design at the infrastructure level,” Kieran explained.

If you’re worried about the privacy of providing information like this to a third-party vendor, Kieran says that his company never actually sees the raw data. “We are a suite of tools that sits between business processes. We don’t capture raw data. We don’t see personal information. We find information based on unique identifiers,” he said.

The company has been around for more than a year, but has been spending its first year developing the solution. He sees this investment as validation of the problem his startup is trying to solve. “I think the investment represents the growing awareness fundamentally from both with the investor community, and also in the tech world, that data privacy as a regulatory constraint is real and will compound itself,” he said.

He also points out that GDPR is really just the tip of the privacy regulation iceberg, with laws in Australia, Brazil and Japan, as well as California and other states in the U.S. due to come online next year. He says his solution has been designed to deal with a variety of privacy frameworks beyond GDPR. If that’s so, his company could be in a good position moving forward.

CrunchMatch simplifies networking at TC Sessions: Enterprise 2019

Get ready to experience world-class networking TechCrunch-style at TC Sessions: Enterprise 2019. On September 5, more than 1,000 of the top enterprise software minds and makers, movers and shakers will descend on San Francisco’s Yerba Buena Center for the Arts. It’s a day-long conference featuring distinguished speakers, panel discussions, demos and workshops.

It’s also a prime opportunity to connect and build relationships with enterprise software founders, technologists and investors. Make the most of that opportunity by using CrunchMatch, our free business match-making service.

The automated platform lets you find people based on specific mutual business criteria, goals and interests. It helps you sift through the noise and make the most of your valuable time. After all, connecting with the right people produces better results.

Here’s how CrunchMatch (powered by Brella) works. When CrunchMatch goes live — several weeks before the main event — we’ll email a sign-up link to all ticket holders. You’ll be able to access the platform and create a profile with your specific details — your role (technologist, founder, investor, etc.) and a description of the types of people you want to connect with at the event.

CrunchMatch works its algorithmic magic and suggests meetings, which you can then vet, approve and schedule or decline. It’s an efficient and productive way to network. Take a look at how CrunchMatch helped Yoolox increase distribution.

All that time-saving efficiency will free you up to enjoy more of the presentations and hear from speakers like the renowned founder, investor, AI expert and Stanford professor, Andrew Ng. You won’t want to miss his take on how AI will transform the enterprise world — like nothing else since the cloud and SaaS. And that’s just a taste of what you can expect.

If you haven’t already done so, buy your tickets now and save $100 before the prices go up on August 9. Early-bird tickets cost $249 and student tickets sell for $75. Buy 4+ tickets to get the group rate and save another 20%.

ROI tip: For every ticket you buy to TC Sessions: Enterprise, we’ll register you for a free Expo-only pass to TechCrunch Disrupt SF 2019.

We can’t wait to see you at TC Sessions: Enterprise 2019 in San Francisco on September 5. Join your community, explore the top enterprise trends and companies and make productive connections with the influential people who can help you reach your goals. Buy your ticket today.

Interested in sponsoring TC Sessions: Enterprise? Fill out this form and a member of our sales team will contact you.

Nearly a third of US households don’t have a broadband connection

Over the past several years, many have suggested that broadband internet should be regarded as a public utility, like water or gas. Staying connected has become an essential part of nearly every facet of life, but according to a new report, high-speed connections may not be as prevalent here in the States as you may think.

In its new Rural America and Technology study, NPD notes that 31% of U.S. households don’t have broadband (25 Mbps download speed and up) internet connections. The number works out to roughly 100 million per the report. That figure, unsurprisingly, is highly concentrated in rural areas — less than one-fifth of that population has a broadband connection.

While broadband was considered something of a luxury in the not so distant past, it’s grown into an increasingly essential aspect of modern existence, from work to health to entertainment. The concentration of access to the technology in urban versus rural areas has been a major aspect in what analysts have referred to as the “digital divide.” Rural areas make up nearly 97% of the total U.S. land.

On the upside, the report suggests that 5G could have a profound impact on those numbers. “The roll out of 5G will have a significant impact in rural America, disrupting the limited broadband carrier market and delivering broadband to many households that have not previously had access,” NPD’s Eddie Hold said in a statement released with the report. “This will inevitably provide an opportunity for manufacturers and retailers to reach new consumers with advanced devices.”

Given the speed and spottiness with which the technology has been rolled out thus far, however, coupled with the high prices of first-generation handsets, it will likely take several years before that comes to pass.

The Unsexy Threat to Election Security

Much has been written about the need to further secure our elections, from ensuring the integrity of voting machines to combating fake news. But according to a report quietly issued by a California grand jury this week, more attention needs to be paid to securing social media and email accounts used by election officials at the state and local level.

California has a civil grand jury system designed to serve as an independent oversight of local government functions, and each county impanels jurors to perform this service annually. On Wednesday, a grand jury from San Mateo County in northern California released a report which envisions the havoc that might be wrought on the election process if malicious hackers were able to hijack social media and/or email accounts and disseminate false voting instructions or phony election results.

“Imagine that a hacker hijacks one of the County’s official social media accounts and uses it to report false results on election night and that local news outlets then redistribute those fraudulent election results to the public,” the report reads.

“Such a scenario could cause great confusion and erode public confidence in our elections, even if the vote itself is actually secure,” the report continues. “Alternatively, imagine that a hacker hijacks the County’s elections website before an election and circulates false voting instructions designed to frustrate the efforts of some voters to participate in the election. In that case, the interference could affect the election outcome, or at least call the results into question.”

In San Mateo County, the office of the Assessor-County Clerk-Recorder and Elections (ACRE) is responsible for carrying out elections and announcing local results. The ACRE sends election information to some 43,000 registered voters who’ve subscribed to receive sample ballots and voter information, and its Web site publishes voter eligibility information along with instructions on how and where to cast ballots.

The report notes that concerns about the security of these channels are hardly theoretical: In 2010, intruders hijacked ACRE’s election results Web page, and in 2016, cyber thieves successfully breached several county employee email accounts in a spear-phishing attack.

In the wake of the 2016 attack, San Mateo County instituted two-factor authentication for its email accounts — requiring each user to log in with a password and a one-time code sent via text message to their mobile device. However, the county uses its own Twitter, Facebook, Instagram and YouTube accounts to share election information, and these accounts are not currently secured by two-factor authentication, the report found.

“The Grand Jury finds that the security protections against hijacking of ACRE’s website, email, and social media accounts are not adequate to protect against the current cyber threats. These vulnerabilities expose the public to potential disinformation by hackers who could hijack an ACRE online communication platform to mislead voters before an election or sow confusion afterward. Public confidence is at stake, even if the vote itself is secure.”

The jury recommended the county take full advantage of the most secure two-factor authentication now offered by all of these social media platforms: The use of a FIDO physical security key, a small hardware device which allows the user to complete the login process simply by inserting the USB device and pressing a button. The key works without the need for any special software drivers [full disclosure: Yubico, a major manufacturer of security keys, is currently an advertiser on this site.]

Additionally, the report urges election officials to migrate away from one-time codes sent via text message, as these can be intercepted via man-in-the-middle (MitM) and SIM-swapping attacks. MitM attacks use counterfeit login pages to steal credentials and one-time codes.
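The difference the grand jury is pointing at can be shown in a few lines. The model below is an added example, not from the report or this article, and it is deliberately simplified: the security key’s signature is an HMAC over a per-credential secret shared with the relying party rather than the public-key signature a real FIDO authenticator produces, and “origin” is a string the browser fills in from the address of the page it is on. The relying party’s verifier is the part that matters: it rejects any assertion whose origin is not its own and any challenge that was not freshly issued, whereas an SMS code carries no notion of where it was typed.

```python
"""Why an origin-bound FIDO assertion survives a counterfeit login page and an
SMS one-time code does not.

Added example, not from the report or the article. Simplified model: the
authenticator's signature is an HMAC over a shared per-credential secret
(a real key uses an asymmetric signature), and the origin is the string a
browser would place in the client data from the page address.
"""
import hashlib
import hmac
import secrets

RP_ORIGIN = "https://login.example"             # constructed relying party
LOOKALIKE_ORIGIN = "https://login-example.net"  # constructed counterfeit page


class Authenticator:
    """Stand-in for a FIDO security key holding one credential."""

    def __init__(self, credential_secret: bytes):
        self._secret = credential_secret

    def sign(self, challenge: bytes, origin: str) -> dict:
        # The browser, not the user, supplies the origin; the key signs over it.
        mac = hmac.new(self._secret, challenge + origin.encode(), hashlib.sha256)
        return {"challenge": challenge, "origin": origin, "sig": mac.digest()}


class RelyingParty:
    """The login server: issues challenges and verifies assertions."""

    def __init__(self, origin: str, credential_secret: bytes):
        self.origin = origin
        self._secret = credential_secret
        self._outstanding = set()

    def new_challenge(self) -> bytes:
        c = secrets.token_bytes(32)
        self._outstanding.add(c)
        return c

    def verify(self, assertion: dict) -> bool:
        """Accept only a fresh challenge, signed for this origin, with a valid MAC."""
        if assertion["challenge"] not in self._outstanding:
            return False                              # replayed or never issued
        if assertion["origin"] != self.origin:
            return False                              # signed while on another site
        expected = hmac.new(self._secret,
                            assertion["challenge"] + assertion["origin"].encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return False
        self._outstanding.discard(assertion["challenge"])  # single use
        return True


def sms_otp_login(code_sent: str, code_entered: str) -> bool:
    """An SMS code has no binding to where it was entered: any relay of it works."""
    return hmac.compare_digest(code_sent, code_entered)


def run_scenarios() -> dict:
    secret = secrets.token_bytes(32)
    rp = RelyingParty(RP_ORIGIN, secret)
    key = Authenticator(secret)

    # 1. Genuine login: the browser is on the real site.
    c1 = rp.new_challenge()
    genuine = rp.verify(key.sign(c1, RP_ORIGIN))

    # 2. The same kind of challenge relayed through a counterfeit page: the
    #    browser records the origin it is actually on, so the RP rejects it.
    c2 = rp.new_challenge()
    relayed = rp.verify(key.sign(c2, LOOKALIKE_ORIGIN))

    # 3. Replay of a challenge that was already consumed.
    replay = rp.verify(key.sign(c1, RP_ORIGIN))

    # 4. An SMS code forwarded the same way: the RP cannot tell the difference.
    code = "493021"  # constructed
    sms_relayed = sms_otp_login(code, code)

    return {"genuine": genuine, "relayed": relayed, "replay": replay, "sms_relayed": sms_relayed}


if __name__ == "__main__":
    print(run_scenarios())
```

The origin check is exactly what makes the hardware key “phishing resistant”: the relying party never has to judge whether the person typing is on the right page, because the browser and key bake the answer into the signed data.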

An unauthorized SIM swap is an increasingly rampant form of fraud in which scammers bribe or trick employees at mobile phone stores into seizing control of the target’s phone number and diverting all texts and phone calls to the attacker’s mobile device.

Samy Tarazi is a sergeant with the sheriff’s office in nearby Santa Clara County and a supervisor with the REACT Task Force, a team of law enforcement officers that has been tracking down individuals perpetrating SIM swapping attacks. Tarazi said he fully expects SIM swapping to emerge as a real threat to state and local election workers, as well as to staff and volunteers working for candidates.

“I wouldn’t be surprised if some major candidate or their staff has an email or social media account with tons of important stuff on there [whose password] can be reset with just a text message,” Tarazi told KrebsOnSecurity. “I hope that doesn’t happen, but politicians are regular people who use the same tools we use.”

A copy of the San Mateo County grand jury report is available here (PDF).