FBI Warning and Recommendations Concerning the LockerGaga and MegaCortex Ransomware Attacks

The FBI announced a TLP:Amber alert because of the outbreak of cyberattacks using the ransomware MegaCortex and LockerGaga variants. The threat actors use these ransomware variants to target big enterprises and businesses and normally deploy the ransomware a few months after the compromise of a network.

The first detected attack using LockerGaga was in January 2019. The MegaCortex ransomware, on the other hand, first showed up in May 2019. The two ransomware variants present the same IoCs and have the same C2 infrastructure. Both are employed in attacks targeting large business networks.

Known ransomware attacks using LockerGaga include the attacks on the American chemical firms Hexion and Momentive, Norsk Hydro (an aluminum and energy firm), and the Altran Technologies engineering consulting company. Ransomware attacks using MegaCortex include those on the Wolters Kluwer accounting software company and the iNSYNQ cloud hosting company. The threat actors are cautious, systematic, and try to bring about maximum damage so that victims will be more likely to pay the ransom demand, that often amounts to hundreds of thousands of dollars.

According to the FBI warning, the preliminary compromise is accomplished by means of different methods such as phishing attacks, exploiting unpatched vulnerabilities, SQL injection, brute force techniques on RDP, and using stolen credentials. After the compromise, the attackers run batch files to halt processes and services employed by security solutions to hide their presence. The attackers work sideways to compromise the most number of devices using a penetration testing device known as Cobalt Strike, living-of-the-land Windows binaries, and legit software applications like Mimikatz. The attacker adds a beacon to every compromised device on the system, which is employed to carry out PowerShell scripts, elevate privileges, and spawn a new session to operate as a listener on the victim’s network.

Contrary to a lot of other threat actors who use ransomware shortly after the compromise of a system, the threat actors responsible for these attacks frequently wait a couple of months before triggering the ransomware encryption routine. It is not known what exactly the threat actors do at that time, however it is probable the time is utilized for stealing sensitive information. The ransomware is used in the last stage of the attack as soon as the attackers got all the valuable information of the victims.

The FBI offered standard advice to boost defenses for stopping ransomware and other cyberattacks. The following cybersecurity best practices must be implemented:

  • back up data on a regular basis
  • store copies of backup data on non-networked devices
  • test backups to confirm file recovery
  • set strong passwords
  • patch promptly
  • enable multi-factor authentication, particularly on admin accounts
  • make sure RDP servers could be accessed through a VPN only
  • deactivate SMBv1
  • scan for open ports and block them to make them inaccessible

The FBI additionally recommends the audit of new accounts created and monitoring the Active Directory for modifications to approved users; permitting PowerShell logging and monitoring odd commands, which include executing Base64 encoded PowerShell; and making sure that only the most recent version of PowerShell is set up.