Megazord Ransomware Attacking Healthcare And Government Entities

Hackers primarily use ransomware to gain financial gain from their victims by blackmailing them for payments to recover their encrypted files and systems.

However, ransomware can also be weaponized as a destructive cyber weapon that creates confusion in critical infrastructures.

Megazord ransomware has been actively attacking healthcare and government entities.

Megazord Ransomware Attack

In addition, ransomware can also be deployed by some threat actors who steal data that is then sold on deep web markets or used for carrying out further extortions.

Certain hackers may be driven by political reasons to deploy ransomware against enemy countries or ideological enemies.

Megazord is a Rust-coded ransomware targeting healthcare, education, and government. Initial access originates from spear-phishing and exploiting vulnerabilities.

Free Webinar | Mastering WAAP/WAF ROI Analysis | Book Your Spot

It uses RDP and IP scanners to detect lateral movement within victims. Post-compromise terminates processes and services before encrypting local data storage and files.

It primarily focuses attacks on critical sectors like healthcare.

Files encrypted with the “POWERRANGES” extension include a ransom note named “powerranges.txt” in each affected folder. The note directs victims to contact the threat actor via the TOX messenger using a unique Telegram channel link. 

Various industries are indiscriminately targeted by Megazord operators, who seek initial entry through techniques such as spear phishing and exploiting vulnerabilities.

They utilize LOLBINS and existing infrastructure to extend their stay on a network using Remote Desktop Protocol (RDP), Advanced IP Scanner, and NET.EXE for moving laterally.

Megazord terminates numerous processes and services at execution to facilitate encryption done by separate CMD.EXE instances and looks for local virtual machines in an attempt to terminate them.

Apart from this, the Megazord shares several code similarities with Akira, which is why it is thought to be linked to Akira ransomware.

Moreover, the Symantec detection covers signatures like:-

File-Based

  • Ransom.Akira!g2
  • Trojan.Gen.MBT
  • W97M.Downloader
  • WS.Malware.1

Machine Learning-Based

  • Heur.AdvML.A!300
  • Heur.AdvML.B
  • Heur.AdvML.B!100
  • Heur.AdvML.B!200

Looking to Safeguard Your Company from Advanced Cyber Threats? Deploy TrustNet to Your Radar ASAP.