Megazord Ransomware Attacking Healthcare And Government Entities

Hackers primarily use ransomware to gain financial gain from their victims by blackmailing them for payments to recover their encrypted files and systems.

However, ransomware can also be weaponized as a destructive cyber weapon that creates confusion in critical infrastructures.

Megazord ransomware has been actively attacking healthcare and government entities.

Megazord Ransomware Attack

In addition, ransomware can also be deployed by some threat actors who steal data that is then sold on deep web markets or used for carrying out further extortions.

Certain hackers may be driven by political reasons to deploy ransomware against enemy countries or ideological enemies.

Megazord is a Rust-coded ransomware targeting healthcare, education, and government. Initial access originates from spear-phishing and exploiting vulnerabilities.

Free Webinar | Mastering WAAP/WAF ROI Analysis | Book Your Spot

It uses RDP and IP scanners to detect lateral movement within victims. Post-compromise terminates processes and services before encrypting local data storage and files.

It primarily focuses attacks on critical sectors like healthcare.

Files encrypted with the “POWERRANGES” extension include a ransom note named “powerranges.txt” in each affected folder. The note directs victims to contact the threat actor via the TOX messenger using a unique Telegram channel link. 

Various industries are indiscriminately targeted by Megazord operators, who seek initial entry through techniques such as spear phishing and exploiting vulnerabilities.

They utilize LOLBINS and existing infrastructure to extend their stay on a network using Remote Desktop Protocol (RDP), Advanced IP Scanner, and NET.EXE for moving laterally.

Megazord terminates numerous processes and services at execution to facilitate encryption done by separate CMD.EXE instances and looks for local virtual machines in an attempt to terminate them.

Apart from this, the Megazord shares several code similarities with Akira, which is why it is thought to be linked to Akira ransomware.

Moreover, the Symantec detection covers signatures like:-


  • Ransom.Akira!g2
  • Trojan.Gen.MBT
  • W97M.Downloader
  • WS.Malware.1

Machine Learning-Based

  • Heur.AdvML.A!300
  • Heur.AdvML.B
  • Heur.AdvML.B!100
  • Heur.AdvML.B!200

Looking to Safeguard Your Company from Advanced Cyber Threats? Deploy TrustNet to Your Radar ASAP.

Raga Varshini

Recent Posts

Bondnet Using High-Performance Bots For C2 Server

Threat actors abuse high-performance bots to carry out large-scale automated attacks efficiently. These bots can…

40 mins ago

Discord-Based Malware Attacking Orgs Linux Systems In India

Linux systems are deployed mostly in servers, in the cloud, and in environments that are…

45 mins ago

New Moonstone Sleet North Korean Actor Deploying Malicious Open Source Packages

In December 2023, we reported on how North Korean threat actors, particularly Jade Sleet, have…

3 hours ago

Life360 Breach: Hackers Accessed the Tile Customer Support Platform

Life360, a company known for its family safety services, recently fell victim to a criminal…

5 hours ago

Microsoft Delays Release of Controversial Windows AI Recall Tool Amid Privacy Concerns

Microsoft has announced that it will delay the broad release of its AI-powered Recall feature…

9 hours ago

SmokeLoader – A Modular Malware With Range Of Capabilities

Hackers misuse malware for diverse illicit intentions, including data theft, disrupting systems, espionage, or distortion…

23 hours ago