MegaCortex Ransomware Targeting Business Networks

Posted by & filed under Security Alerts.

A new ransomware has been discovered called MegaCortex that is targeting corporate networks and the workstations on them. Once a network is penetrated, the attackers infect the entire network by distributing the ransomware using Windows domain controllers.

In a new report, Sophos has stated that they have seen customers in the United States, Italy, Canada, France, the Netherlands, and Ireland being infected with this new ransomware.

As this is a fairly new ransomware, not much is currently known about its encryption algorithms, exactly how attackers are gaining access to a network, and whether ransom payments are being honored.

The MegaCortex Ransomware

As Sophos has found that the Emotet or Qakbot Trojans have been present on networks that have also been infected with MegaCortex, it may suggest that the attackers are paying Trojan operators for access to infected systems, in a similar manner to Ryuk.

“Right now, we can’t say for certain whether the MegaCortex attacks are being aided and abetted by the Emotet malware, but so far in our investigation (which is still ongoing as this post goes live), there seems to be a correlation between the MegaCortex attacks and the presence on the same network of both Emotet and Qbot (aka Qakbot) malware.”

While it is not 100% clear how bad actors are gaining access to a network, victims have reported to Sophos that the attacks originate from a compromised domain controller.

On the domain controller, Cobalt Strike is dropped and executed to create a reverse shell back to an attacker’s host.

Using this shell, the attackers remotely gain access to the domain controller and configure it to distribute a copy of PsExec, the main malware executable, and a batch file to all of the computers on the network. It then executes the batch file remotely via PsExec.
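The push from the domain controller described above leaves a recognisable trace on every workstation it reaches: PsExec installs a temporary service (by default named PSEXESVC, with its binary dropped as PSEXESVC.exe) on the target, which the Service Control Manager records in the System event log as Event ID 7045. The following added example, which is not code from Sophos or Bleeping Computer, runs that check over constructed log records and raises an alert when the same service install appears on several hosts within a short window, the pattern a domain-wide deployment produces. The key=value record format, the host names, the timestamps and the ten-minute/three-host thresholds are all assumptions for the illustration.

```python
"""Flag PsExec service installations across many hosts in a short window.

Added illustration, not code from the report this page summarises. The
log records below are constructed; the key=value layout is an assumed
export format for Windows System-log Event ID 7045 records.
"""
import re
from datetime import datetime, timedelta

# Constructed sample records: one event per line, key=value pairs, no spaces
# inside values (the simple splitter below relies on that).
SAMPLE_LOG = """\
2019-05-03T08:14:02Z host=WS-ACCT-01 EventID=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe
2019-05-03T08:14:05Z host=WS-ACCT-02 EventID=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe
2019-05-03T08:14:07Z host=WS-HR-11 EventID=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe
2019-05-03T08:30:00Z host=WS-DEV-04 EventID=7045 ServiceName=Spooler ImagePath=%SystemRoot%\\System32\\spoolsv.exe
2019-05-03T09:00:00Z host=WS-ACCT-01 EventID=7036 ServiceName=PSEXESVC ImagePath=
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")


def parse_record(line):
    """Turn one constructed log line into a dict; None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")}
    for pair in m.group("kv").split(" "):
        if "=" in pair:
            key, value = pair.split("=", 1)
            rec[key] = value
    return rec


def is_psexec_install(rec):
    """True for a service-install event (7045) that looks like PsExec."""
    if rec.get("EventID") != "7045":
        return False
    name = rec.get("ServiceName", "").upper()
    image = rec.get("ImagePath", "").upper()
    # PSEXESVC is PsExec's default service name. A copy run with a custom
    # service name would evade the name check, so the image path is checked
    # too; a fully renamed copy still needs other telemetry to catch.
    return name == "PSEXESVC" or image.endswith("PSEXESVC.EXE")


def summarize_psexec_installs(log_text, min_hosts=3, window=timedelta(minutes=10)):
    """Collect PsExec installs and alert when they hit >= min_hosts within window.

    A single install is routine admin activity; the same service landing on
    many workstations within minutes is what a scripted rollout looks like.
    """
    hits = [r for r in map(parse_record, log_text.splitlines())
            if r and is_psexec_install(r)]
    if not hits:
        return {"hosts": [], "alert": False}
    hits.sort(key=lambda r: r["ts"])
    hosts = sorted({r["host"] for r in hits})
    span = hits[-1]["ts"] - hits[0]["ts"]
    return {
        "hosts": hosts,
        "first_seen": hits[0]["ts"],
        "span": span,
        "alert": len(hosts) >= min_hosts and span <= window,
    }


if __name__ == "__main__":
    print(summarize_psexec_installs(SAMPLE_LOG))
```

On the constructed feed the Spooler install and the 7036 status-change record are ignored, and the three PSEXESVC installs five seconds apart trigger the alert. In a real deployment the thresholds should be tuned against the environment's normal PsExec usage, and the events should be collected centrally, since the page notes the batch file stops logging-related services on each host once it runs.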

The batch files seen by Sophos will terminate 44 different processes, stop 199 Windows services, and disable 194 services.

Batch File Killing Processes

After stopping all services that prevent the malware from running or files from being encrypted, the batch file will execute the main malware file called winnit.exe.

Executing Ransomware Component


Sophos researcher Andrew Brandt said that the winnit.exe executable is launched with a base64-encoded string as an argument. Supplying the correct argument causes the malware to extract a randomly named DLL and execute it using rundll32.exe.

This DLL is the actual ransomware component that encrypts a computer.

When encrypting a computer, the ransomware appends an extension, which in one case was .aes128ctr, to the names of encrypted files. This means that a file named marketing.doc would be encrypted and renamed to marketing.doc.aes128ctr. It is not known whether this extension is static.

It will also create a file using the same name as the random DLL and append the .tsv extension, such as arbcxdfx.tsv. At the top of this file will be a base64 encoded string, which may be the encrypted decryption key.

For each file that is encrypted, it adds the file name to the .tsv file along with a base64-encoded string and two 40-character hexadecimal strings, separated by spaces, in the format below.

[file name] [base64 encoded string] [40 hex character string] [40 hex character string]

It is not known what this data represents, but the attacker states they are encrypted “session keys” required to decrypt a victim’s computer.

Finally, the ransomware creates a ransom note named !!!_READ_ME_!!!.txt that contains information explaining what happened and email addresses that can be used to contact the attackers. The email addresses are currently and
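During incident response the .tsv file described above is the closest thing to an inventory of what was encrypted, and the extension and ransom-note name are the quickest things to sweep for. The following added example, which is not code from Sophos or Bleeping Computer, parses the per-file record format given above, validates each field (a base64 string and two 40-character hex strings), and reconciles the inventory against files on disk that carry the extension, reporting the gap in both directions. It splits each record from the right so that file names containing spaces still parse. The meaning of the fields beyond what the report states, the assumption that the file-name field holds a full path, and the whole sample directory tree and .tsv contents are constructed for the illustration.

```python
"""Parse a MegaCortex-style '.tsv' inventory and reconcile it with disk.

Added illustration, not code from the report this page summarises. The
record layout follows the page: first line a base64 blob, then one line
per file of "<name> <base64> <40 hex> <40 hex>". Whether the name field is
a full path is an assumption; the sample data is constructed.
"""
import base64
import binascii
import os
import re
import tempfile

HEX40 = re.compile(r"^[0-9a-fA-F]{40}$")
RANSOM_NOTE = "!!!_READ_ME_!!!.txt"
ENCRYPTED_EXT = ".aes128ctr"   # seen in one case; may not be static


def is_base64(s):
    """Strict check: decodes cleanly and re-encodes to the same text."""
    try:
        return base64.b64encode(base64.b64decode(s, validate=True)).decode() == s
    except (binascii.Error, ValueError):
        return False


def parse_tsv(text):
    """Return (header_blob, records, malformed_lines).

    Fields are split from the right so a file name with spaces survives.
    """
    lines = [l for l in text.splitlines() if l.strip()]
    if not lines:
        return None, [], []
    header = lines[0].strip()
    records, malformed = [], []
    for line in lines[1:]:
        parts = line.strip().rsplit(" ", 3)
        if len(parts) != 4:
            malformed.append(line)
            continue
        path, blob, h1, h2 = parts
        if not (is_base64(blob) and HEX40.match(h1) and HEX40.match(h2)):
            malformed.append(line)
            continue
        records.append({"path": path, "blob": blob, "h1": h1, "h2": h2})
    return header, records, malformed


def find_encrypted_files(root):
    """Walk root; return (files with the extension, ransom notes), sorted."""
    hits, notes = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                notes.append(full)
            elif name.endswith(ENCRYPTED_EXT):
                hits.append(full)
    return sorted(hits), sorted(notes)


def reconcile(tsv_text, root):
    """Compare the inventory with what actually carries the extension on disk."""
    header, records, malformed = parse_tsv(tsv_text)
    listed = {os.path.normpath(r["path"]) for r in records}
    encrypted, notes = find_encrypted_files(root)
    on_disk = {os.path.normpath(p[:-len(ENCRYPTED_EXT)]) for p in encrypted}
    return {
        "listed": len(listed),
        "on_disk": len(on_disk),
        "ransom_notes": len(notes),
        "listed_not_on_disk": sorted(listed - on_disk),
        "on_disk_not_listed": sorted(on_disk - listed),
        "malformed": len(malformed),
        "header_is_base64": header is not None and is_base64(header),
    }


def build_sample():
    """Construct a throwaway tree plus a matching .tsv (demo data only)."""
    root = tempfile.mkdtemp(prefix="megacortex_demo_")
    docs = os.path.join(root, "Marketing Docs")
    os.makedirs(docs)
    names = ["marketing.doc", "q1 budget.xlsx", "notes.txt"]
    for n in names:
        with open(os.path.join(docs, n + ENCRYPTED_EXT), "wb") as fh:
            fh.write(b"\x00" * 16)          # placeholder ciphertext
    with open(os.path.join(root, RANSOM_NOTE), "w") as fh:
        fh.write("constructed placeholder note\n")
    b64 = lambda b: base64.b64encode(b).decode()
    hx = lambda b: binascii.hexlify(b).decode()
    rows = [" ".join([os.path.join(docs, n), b64(b"key-" + n.encode()),
                      hx(os.urandom(20)), hx(os.urandom(20))]) for n in names[:2]]
    rows.append(os.path.join(docs, "corrupt.pdf") + " notbase64!! zz zz")  # bad row
    return b64(b"constructed-header") + "\n" + "\n".join(rows) + "\n", root


if __name__ == "__main__":
    tsv, root = build_sample()
    print(reconcile(tsv, root))
```

The constructed sample lists two of the three encrypted files and includes one malformed row, so the report shows one file encrypted but absent from the inventory and one row rejected. Files that were encrypted but never logged (for example because the process was interrupted) are exactly the ones a recovery effort would otherwise miss.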

MegaCortex Ransom Note

Secondary payloads present

In addition to the MegaCortex Ransomware payload, Sophos has found what they call “Secondary main components” on the computer. Hashes of some of these payloads are listed at the end of Sophos’ report.

Security researcher Vitali Kremez examined some of these secondary payloads and explained that these files are Rietspoof.

Rietspoof is a multi-stage delivery system that is used to drop multiple malware payloads on a computer. Because of this, it is not known whether Rietspoof is the malware dropping MegaCortex or whether it is being installed as a secondary payload alongside it.

Promises a cyber security consultation

As part of the deal for making a ransom payment, the MegaCortex developers state that they will never bother the victim again. Even better, they offer the victim a free cyber security consultation.

“The softwares price will include a guarantee that your company will never be inconvenienced by us. You will also receive a consultation on how to improve your companies cyber security.”

While I am not sure any victim would want a consultation from their attackers, it is possible they would be willing to explain how they gained access to the computer.

Protecting yourself from the MegaCortex Ransomware

As ransomware is only damaging if you have no way of recovering your data, the most important thing is to always have a reliable backup of your files. These backups should be stored offline and not be accessible to ransomware, which has been known to target backups in the past.

While this ransomware is not being spread via spam, it is possible that it is being installed by Trojans that are. Therefore, it is important that all users be trained on how to properly identify malicious spam and not to open any attachments without first confirming who sent them and why.

Finally, it is also important to make sure that your network does not make Remote Desktop Services publicly accessible via the Internet. Instead, you should put it behind a firewall and make it accessible only through a VPN.


The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.