{
	"id": "2593b152-6894-4113-93e3-5d70cd8cee4b",
	"created_at": "2026-04-06T00:17:35.862724Z",
	"updated_at": "2026-04-10T13:12:24.379154Z",
	"deleted_at": null,
	"sha1_hash": "0b0c1c433f214a8ed31af7bfd4887934e665b41b",
	"title": "MegaCortex Ransomware Spotted Attacking Enterprise Networks - Security News",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 492172,
	"plain_text": "MegaCortex Ransomware Spotted Attacking Enterprise Networks\r\n- Security News\r\nArchived: 2026-04-05 15:41:45 UTC\r\nA new ransomware called MegaCortex (Trend Micro detects this as RANSOM.WIN32.CORTEX.SM) has reportedly been deployed against large corporate networks and workstations in the United States, Canada and parts of Europe. Cybersecurity firm Sophos first reported a sharp spike in MegaCortex activity last Friday, noting that 47 attacks were stopped within 48 hours, two-thirds of all known incidents involving this ransomware. This recent surge isn’t the earliest encounter with the ransomware: the first known sample was uploaded in January to the public sharing site VirusTotal.\r\nHow MegaCortex works\r\nAt least one victim reported that the attack originated from compromised domain controllers inside the enterprise network, but it isn’t clear how the ransomware distributors gained access to the networks.\r\nAfter gaining access to the domain controller, the attackers configured it to distribute a batch file, a renamed PsExec, and winnit.exe, one of the main executables of the malware, to the rest of the computers on the network. They then ran the batch file remotely. This file terminates Windows processes and stops and disables services that would interfere with the ransomware’s routines.\r\nFigure 1. Infection chain of MegaCortex\r\nThe batch file then executes winnit.exe, the core malware file, during a specific time frame and with a specific Base64 argument. If executed properly, the malware searches for files to encrypt and drops a ransom note. It also extracts a randomly named DLL and executes it with rundll32.exe. This DLL is the component that encrypts the computer’s files. It first checks whether a file is accessible. If not, it simply logs the file. If it is accessible, the file is encrypted; the child DLL process is terminated after a set number of file encryption attempts, and the cycle starts again.\r\nWhen encrypting the victim’s files, the ransomware appends the extension .aes128ctr. According to Sophos, the ransomware also generates a file with a .tsv extension and drops it on the hard drive. The MegaCortex actors’ ransom note instructs users to submit this file to them because it contains the encrypted session keys needed for decryption. The ransom note itself is a .txt file that doesn’t ask for the usual cryptocurrency payment; instead it demands that victims buy the actor’s software.\r\nIn addition to the main payload, the malware also drops secondary components that security researchers have identified as the Rietspoof malware, a delivery system used to drop multiple payloads onto a device.\r\nDefending against ransomware\r\nUsers and businesses are recommended to adopt best practices to defend against ransomware: regularly back up files, keep the system and applications updated, enforce the principle of least privilege, and implement defense in depth, arraying security at each layer of a company’s online perimeter: gateways, networks, endpoints, and servers.\r\nTrend Micro Ransomware Solutions\r\nEnterprises can benefit from a multilayered approach to best mitigate the risks brought by ransomware. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like high-fidelity machine learning, behavior monitoring and application control, and vulnerability shielding that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro™ Deep Security™ stops ransomware from reaching enterprise servers, whether physical, virtual, or in the cloud. Trend Micro™ Deep Security™, Vulnerability Protection, and TippingPoint provide virtual patching that protects endpoints from threats that exploit unpatched vulnerabilities to deliver ransomware.\r\nEmail and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent ransomware from ever reaching end users. Trend Micro’s Cloud App Security (CAS) can help enhance the security of Office 365 apps and other cloud services by using cutting-edge sandbox malware analysis for ransomware and other advanced threats.\r\nThese solutions are powered by Trend Micro XGen™ security, which provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.\r\nUpdated as of May 15, 2019 9:30AM: Added image and information about MegaCortex infection chain\r\nSource: https://www.trendmicro.com/vinfo/pl/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/pl/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks"
	],
	"report_names": [
		"megacortex-ransomware-spotted-attacking-enterprise-networks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434655,
	"ts_updated_at": 1775826744,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0b0c1c433f214a8ed31af7bfd4887934e665b41b.pdf",
		"text": "https://archive.orkl.eu/0b0c1c433f214a8ed31af7bfd4887934e665b41b.txt",
		"img": "https://archive.orkl.eu/0b0c1c433f214a8ed31af7bfd4887934e665b41b.jpg"
	}
}
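The infection chain in the record's "How MegaCortex works" section (a renamed PsExec pushed from a compromised domain controller, a batch file run remotely on each host, winnit.exe launched from that batch with a Base64 argument, a randomly named DLL executed through rundll32.exe, and files renamed with the .aes128ctr extension) maps directly onto endpoint telemetry a defender can alert on. The Python below is an added example written for this page; it is not code from Trend Micro, Sophos, or the malware operators. It evaluates one rule per step over constructed Sysmon-style process-creation and file-creation events. The event schema, the list of user-writable path fragments, the burst threshold of 20 files in 60 seconds, the DLL path under C:\Users\Public, the renamed PsExec filename ps.exe, and every sample event are assumptions, not observed indicators.

```python
"""MegaCortex deployment-chain detection over Sysmon-style events (added example, not vendor code).
Event schema, thresholds, paths and all sample events below are constructed assumptions."""
import base64
import binascii
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

@dataclass
class Event:
    ts: datetime
    host: str
    event_id: int                 # Sysmon: 1 = process create, 11 = file create
    image: str = ""
    original_file_name: str = ""  # OriginalFileName from the PE version resource, as Sysmon logs it
    command_line: str = ""
    parent_image: str = ""
    target_filename: str = ""

ENCRYPTED_EXT = ".aes128ctr"
BURST_THRESHOLD = 20                  # assumption: tune to the environment
BURST_WINDOW = timedelta(seconds=60)
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")  # assumed path fragments
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
DLL_PATH = re.compile(r"([a-z]:\\[^\s,]+\.dll)", re.IGNORECASE)

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def looks_base64(token: str) -> bool:
    """True for a well-formed Base64 token of at least 16 characters that actually decodes."""
    try:
        return bool(B64_TOKEN.match(token)) and bool(base64.b64decode(token, validate=True))
    except (binascii.Error, ValueError):
        return False

def alert(rule: str, e: Event, detail: str) -> Dict[str, str]:
    return {"rule": rule, "host": e.host, "ts": e.ts.isoformat(), "detail": detail}

def process_rules(e: Event) -> List[Dict[str, str]]:
    if e.event_id != 1:
        return []
    hits, img, parent = [], basename(e.image), basename(e.parent_image)
    args = e.command_line.split()[1:]
    # 1. PsExec whose on-disk name no longer matches the name compiled into its version resource.
    if e.original_file_name.lower() in ("psexec.exe", "psexec.c") and img not in ("psexec.exe", "psexec64.exe"):
        hits.append(alert("renamed_psexec", e, f"{e.image} (OriginalFileName={e.original_file_name})"))
    # 2. The PsExec service on the target launching a batch file.
    if parent == "psexesvc.exe" and img == "cmd.exe" and any(a.lower().endswith(".bat") for a in args):
        hits.append(alert("remote_batch_via_psexesvc", e, e.command_line))
    # 3. A child of the batch (parent cmd.exe) started with a Base64-looking argument, as winnit.exe is.
    if parent == "cmd.exe" and any(looks_base64(a) for a in args):
        hits.append(alert("base64_argument_from_batch", e, e.command_line))
    # 4. rundll32 loading a DLL from a location an ordinary user can write to.
    if img == "rundll32.exe" and (m := DLL_PATH.search(e.command_line)) and any(p in m.group(1).lower() for p in USER_WRITABLE):
        hits.append(alert("rundll32_user_writable_dll", e, m.group(1)))
    return hits

def encryption_bursts(events: List[Event]) -> List[Dict[str, str]]:
    # 5. One alert per host that writes >= BURST_THRESHOLD .aes128ctr files inside BURST_WINDOW.
    per_host: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda x: x.ts):
        if e.event_id == 11 and e.target_filename.lower().endswith(ENCRYPTED_EXT):
            per_host[e.host].append(e)
    hits = []
    for evs in per_host.values():
        lo = 0
        for hi, e in enumerate(evs):          # sliding window over time-ordered events
            while e.ts - evs[lo].ts > BURST_WINDOW:
                lo += 1
            if hi - lo + 1 >= BURST_THRESHOLD:
                hits.append(alert("aes128ctr_encryption_burst", evs[lo], f"{hi - lo + 1} files in {BURST_WINDOW.seconds}s"))
                break
    return hits

def detect(events: List[Event]) -> List[Dict[str, str]]:
    return [h for e in events for h in process_rules(e)] + encryption_bursts(events)

T0 = datetime(2019, 5, 3, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed telemetry for one DC and two workstations, not real incident data
    Event(T0, "DC01", 1, r"C:\Windows\Temp\ps.exe", "psexec.c",
          r"ps.exe \\WS-17 -s -c C:\Windows\Temp\stop.bat", r"C:\Windows\System32\cmd.exe"),
    Event(T0 + timedelta(seconds=5), "WS-17", 1, r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
          r"cmd.exe /c C:\Windows\Temp\stop.bat", r"C:\Windows\PSEXESVC.exe"),
    Event(T0 + timedelta(seconds=9), "WS-17", 1, r"C:\Windows\Temp\winnit.exe", "",
          "winnit.exe QUJDREVGR0hJSktMTU5PUA==", r"C:\Windows\System32\cmd.exe"),
    Event(T0 + timedelta(seconds=12), "WS-17", 1, r"C:\Windows\System32\rundll32.exe", "RUNDLL32.EXE",
          r"rundll32.exe C:\Users\Public\kqzxvb.dll,#1", r"C:\Windows\Temp\winnit.exe"),
    Event(T0, "WS-02", 1, r"C:\Windows\System32\rundll32.exe", "RUNDLL32.EXE",  # benign: system DLL, no alert
          r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL", r"C:\Windows\explorer.exe"),
] + [Event(T0 + timedelta(seconds=15 + 2 * i), "WS-17", 11,
           target_filename=rf"C:\Users\alice\Documents\report{i}.docx{ENCRYPTED_EXT}") for i in range(24)]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['host']}] {a['rule']:<28} {a['ts']}  {a['detail']}")
```

Rule 3 (any cmd.exe child carrying a Base64-looking argument) is deliberately broad and would be noisy on a real fleet; treat it as a correlation signal to combine with the PSEXESVC parent and the rundll32 alert on the same host in the same window rather than as a stand-alone detection. The burst rule keys on the .aes128ctr extension the article names, so it only catches this family; a generic version would count rapid renames to any extension not previously seen on the host.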