MegaCortex Ransomware Spotted Attacking Enterprise Networks
Archived: 2026-04-05 15:41:45 UTC

A new ransomware called MegaCortex (Trend Micro detects this as RANSOM.WIN32.CORTEX.SM) has reportedly been deployed against large corporate networks and workstations in the United States, Canada and parts of Europe. Cybersecurity firm Sophos first reported a sharp spike in MegaCortex activity last Friday, noting that 47 attacks were stopped within 48 hours, which is two-thirds of all known incidents involving this ransomware. This recent surge isn't the earliest encounter with the ransomware: the first known sample was uploaded in January to the public file-sharing site VirusTotal.

How MegaCortex works

At least one victim reported that the attack originated from compromised domain controllers inside the enterprise network, but it isn't clear how the ransomware distributors gained access to the networks. After gaining access to the domain controller, the attackers configured it to distribute a batch file, a renamed PsExec, and winnit.exe, one of the main executables of the malware, to the rest of the computers on the network. They then run the batch file remotely. This file terminates Windows processes and stops and disables services that would interfere with the ransomware's routines.

Figure 1. Infection chain of MegaCortex

The batch file then executes winnit.exe, the core malware file, during a specific time frame and with a specific Base64 argument. If executed properly, the malware searches for files to encrypt and drops a ransom note.
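As an added illustration (not part of the original article), the Python script below applies the observable parts of the chain described on this page to constructed Sysmon-style event lines: winnit.exe launched with a Base64-looking argument, rundll32.exe loading a DLL from outside the Windows directory, and files acquiring the .aes128ctr extension. The log format, sample events and heuristic names are assumptions made for the example.

```python
import re

# Constructed Sysmon-style process-creation and file-creation events (not from the article).
SAMPLE_EVENTS = [
    'type=process host=WS01 parent=cmd.exe image=C:\\Windows\\System32\\rundll32.exe cmdline="rundll32.exe C:\\Users\\Public\\k9x2qv7m.dll,#1"',
    'type=process host=WS01 parent=cmd.exe image=C:\\Windows\\winnit.exe cmdline="winnit.exe aGVsbG8gd29ybGQhIQ=="',
    'type=process host=WS01 parent=explorer.exe image=C:\\Windows\\System32\\rundll32.exe cmdline="rundll32.exe shell32.dll,Control_RunDLL"',
    'type=file host=WS01 image=C:\\Windows\\System32\\rundll32.exe target=C:\\Users\\alice\\Documents\\budget.xlsx.aes128ctr',
    'type=file host=WS02 image=C:\\Program Files\\App\\app.exe target=C:\\Users\\bob\\report.docx',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')       # key=value or key="value with spaces"
B64_RE = re.compile(r'^[A-Za-z0-9+/]{16,}={0,2}$')  # crude "looks like Base64" check

def parse(line):
    """Turn one key=value event line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def check_event(ev):
    """Return the names of the heuristics this event trips (possibly empty)."""
    hits = []
    image = ev.get("image", "").lower()
    args = ev.get("cmdline", "").split()[1:]
    if ev.get("type") == "process":
        # Core payload run with a Base64 argument, as the article describes for winnit.exe.
        if image.endswith("\\winnit.exe") and any(B64_RE.match(a) for a in args):
            hits.append("winnit_base64_arg")
        # rundll32 loading a DLL by path from outside the Windows directory (the dropped encryptor DLL).
        if image.endswith("\\rundll32.exe") and args:
            dll = args[0].split(",")[0].lower()
            if dll.endswith(".dll") and "\\" in dll and not dll.startswith("c:\\windows\\"):
                hits.append("rundll32_nonsystem_dll")
    elif ev.get("type") == "file":
        # Encrypted files receive the .aes128ctr extension.
        if ev.get("target", "").lower().endswith(".aes128ctr"):
            hits.append("aes128ctr_extension")
    return hits

def scan(lines):
    """Map host -> sorted list of heuristic names tripped by any of its events."""
    findings = {}
    for line in lines:
        ev = parse(line)
        for h in check_event(ev):
            findings.setdefault(ev.get("host", "?"), set()).add(h)
    return {host: sorted(names) for host, names in findings.items()}

if __name__ == "__main__":
    for host, names in scan(SAMPLE_EVENTS).items():
        print(host, names)
```

A host tripping more than one of these heuristics in a short window is a stronger signal than any single one, since legitimate rundll32 use and Base64 arguments occur on their own.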
It also extracts a randomly named DLL and executes it with rundll32.exe. This DLL is the component that encrypts the computer's files. It first checks whether a file is accessible; if not, it simply logs the file. If the file is accessible, it is encrypted, the child DLL process is terminated after a set number of encryption attempts, and the cycle starts again. When encrypting the victim's files, the ransomware appends the extension .aes128ctr. According to Sophos, the ransomware also generates a file with a .tsv extension and drops it on the hard drive. The MegaCortex actors' ransom note instructs users to submit this file to them because it contains the encrypted session keys needed for decryption. The ransom note itself is a .txt file that does not ask for the usual cryptocurrency payment; instead it demands that victims buy the actor's software. In addition to the main payload, the malware also drops secondary components that security researchers have identified as the Rietspoof malware, a delivery system used to drop multiple payloads onto a device.

Defending against ransomware

Users and businesses are recommended to adopt best practices to defend against ransomware: regularly back up files, keep the system and applications updated, enforce the principle of least privilege, and implement defense in depth, arraying security at each layer of a company's online perimeter: gateways, networks, endpoints, and servers.

Trend Micro Ransomware Solutions

Enterprises can benefit from a multilayered approach to best mitigate the risks brought by ransomware.
At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities, such as high-fidelity machine learning, behavior monitoring and application control, and vulnerability shielding, that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro™ Deep Security™ stops ransomware from reaching enterprise servers, whether physical, virtual, or in the cloud. Trend Micro™ Deep Security™, Vulnerability Protection, and TippingPoint provide virtual patching that protects endpoints from threats that exploit unpatched vulnerabilities to deliver ransomware. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent ransomware from ever reaching end users. Trend Micro's Cloud App Security (CAS) can help enhance the security of Office 365 apps and other cloud services by using cutting-edge sandbox malware analysis for ransomware and other advanced threats.

These solutions are powered by Trend Micro XGen™ security, which provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. Smart, optimized, and connected, XGen™ powers Trend Micro's suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.

Updated as of May 15, 2019 9:30AM: Added image and information about MegaCortex infection chain
Source: https://www.trendmicro.com/vinfo/pl/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks