{ "id": "806ac506-87bc-41fd-a106-35f27947a3cf", "created_at": "2026-04-06T01:31:36.967675Z", "updated_at": "2026-04-10T13:13:10.187968Z", "deleted_at": null, "sha1_hash": "4d648be2d8968c2db12c44ae5e0aa10d21822621", "title": "Ransom.Megacortex | Malwarebytes Labs", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 152796, "plain_text": "Ransom.Megacortex | Malwarebytes Labs\r\nArchived: 2026-04-06 00:56:56 UTC\r\nShort bio\r\nRansom.Megacortex is Malwarebytes’ detection name for a small family of ransomware that is used in targeted\r\nattacks on enterprises.\r\nSymptoms\r\nRansom.Megacortex tries to stop several processes that belong to security software.\r\nRansom.MegaCortex adds the extension .aes128ctr to the encrypted files.\r\nWhen the encryption routine has completed it will show a ransom note which mentions a tsv file in the root\r\ndirectory and two email addresses.\r\nType and source of infection\r\nRansom.Megacortex is ransomware. Ransomware is a type of malware that prevents users from accessing their\r\nsystem or personal files and demands ransom payment in order to regain access. Ransom.Megacortex is\r\nintroduced on enterprise networks by use of stolen or leaked administrative credentials. There are also some\r\nreports of the threat actors using Trojan downloaders that are spread through instant messaging networks. These\r\nare spread and then used to download and install the ransomware.\r\nhttps://blog.malwarebytes.com/detections/ransom-megacortex/\r\nPage 1 of 4\n\nProtection\r\nMalwarebytes blocks Ransom.Megacortex\r\nBusiness remediation\r\nMalwarebytes can detect and remove Ransom.Megacortex on business machines without further user interaction.\r\nTo remove Ransom.Megacortex using Malwarebytes business products, follow the instructions below.\r\nHow to remove Ransom.Megacortex with Malwarebytes Endpoint Protection\r\n1. Go to the Malwarebytes Cloud console.\r\n2. To allow you to invoke a scan while the machine is off the network, go to Settings \u003e Policies \u003e your\r\npolicy \u003e General.\r\n3. Under Endpoint Interface Options, turn ON:\r\n1. Show Malwarebytes icon in notification area\r\n2. Allow users to run a Threat Scan (all threats will be quarantined automatically)\r\n4. Once the endpoint has been updated with the latest policy changes: take the client off the network\r\nhttps://blog.malwarebytes.com/detections/ransom-megacortex/\r\nPage 2 of 4\n\nIf you have infected machines that are not registered endpoints in Malwarebytes Endpoint Protection, you can\r\nremove Ransom.Megacortex with our Breach Remediation tool (MBBR).\r\n1. Log into your My Account page and copy your license key. The key is needed to activate MBBR tool.\r\n2. Open your Cloud console.\r\n3. From a clean and safe machine, go to Endpoints \u003e Add \u003e Malwarebytes Breach Remediation. This will\r\ndownload the MBBR zip package.\r\n4. Unzip the package.\r\n5. Access a Windows command line prompt and issue the following commands: mbbr register –key: mbbr\r\nupdate Note: You must substitute your license key for .\r\n6. Copy the MBBR folder to a flash drive.\r\n7. From an infected, offline machine, copy the MBBR folder from the flash drive.\r\n8. Start a scan using the following command: mbbr scan –full –ark –remove –noreboot\r\n9. Refer to the Malwarebytes Breach Remediation Windows Administrator Guide for all supported scanning\r\ncommands.\r\nConsumer remediation\r\nMalwarebytes can detect and remove Ransom.Megacortex without further user interaction.\r\n1. Please download Malwarebytes to your desktop.\r\n2. Double-click MBSetup.exe and follow the prompts to install the program.\r\n3. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to\r\nMalwarebytes screen.\r\n4. Click on the Get started button.\r\n5. Click Scan to start a Threat Scan.\r\n6. Click Quarantine to remove the found threats.\r\n7. Reboot the system if prompted to complete the removal process.\r\nTake note, however, that removing this ransomware does not decrypt your files. You can only get your files back\r\nfrom backups you made before the infection happened.\r\nIOCs\r\nIP address:\r\n89.105.198.28\r\nFilename:\r\nwinnit.exe\r\nFile hashes: 5e973e6096174590ed667c4f5e4dc3e4 c8d78aeaa3d0daefa3b916457b529bfe\r\nea153f0de16bbdd1abd0a669cb126007 e0c75ef549db413ae5acde363977584a Ransom note:\r\n!!!_READ_ME_!!!.txt Key file: c:********.tsv  (********= 8 random characters)\r\nhttps://blog.malwarebytes.com/detections/ransom-megacortex/\r\nPage 3 of 4\n\nSource: https://blog.malwarebytes.com/detections/ransom-megacortex/\r\nhttps://blog.malwarebytes.com/detections/ransom-megacortex/\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://blog.malwarebytes.com/detections/ransom-megacortex/" ], "report_names": [ "ransom-megacortex" ], "threat_actors": [ { "id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d", "created_at": "2022-10-25T16:07:24.139848Z", "updated_at": "2026-04-10T02:00:04.878798Z", "deleted_at": null, "main_name": "Safe", "aliases": [], "source_name": "ETDA:Safe", "tools": [ "DebugView", "LZ77", "OpenDoc", "SafeDisk", "TypeConfig", "UPXShell", "UsbDoc", "UsbExe" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775439096, "ts_updated_at": 1775826790, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/4d648be2d8968c2db12c44ae5e0aa10d21822621.pdf", "text": "https://archive.orkl.eu/4d648be2d8968c2db12c44ae5e0aa10d21822621.txt", "img": "https://archive.orkl.eu/4d648be2d8968c2db12c44ae5e0aa10d21822621.jpg" } }