{
	"id": "aba6f892-a1c5-48b3-a732-73416723473e",
	"created_at": "2026-04-06T00:10:21.690395Z",
	"updated_at": "2026-04-10T03:20:23.596532Z",
	"deleted_at": null,
	"sha1_hash": "c435d67a1a28716028252e5154167b6b7b65d7cd",
	"title": "Elusive MegaCortex Ransomware Found - Here is What We Know",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1987191,
	"plain_text": "Elusive MegaCortex Ransomware Found - Here is What We Know\r\nBy Lawrence Abrams\r\nPublished: 2019-07-19 · Archived: 2026-04-05 20:28:45 UTC\r\nA sample of the ransomware called MegaCortex, which is known to go after enterprises in targeted attacks, has been found and analyzed. In this article, we will provide a brief look at the MegaCortex Ransomware and how it encrypts a computer.\r\nWhen modern ransomware was first released, attackers would distribute the malware in a wide net in order to catch as many victims as possible. Over the past year, ransomware has evolved into more targeted enterprise attacks that have been earning extremely large payouts. Due to these payouts, we continue to see new players in the targeted ransomware scene.\r\nWhile Ryuk, BitPaymer, and Sodinokibi (REvil) have become commonly known as \"enterprise ransomware\", the MegaCortex Ransomware is less known. This article will hopefully shed some light on how it operates.\r\nhttps://www.bleepingcomputer.com/news/security/elusive-megacortex-ransomware-found-here-is-what-we-know/\r\nPage 1 of 10\r\nInstalled via targeted attacks\r\nWe first heard about MegaCortex when Sophos reported that victims contacted them about being infected with a new ransomware called MegaCortex.\r\nWhen Sophos analyzed the victims' computers, they found that the attackers were gaining access to a network and then compromising the Windows domain controller. Once the domain controller was compromised, the attackers would install Cobalt Strike in order to open a reverse shell back to the attackers.\r\nNow that the attackers had full access to the network, they would use PsExec to distribute a batch file and the ransomware named winnit.exe to the rest of the computers on the network. 
It would then execute this batch file in order to encrypt the various compromised workstations.\r\nPortion of batch file\r\nWhen launching the winnit.exe executable, a particular base64 encoded string would need to be provided in order for the ransomware to extract and inject a DLL into memory. This DLL is the main ransomware component that encrypts a computer.\r\nIt is not known exactly how the attackers gained access to a network, but Sophos stated that the Emotet or Qakbot Trojans were present on networks also infected with MegaCortex.\r\nThe MegaCortex encryption process\r\nIn a sample of MegaCortex discovered by MalwareHunterTeam, analyzed by Vitali Kremez, and shared with BleepingComputer, we are able to gain new insight into how the ransomware operates.\r\nThe particular sample that was found is code signed with a certificate from a UK company named \"ABADAN PIZZA LTD\". This company was probably abandoned and then claimed by the attackers under their own aliases in order to purchase a certificate.\r\nCertificate used to sign ransomware\r\nIn this sample, it is no longer necessary to provide a special base64 encoded string for the DLL payload to be unpacked and injected into memory. Now you can simply run the executable and the ransomware will begin encrypting the computer.\r\nKremez thinks this change was made in order to increase the scale of their operations and to simplify its execution.\r\n\"I think they are trying to scale their ops and reach more victims. Simplifying their approach without multiple layered script execution,\" Kremez told BleepingComputer.\r\nWhen executed, MegaCortex will display a running output of the files processed and its current stage of operation. 
As you can see by the output of the ransomware below, MegaCortex was designed to be monitored by a live attacker and then cleaned up after execution is finished.\r\nMegaCortex Encrypting Files\r\nKremez told BleepingComputer that when the executable is launched it will terminate or disable 1,396 different Windows services and processes. These processes include security software, database servers, mail servers, and backup software. A full list of disabled services and terminated processes can be found in Kremez's GitHub repository.\r\nThis termination process was previously done in a batch file, but is now integrated into the ransomware itself.\r\nThe ransomware will then begin to encrypt files on the victim's hard drives. When encrypting files, it will skip any file with the following extensions or file names, and any file under the listed folders:\r\n.dll\r\n.exe\r\n.sys\r\n.mui\r\n.tmp\r\n.lnk\r\n.config\r\n.manifest\r\n.tlb\r\n.olb\r\n.blf\r\n.ico\r\n.regtrans-ms\r\n.devicemetadata-ms\r\n.settingcontent-ms\r\n.bat\r\n.cmd\r\n.ps1\r\ndesktop.ini\r\niconcache.db\r\nntuser.dat\r\nntuser.ini\r\nntuser.dat.log1\r\nntuser.dat.log2\r\nusrclass.dat\r\nusrclass.dat.log1\r\nusrclass.dat.log2\r\nbootmgr\r\nbootnxt\r\ntemp\\\\\r\n.+\\\\Microsoft\\\\(User Account Pictures|Windows\\\\(Explorer|Caches)|Device Stage\\\\Device|Windows)\\\\\r\nAs the ransomware encrypts a file, it will append the .megac0rtx extension to the encrypted file's name. 
For example, test.jpg will be encrypted and renamed to test.jpg.megac0rtx.\r\nFolder of MegaCortex Encrypted Files\r\nEach file that is encrypted will also include the MEGA-G8= file marker as shown below.\r\nFile Marker in Encrypted Files\r\nAs it encrypts, the ransomware will also create a log file at C:\\x5gj5_gmG8.log that will contain a list of files that could not be encrypted by the ransomware.\r\nWhen done encrypting files, the ransomware will create a ransom note named !!!_READ-ME_!!!.txt and save it on the victim's desktop. This ransom note contains emails that the victim can use to contact the attackers to find out payment instructions. The note states that ransom amounts range anywhere from 2-3 bitcoins to 600 BTC.\r\nMegaCortex Ransom Note\r\nDuring its execution, the ransomware will also delete Shadow Volume Copies using the vssadmin delete shadows /all /for=C:\\ command.\r\nIn addition, Kremez told BleepingComputer that there are references to the Windows Cipher /W: command, which is used to overwrite deleted data so that it cannot be recovered using file recovery software.\r\nNow that a sample has been found, the ransomware's encryption algorithm will be analyzed by researchers for weaknesses. If anything new develops, we will update this article.\r\nRansom note may deter payments\r\nWe have seen a lot of ransom notes here at BleepingComputer and I can say that the language used in MegaCortex's is one of the most aggressive ones I have seen to date.\r\nMost ransomware will try to walk a victim through the payment process and display almost sympathetic undertones to their requests. 
Instead, the MegaCortex ransom note goes in the complete opposite direction.\r\nThey point blank say they do not negotiate, do not care about your hardships, and have no sympathy that they encrypted your files.\r\nAnd please do not start your first letter to us with the words:\r\n\"It's a mistake !! Our company is just trimming and grooming little dogs. We don't have money at all.\"\r\n\"There is a big mistake on our site !\r\nWe are not leaders in our industry and all our competitors don't suck our huge **ck.\r\nWe're just ? small company, and we are dying because of hard competition.\"\r\n\"We are not the Super Mega International Corporation ltd., we are just a nursery etc.\"\r\nWe see it 5 times a day. This sh*t doesn't work at all !!!\r\nDon't waste our and your time.\r\nRemember ! We don't work for food.\r\nYou have to pay for decryption in Bitcoins (BTC).\r\nIf you think you pay $500 and you'll get the decryptor, you are 50 million light years away from reality :)\r\nThe ransom begins from 2-3 BTC up to 600 BTC.\r\nIf you don't have money don't even write to us.\r\nWe don't do charity !\r\nWhether or not this tone will do the ransomware developers any favors is hard to determine. What I do know is that ransomware victims feel violated, hurt, 
and angry, and this ransom note won't make them feel any better.\r\nIOCs:\r\nHashes:\r\n77ee63e36a52b5810d3a31e619ec2b8f5794450b563e95e4b446d5d3db4453b2\r\nAssociated Files:\r\nwinnit.exe\r\nx5gj5_gmG8.log\r\npayload.dll\r\n!!!_READ-ME_!!!.txt\r\nRansom Note Text:\r\nIf you are reading this text, it means, we've hacked your corporate network.\r\nNow all your data is encrypted with very serious and powerful algorithms (AES256 and RSA-4,096).\r\nThese algorithms now in use in military intelligence, NSA and CIA .\r\nNo one can help you to restore your data without our special decipherer.\r\nDon't even waste your time.\r\nBut there are good news for you.\r\nWe don't want to do any damage to your business.\r\nWe are working for profit.\r\nThe core of this criminal business is to give back your valuable data in original form (for ransom of course).\r\nIn order to prove that we can restore all your data, we'll decrypt 3 of your files for free.\r\nPlease, attach 2-3 encrypted files to your first letter.\r\nEach file must be less than 5 Mb, non-archived and your files should not contain valuable information\r\n(databases, backups, large word files or excel sheets, etc.).\r\nYou will receive decrypted samples and our conditions how to get the decipherer.\r\nFor the fastest solution of the problem, please, write immediately in your first letter:\r\nthe name of your company,\r\nthe domain name of your corporate network and\r\nthe URL of your corporate website\r\nIt is important !\r\nAnd please do not start your first letter to us with the words:\r\n\"It's a mistake !! Our company is just trimming and grooming little dogs. We don't have money at all.\"\r\n\"There is a big mistake on our site !\r\nWe are not leaders in our industry and all our competitors don't suck our huge **ck.\r\nWe're just ? small company, and we are dying because of hard competition.\"\r\n\"We are not the Super Mega International Corporation ltd., we are just a nursery etc.\"\r\nWe see it 5 times a day. 
This sh*t doesn't work at all !!!\r\nDon't waste our and your time.\r\nRemember ! We don't work for food.\r\nYou have to pay for decryption in Bitcoins (BTC).\r\nIf you think you pay $500 and you'll get the decryptor, you are 50 million light years away from reality :)\r\nThe ransom begins from 2-3 BTC up to 600 BTC.\r\nIf you don't have money don't even write to us.\r\nWe don't do charity !\r\nOne more time :\r\n1.(In first letter) write the name of your company, the domain name of your corporate network and the URL of your corporat\r\n2. Attach 2-3 encrypted files (we'll show you some magic)\r\n3. Use Google in order to find out how to buy bitcoins fast\r\nAs soon as we get bitcoins you'll get all your decrypted data back.\r\nContact emails:\r\nMckinnisKamariyah91@mail.com\r\nor\r\nThomassenVallen1999@mail.com\r\nMan is the master of everything and decides everything.\r\nAssociated Email addresses:\r\nMckinnisKamariyah91@mail.com\r\nThomassenVallen1999@mail.com\r\nSource: https://www.bleepingcomputer.com/news/security/elusive-megacortex-ransomware-found-here-is-what-we-know/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/elusive-megacortex-ransomware-found-here-is-what-we-know/"
	],
	"report_names": [
		"elusive-megacortex-ransomware-found-here-is-what-we-know"
	],
	"threat_actors": [],
	"ts_created_at": 1775434221,
	"ts_updated_at": 1775791223,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c435d67a1a28716028252e5154167b6b7b65d7cd.pdf",
		"text": "https://archive.orkl.eu/c435d67a1a28716028252e5154167b6b7b65d7cd.txt",
		"img": "https://archive.orkl.eu/c435d67a1a28716028252e5154167b6b7b65d7cd.jpg"
	}
}