New MegaCortex Ransomware Targets Corporate Networks


Security researchers have discovered a new ransomware called MegaCortex targeting corporate networks.

Once a network is infected, the ransomware spreads through the entire network using Windows domain controllers.

Security researchers at Sophos Labs discovered the new ransomware when they detected a spike in the number of attacks against their customers around the world.

MegaCortex ransomware leverages both automated and manual components and is capable of infecting a higher number of victims.

Researchers also found the presence of Emotet or Qakbot Trojans on the networks that have been infected by MegaCortex ransomware.

“Both of these malware families have the ability to serve as a delivery vehicle for other malware payloads, with Emotet closely associated with the Trickbot credential stealing malware, which also can download and install additional malware payloads to infected computers. We’ve seen no direct evidence that either Emotet or Qbot are the source.”

According to victims' reports, the attacks were initiated from a compromised domain controller.

The attackers used stolen admin credentials to gain access and executed a heavily obfuscated PowerShell script containing a series of commands that “decodes a blob of base64-encoded data”.

The blob appears to be a Cobalt Strike script that creates a reverse shell back to the victim's network.

Attackers used this shell to gain remote access to the domain controller and to distribute a copy of PsExec renamed rstwg.exe, the main malware executable, and a batch file to all the remaining computers on the network.

In the next step, the batch file is executed remotely via PsExec.

The batch file kills 44 processes, stops 189 different services and disables 194 different services.

In the final step, the batch file executes the main malware file, called winnit.exe.

“The batch file executes winnit with a command flag that is a chunk of base64-encoded data.”

This command drops and executes a DLL payload which is used to encrypt the files on the computer.

After encrypting the files, the ransomware appends an extension to them; in this case, it is .aes128ctr.

The ransomware also creates a file using the same name as the random DLL, appends a .tsv file extension and drops it to the hard drive.

The ransomware also drops a ransom note named !!!_READ_ME_!!!.txt, which contains details on what happened to the victim's files and on the ransom payment.


Victims are asked to contact the email addresses given in the ransom note to get more details about the ransom payment and decrypt their files.
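One way to triage endpoint telemetry for the artifacts described above, added here as an example (it is not code from Sophos or from this article): it flags the renamed PsExec, the winnit.exe base64 flag, the .aes128ctr extension, the ransom note and the DLL/.tsv name pair. The event schema (host, type, path, args, original_name), the 40-character base64 threshold and the sample paths are assumptions.

```python
import base64, re
from pathlib import PureWindowsPath

# Artifact names below come from the article; event field names are assumptions.
RANSOM_NOTE, ENC_EXT = "!!!_read_me_!!!.txt", ".aes128ctr"
B64_ARG = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # length threshold is an assumption

def is_b64_blob(arg):
    """True if a command-line argument is a long, validly encoded base64 string."""
    try:
        return bool(B64_ARG.fullmatch(arg)) and base64.b64decode(arg, validate=True) is not None
    except ValueError:
        return False

def triage(events):
    """Return sorted (host, finding) pairs for the artifacts the article describes."""
    findings, dlls, tsvs = set(), {}, {}
    for e in events:
        host, p = e["host"], PureWindowsPath(e["path"])
        name, ext = p.name.lower(), p.suffix.lower()
        if e["type"] == "process":
            # Renamed PsExec: version-info name is PsExec's (psexec.c), file name is not.
            if e.get("original_name", "").lower() == "psexec.c" and not name.startswith("psexec"):
                findings.add((host, "renamed-psexec"))
            if name == "winnit.exe" and any(is_b64_blob(a) for a in e.get("args", [])):
                findings.add((host, "winnit-base64-flag"))
        elif name == RANSOM_NOTE:
            findings.add((host, "ransom-note"))
        elif ext == ENC_EXT:
            findings.add((host, "encrypted-extension"))
        elif ext in (".dll", ".tsv"):
            (dlls if ext == ".dll" else tsvs).setdefault(host, set()).add(p.stem.lower())
    # A .tsv file sharing its base name with a DLL dropped on the same host.
    for host, stems in tsvs.items():
        if stems & dlls.get(host, set()):
            findings.add((host, "dll-tsv-pair"))
    return sorted(findings)

# Constructed sample events, not real telemetry.
FLAG = base64.b64encode(b"constructed sample flag value, not a real key").decode()
SAMPLE = [
    {"host": "WS01", "type": "process", "path": r"C:\Windows\Temp\rstwg.exe", "original_name": "psexec.c"},
    {"host": "WS02", "type": "process", "path": r"C:\Windows\Temp\winnit.exe", "args": [FLAG]},
    {"host": "WS03", "type": "process", "path": r"C:\Tools\PsExec.exe", "original_name": "psexec.c"},
] + [{"host": h, "type": "file", "path": f} for h, f in [
    ("WS02", r"C:\Windows\Temp\abcdefgh.dll"), ("WS02", r"C:\Windows\Temp\abcdefgh.tsv"),
    ("WS02", r"C:\Users\a\report.docx.aes128ctr"), ("WS02", r"C:\!!!_READ_ME_!!!.txt"), ("WS03", r"D:\data.tsv")]]
if __name__ == "__main__":
    print(triage(SAMPLE))
```

Matching on the version-info name rather than the file name means the PsExec check still fires if the copy is renamed to something other than rstwg.exe.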

For more details about the ransomware, see the report published by Sophos Labs.


Always follow these basic instructions to protect yourself from any ransomware infection:

  • Perform regular backups. Ideally, this data should be kept on a separate device, and backups should be stored offline.
  • Maintain updated antivirus software for all systems.
  • Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs, close out the e-mail and go to the organization’s website directly through the browser.
  • Keep the operating system and third-party applications (MS Office, Flash Player, browsers, browser plugins) up-to-date with the latest patches.
  • Use strong passwords and never reuse the same password for multiple accounts.
