A new, sophisticated ransomware threat called MegaCortex was identified by researchers at Sophos targeting enterprise networks across the world. Once inside a network, the ransomware spreads to all available machines through the Windows domain controllers. MegaCortex attacks have been observed in multiple countries: the US, Canada, Argentina, France, Italy, the Netherlands, Australia, Hong Kong, and Ireland.
The cybercriminals chose the name of this ransomware themselves, and it appears to be a homage, albeit misspelled, to MetaCortex, the corporation the protagonist of the Matrix trilogy works for in the first movie. The ransom note dropped by MegaCortex is also written in the same vein as the dialogue in the Matrix movies.
Other Malware Found Present on MegaCortex-Infected Systems
While investigating the MegaCortex attacks, Sophos observed an interesting fact: in addition to the ransomware, two other malware threats, Emotet and Qbot (also known as Qakbot), were present on the compromised networks. At the moment it is not known whether they were the vehicle through which MegaCortex infiltrated the networks or whether they were dropped as a secondary payload by the ransomware.
What was confirmed, however, is that in a number of cases a compromised domain controller was used to initiate the attacks. An obfuscated PowerShell script is used to create a Meterpreter reverse shell into the victim's network. From there, the attackers push their malware, consisting of 3 files (a copy of PsExec named "rstwg.exe", a batch file, and the main malware executable named "winnit.exe"), to all machines connected to the network. The batch file is then executed remotely through PsExec, kicking off a series of commands that attempt to terminate 44 processes and stop 189 Windows services. A further 194 services have their Start type changed to Disabled, preventing them from starting up again.
The last action of the batch file is to start "winnit.exe", the main executable of the ransomware. In turn, it drops and executes a randomly named .DLL file that is responsible for the actual encryption of the victim's data. During the encryption process, a .tsv file with the same random name as the .DLL file is dropped on the compromised machine. For every encrypted file, its name, followed by a base64-encoded string and two 40-character hexadecimal strings, is appended to the .tsv file.
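As an added example (not from the Sophos report or this article), the following script shows how a defender could sweep Windows System log events for the mass service-stop and start-type-to-Disabled burst that the batch file described above produces on each host. The simplified "timestamp host event_id message" line format, the thresholds, and the sample events are constructed assumptions; the 7036 and 7040 message texts follow the real Service Control Manager wording.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Windows System log, source Service Control Manager:
# 7036 = a service entered a new state, 7040 = a service's start type was changed.
STOP_RE = re.compile(r"^(\S+) (\S+) 7036 The (.+?) service entered the stopped state\.$")
DISABLE_RE = re.compile(r"^(\S+) (\S+) 7040 The start type of the (.+?) service was changed from .+ to disabled\.$")

def parse_events(lines):
    """Yield (timestamp, host, kind, service) for stop/disable events; other lines are skipped."""
    for line in lines:
        for kind, rx in (("stop", STOP_RE), ("disable", DISABLE_RE)):
            m = rx.match(line)
            if m:
                ts, host, svc = m.groups()
                yield datetime.fromisoformat(ts), host, kind, svc
                break

def find_service_storms(lines, window=timedelta(seconds=60), min_stops=20, min_disables=10):
    """Return {host: (stops, disables)} for every host where one sliding window of
    `window` length contains at least min_stops stop events and min_disables disable events.
    Thresholds are assumptions; a single patch cycle rarely stops dozens of services at once."""
    by_host = defaultdict(list)
    for ts, host, kind, _ in parse_events(lines):
        by_host[host].append((ts, kind))
    hits = {}
    for host, events in by_host.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:   # slide the window's left edge
                start += 1
            win = events[start:end + 1]
            stops = sum(1 for _, k in win if k == "stop")
            disables = sum(1 for _, k in win if k == "disable")
            if stops >= min_stops and disables >= min_disables:
                hits[host] = (stops, disables)
                break
    return hits

def constructed_sample():
    """Constructed log lines: WS01 shows a 30-second storm, FS02 shows routine single restarts."""
    t0 = datetime(2019, 5, 1, 10, 0, 0)
    lines = []
    for i in range(30):
        t = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} WS01 7036 The Svc{i} service entered the stopped state.")
        lines.append(f"{t} WS01 7040 The start type of the Svc{i} service was changed from auto start to disabled.")
    for i in range(3):
        t = (t0 + timedelta(minutes=20 * i)).isoformat()
        lines.append(f"{t} FS02 7036 The Print Spooler service entered the stopped state.")
    return lines

if __name__ == "__main__":
    print(find_service_storms(constructed_sample()))  # {'WS01': (20, 20)}
```

In a real deployment the same logic would be fed from the exported System log (for example via a SIEM query on event IDs 7036 and 7040) rather than from the constructed lines.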
MegaCortex Creators Offer Consultations
The MegaCortex ransom note is dropped in a text file named "!!!_READ_ME_!!!.txt". As mentioned, the note is written in a rather dramatic style. The instructions state that the only way to restore the encrypted files is to buy the cybercriminals' decryption software. To do so, victims of the ransomware should send 1 encrypted file and the .tsv file created by MegaCortex to one of the two provided email addresses. In addition, the note states that the price of the software includes a "guarantee" that any company that pays will never be "inconvenienced" again in the future. The criminals will also throw in a consultation on how to improve your cybersecurity. We don't believe it's necessary to mention that such offers shouldn't be taken even remotely seriously.
The full text of the ransom note is:
Your companies cyber defense systems have been weighed, measured and have been found wanting.
The breach is a result of grave neglect of security protocols.
All of your computers have been corrupted with MegaCortex malware that has encrypted your files.
We ensure that the only way to retrieve your data swiftly and securely is with our software.
Restoration of your data requires a private key which only we possess.
Don't waste your time and money purchasing third party software, without the private key they are useless.
It is critical that you don't restart or shutdown your computer.
This may lead to irreversible damage to your data and you may not be able to turn your computer back on.
To confirm that our software works email to us 2 files from random computers and C:\fracxidg.tsv file('s)
and you will get them decrypted.
C:\fracxidg.tsv contain encrypted session keys we need in order to be able to decrypt your files.
The softwares price will include a guarantee that your company will never be inconvenienced by us.
You will also receive a consultation on how to improve your companies cyber security .
If you want to purchase our software to restore your data contact us at:
We can only show you the door. You're the one who has to walk through it.