MegaCortex Ransomware

Sophos released intelligence on a new ransomware campaign dubbed “MegaCortex”. The campaign started worldwide on May 1st, 2019, including in Italy, the United States, Canada, the Netherlands, Ireland, and France. Initial infection is speculated to start from the Emotet exploit kit. MegaCortex uses both manual and automated processes, starting with Meterpreter reverse shell scripts. From there, PowerShell scripts, batch files and remotely executed commands are used to execute the final-stage malware on specific machines.

Once activated, the malware encrypts files on the machine with an undetermined encryption algorithm. In one case, the extension “.aes128ctr” was appended to the existing files; however, it is unknown at this time whether that is static across all campaigns. The attackers then demand an unspecified ransom with a note left in the root directory.

The ransom notification appears on the root of the victim’s hard drive as a plain text file.
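Because the “.aes128ctr” extension may not be static, a file-rename detection should not rely on it alone. The following added example (not from Sophos or the original post) flags any rename that appends the known extension, and also any burst of renames on one host that append the same new extension. The event tuple format, the threshold of 5 renames in 60 seconds, and the sample events (including the “.xyz1” extension) are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample rename events: (host, ISO time, old path, new path).
SAMPLE_EVENTS = (
    [("WS01", "2019-05-03T10:00:00", r"C:\Users\a\q1.xlsx", r"C:\Users\a\q1.xlsx.aes128ctr")]
    + [("WS02", f"2019-05-03T10:05:{i:02d}", rf"D:\share\doc{i}.pdf", rf"D:\share\doc{i}.pdf.xyz1")
       for i in range(6)]
    + [("WS03", "2019-05-03T11:00:00", r"C:\tmp\notes.txt", r"C:\tmp\notes.txt.bak")]
)

def appended_suffix(old, new):
    """Return the extension a rename appended to the full old name, else None."""
    if len(new) > len(old) and new.lower().startswith(old.lower()):
        suffix = new[len(old):].lower()
        # Only a trailing ".ext" counts; a changed directory or base name does not.
        if suffix.startswith(".") and "\\" not in suffix and "/" not in suffix:
            return suffix
    return None

def detect_renames(events, known=(".aes128ctr",), threshold=5,
                   window=timedelta(seconds=60)):
    """Map (host, suffix) -> reason for every host that should be triaged."""
    recent = defaultdict(deque)   # (host, suffix) -> rename times inside the window
    alerts = {}
    parsed = [(datetime.fromisoformat(ts), host, old, new)
              for host, ts, old, new in events]
    for t, host, old, new in sorted(parsed):
        suffix = appended_suffix(old, new)
        if suffix is None:
            continue
        times = recent[(host, suffix)]
        times.append(t)
        while t - times[0] > window:      # drop renames older than the window
            times.popleft()
        if suffix in known:
            # Extension reported for this campaign: a single hit is enough.
            alerts.setdefault((host, suffix), "known-extension")
        elif len(times) >= threshold:
            # Unknown extension, but many files gained it in a short time.
            alerts.setdefault((host, suffix), "rename-burst")
    return alerts

if __name__ == "__main__":
    for (host, suffix), reason in detect_renames(SAMPLE_EVENTS).items():
        print(f"{host}: {reason} ({suffix})")
```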

Further details at –

IP address/domains

Meterpreter’s reverse shell C2 address

File hashes

Batch script:




Secondary DLL memory injector:


Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
