MegaCortex
MegaCortex is a ransomware family. The sources summarized here describe it killing endpoint security processes: it enables SeDebugPrivilege, adjusts token privileges, and, after privilege escalation, terminates processes through Win32 APIs including TerminateProcess() and CreateRemoteThread. It loads injecthelper.dll into a newly created rundll32.exe process and uses rundll32.exe to load a DLL that performs file encryption. For encryption the malware has used the open-source Mbed Crypto library and generated AES keys.

To inhibit recovery and destroy residual data, it deletes Volume Shadow Copies with vssadmin.exe and can wipe deleted data from all drives with cipher.exe. It has also added Registry entries containing ransom contact information. The sources further link MegaCortex to process kill lists observed alongside multiple ransomware families in research on financially motivated actors and OT-related tradecraft.

Separately, U.S. Department of Justice charging documents cited here identify Ukrainian national Volodymyr Viktorovich Tymoshchuk as an administrator of the LockerGoga, MegaCortex, and Nefilim ransomware operations, and state that from 2019 to 2021 he and accomplices breached more than 250 companies worldwide, stealing millions and disrupting critical services. MegaCortex was also advertised as a ransomware-as-a-service strain, and some security vendors have suggested an association between LockBit and the now-defunct Gogalocker and MegaCortex, though no stronger attribution detail is available here.
Techniques & procedures
20 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
2 techniques
APT1 has used the Windows command shell to execute commands, and batch scripting to automate execution. Blue Mockingbird has used batch script files to automate execution and deployment of payloads. During HomeLand Justice, threat actors used Windows batch files for persistence and execution.
Persistence
1 technique
Privilege Escalation
3 techniques
"APT37 leverages the Windows API calls: VirtualAlloc(), WriteProcessMemory(), and CreateRemoteThread() for process injection"; "IcedID has called ZwWriteVirtualMemory... ZwQueueApcThread... to inject itself into a remote process"; "Havoc can use NtAllocateVirtualMemory and NtCreateThreadEx to aid process injection"
Stealth
6 techniques
"APT37 leverages the Windows API calls: VirtualAlloc(), WriteProcessMemory(), and CreateRemoteThread() for process injection"; "IcedID has called ZwWriteVirtualMemory... ZwQueueApcThread... to inject itself into a remote process"; "Havoc can use NtAllocateVirtualMemory and NtCreateThreadEx to aid process injection"
Defense Impairment
1 technique
Discovery
3 techniques
FireEye Mandiant originally explored the link between financially motivated actors and OT in July 2020, when researchers found process kill lists deployed alongside seven different ransomware families... The second kill list was deployed alongside Clop ransomware.
Sources repeatedly describe malware and threat actors listing files and directories, enumerating drives, searching for files by extension, name, or path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
Impact
6 techniques
Numerous ransomware/wiper examples enumerate files before encryption, such as "BlackCat can enumerate files for encryption", "NotPetya searches for files ending with dozens of different file extensions prior to encryption", and "WastedLocker can enumerate files and directories just prior to encryption."
Akira will delete system volume shadow copies via PowerShell commands. Avaddon deletes backups and shadow copies using native system tools. Babuk has the ability to delete shadow volumes using vssadmin.exe delete shadows /all /quiet. BlackCat can delete shadow copies using vssadmin.exe delete shadows /all /quiet and wmic.exe Shadowcopy Delete; it can also modify the boot loader using bcdedit /set {default} recoveryenabled No.
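The recovery-inhibition behaviours listed above (vssadmin and wmic shadow-copy deletion, bcdedit disabling recovery, cipher.exe wiping free space) and the rundll32.exe/injecthelper.dll loader described in the profile all leave a process-creation trail. The following detection logic is an added example, not code from this page or from Mallory: it assumes Sysmon Event ID 1 or Windows 4688-style events reduced to a dict with `host`, `image` and `cmdline` fields, and the sample events (including the injecthelper.dll path) are constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    image: str    # regex matched against the executable's base name (case-insensitive)
    cmdline: str  # regex matched against the full command line (case-insensitive)


# Rules keyed to the behaviours described in this profile and the Impact entries:
# shadow-copy deletion, boot-recovery tampering, free-space wiping and the
# rundll32 loader for injecthelper.dll.
RULES = [
    Rule("shadow_copy_delete_vssadmin", r"^vssadmin(\.exe)?$", r"delete\s+shadows"),
    Rule("shadow_copy_delete_wmic", r"^wmic(\.exe)?$", r"shadowcopy\s+delete"),
    Rule("boot_recovery_disabled", r"^bcdedit(\.exe)?$", r"recoveryenabled\s+no"),
    Rule("free_space_wipe_cipher", r"^cipher(\.exe)?$", r"(^|\s)/w:"),
    Rule("rundll32_injecthelper", r"^rundll32(\.exe)?$", r"injecthelper\.dll"),
]

# Constructed sample events (hypothetical hosts and paths, not real telemetry).
# ws03 carries benign look-alikes that must NOT fire: listing shadows and
# EFS-encrypting a folder with cipher /e.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic.exe Shadowcopy Delete"},
    {"host": "ws01", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "ws02", "image": r"C:\Windows\System32\cipher.exe",
     "cmdline": "cipher.exe /w:C:\\"},
    {"host": "ws02", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\injecthelper.dll"},  # constructed path
    {"host": "ws03", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"host": "ws03", "image": r"C:\Windows\System32\cipher.exe",
     "cmdline": "cipher.exe /e C:\\Users\\alice\\docs"},
]


def _basename(path: str) -> str:
    """Last component of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1]


def match_event(event: dict) -> list[str]:
    """Return the names of every rule the event satisfies (empty list if clean)."""
    image = _basename(event.get("image", ""))
    cmdline = event.get("cmdline", "")
    return [
        rule.name
        for rule in RULES
        if re.search(rule.image, image, re.I) and re.search(rule.cmdline, cmdline, re.I)
    ]


def scan(events) -> dict[str, list[str]]:
    """Map each host to the sorted, distinct rule names that fired on it."""
    per_host: dict[str, set[str]] = {}
    for ev in events:
        for name in match_event(ev):
            per_host.setdefault(ev["host"], set()).add(name)
    return {host: sorted(names) for host, names in per_host.items()}


def hosts_to_escalate(per_host: dict[str, list[str]], min_rules: int = 2) -> list[str]:
    """Hosts on which at least `min_rules` distinct rules fired; several
    recovery-inhibition steps on one host in a short window is the pattern
    that precedes encryption, so those are escalated first."""
    return sorted(h for h, names in per_host.items() if len(names) >= min_rules)


if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for host, names in results.items():
        print(f"{host}: {', '.join(names)}")
    print("escalate:", hosts_to_escalate(results))
```

Tuning note: `hosts_to_escalate` treats a single vssadmin or cipher hit as worth logging but not paging; backup agents and administrators run some of these binaries legitimately, so correlate the distinct-rule count with a time window and the parent process (a shadow-copy deletion spawned by an unfamiliar parent is far more telling than the count alone) before raising severity.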
Other
2 techniques
Sources repeatedly describe threat actors and malware disabling, stopping, uninstalling, or modifying antivirus, EDR, Windows Defender, AMSI, logging, and other security controls.
Examples include "Aquatic Panda has attempted to stop endpoint detection and response (EDR) tools", "BlackByte disabled security tools such as Windows Defender", "Scattered Spider has uninstalled and disabled security tools", and many malware families terminating AV/EDR processes or services.
Recent activity
35 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
MegaCortex is a ransomware family that has been used in targeted attacks against enterprises, encrypting files and demanding ransom for decryption.
Ransomware that targets enterprises, encrypts data, and demands ransom, often used in conjunction with other ransomware families in coordinated attacks.
Ransomware strain used in attacks against hundreds of organizations across the U.S. and Europe, causing significant financial damage.
MegaCortex is a ransomware family known for targeting enterprise networks, encrypting files, and demanding ransom payments, often as part of coordinated attacks on large organizations.