MegaCortex or .aes128ctr is a ransomware that runs on Microsoft Windows. Its targeting corporate networks and the workstations on them.

In a new report, Sophos has stated that they have seen attacks in the United States, Italy, Canada, France, the Netherlands, and Ireland by this ransomware.



They include the creation of email SPAM campaigns which are used to pose as legitimate and well-known companies and services that coerce the victims into thinking that they need to interact with a given script or file.


MegaCortex encrypts the user's files with AES encryption. It changes the file extension to .aes128ctr. Using this shell, the attackers remotely gain access to the domain controller and configure it to distribute a copy of PsExec, the main malware executable, and a batch file to all of the computers on the network. It then executes the batch file remotely via PsExec.

The batch files seen by Sophos will terminate 44 different processes, stop 199 Windows services, and disable 194 services. After stopping all services that prevent the malware from running or files from being encrypted, the batch file will execute the main malware file called winnit.exe.

It drops a ransom note called !!!_READ_ME_!!!.txt and it saids:

Your companies cyber defense systems has been weighed, measured and have been found wanting
This breach is a result of grave neglect of security protocols.
All of your computer have been corrupted with MegaCortex malware that has encrypted your files.

We ensure that the only way to retrieve your data swiftly and securely is with our software.
Restoration of your data requires a private key which only we possess.

Don't waste your time and money purchasing third party software, without the private key they are useless.

It is critical that you don't restart or restart your computer.
This may lead to irreversible damage to your data and you may not be able to turn your computer back on.

To confirm that our software works email to us 2 files from random computers and C:\fracxidg.tsv file('s)
and you will get them decrypted.
C:\fracxidg.tsv contain encrypted session keys we need in order to be able to decrypt your files.

The software price will include a guarantee that your company will never be           inconvenienced by us.
You will also receive a consultation on how to improve your companies cyber security.

We can only show you the door. You're the one who has to walk through it.
Community content is available under CC-BY-SA unless otherwise noted.