MegaCortex surfaced in 2019 as a purpose-built ransomware targeting corporate networks that used domain controllers to spread. According to The Malware Wiki, MegaCortex encrypted user files with AES encryption. A read-me file accompanying infections indicated that the only way to restore access to locked data is with a private key that victims would need to purchase from the hackers.

Fast-forward to October 2021, when authorities arrested a dozen individuals linked to more than 1,800 ransomware attacks across 71 countries. According to TechCrunch, police spent months combing through data collected during the arrests. They ultimately found individual decryption keys that were used to create and release a tool last September to unlock files impacted by the LockerGoga ransomware.

Additional keys discovered by law enforcement led to the development of this new tool for the MegaCortex ransomware. Interested parties can grab the MegaCortex unlocker over on Bitdefender’s website. Bitdefender has also published a step-by-step tutorial on how to use it in both single-computer and network modes. Notably, if your files are encrypted with versions 2-4 of the ransomware, you will need to make sure the system contains a copy of the ransom note. If you were hit with V1, you will need the note and the TSV log file created by the ransomware to use the unlocking tool.

The tool is also available from No More Ransom. The site plays host to unlocking tools for more than 170 pieces of ransomware and variants, including well-known examples like REvil and Ragnarok.

Most security experts advise victims not to pay a ransom. Sending money only confirms that the ransomware works, and there is no guarantee that you will get the decryption key in return for payment or that you won’t be hit again by a tweaked variant requiring a different key (and more money). Australia is even considering a ban on ransom payments to hackers.

Image credit: Soumil Kumar, George Becker