Freedom for MegaCortex ransomware victims – the fix is out
Criminals hit 1,800 victims across 71 countries to the tune of $100m+
An international law enforcement effort has released a decryptor for victims of MegaCortex ransomware, widely used by cybercriminals to infect large corporations across 71 countries to the tune of more than $100 million in damages.
The decryptor, built by Europol, cybersecurity firm Bitdefender, the NoMoreRansom Project, the Zürich Public Prosecutor's Office and the Zürich Cantonal Police, allows victims to recover files for free.
Bitdefender also published a tutorial on how to use the tool in both single-computer and network modes. The security shop noted:
Victims with data encrypted by versions 2 through 4 need the ransom note (e.g. "!!READ_ME!!!.TXT", "!-!README!-!.RTF", etc.) present. MegaCortex V1 decryption (the encrypted files have the ".aes128ctr" extension appended) requires the presence of the ransom note and TSV log file (e.g. "fracxidg.tsv") created by the ransomware.
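Before running a decryptor, an incident responder usually wants to know which MegaCortex variant a host was hit by and whether the artifacts the tool needs are still present. The script below is an added example written for this article; it is not Bitdefender's or Europol's code. It encodes only the prerequisites quoted above: a ".aes128ctr" extension marks V1, V1 recovery needs both a ransom note and the ransomware's TSV log, and V2 through V4 need only the ransom note. The ransom-note filenames are the two examples the quote gives (the quote says "etc.", so the set is not complete), and matching the TSV log by its ".tsv" extension alone is an assumption, since the page offers just one sample name, "fracxidg.tsv". The `classify_paths` function works on any list of paths, so it can be pointed at a file listing collected from an offline disk image as well as a live directory walk.

```python
"""Triage helper: does a host hold what the MegaCortex decryptor needs?

Added example, not the decryptor's own code. It implements the prerequisites
stated in Bitdefender's guidance: V1 (".aes128ctr" files) needs ransom note
plus TSV log; V2-V4 need only the ransom note.
"""
from dataclasses import dataclass, field
from pathlib import Path, PurePath
from typing import Iterable, List

V1_EXTENSION = ".aes128ctr"                                   # stated on the page
RANSOM_NOTE_NAMES = {"!!READ_ME!!!.TXT", "!-!README!-!.RTF"}  # page's examples; list is not complete
TSV_LOG_EXTENSION = ".tsv"  # assumption: page only gives the example name "fracxidg.tsv"


@dataclass
class Triage:
    """Artifacts found on the host, grouped by the role they play for the decryptor."""
    v1_files: List[str] = field(default_factory=list)
    ransom_notes: List[str] = field(default_factory=list)
    tsv_logs: List[str] = field(default_factory=list)   # candidates only; confirm manually

    @property
    def version_class(self) -> str:
        # The page names only V1's extension, so any host with a ransom note but
        # no ".aes128ctr" files is treated as a V2-V4 candidate.
        if self.v1_files:
            return "v1"
        if self.ransom_notes:
            return "v2-v4"
        return "unknown"

    @property
    def missing(self) -> List[str]:
        """Prerequisites the decryptor would still be lacking on this host."""
        needed = []
        if not self.ransom_notes:
            needed.append("ransom note")
        if self.version_class == "v1" and not self.tsv_logs:
            needed.append("TSV log")
        return needed

    @property
    def ready(self) -> bool:
        return self.version_class != "unknown" and not self.missing


def classify_paths(paths: Iterable[str]) -> Triage:
    """Sort a list of file paths into the three artifact classes (case-insensitive,
    because the notes are written to case-insensitive Windows filesystems)."""
    result = Triage()
    note_names = {n.casefold() for n in RANSOM_NOTE_NAMES}
    for p in paths:
        name = PurePath(p).name.casefold()
        if name.endswith(V1_EXTENSION):
            result.v1_files.append(str(p))
        elif name in note_names:
            result.ransom_notes.append(str(p))
        elif name.endswith(TSV_LOG_EXTENSION):
            result.tsv_logs.append(str(p))
    return result


def triage_directory(root: str) -> Triage:
    """Walk a directory tree on a live host and classify every regular file."""
    return classify_paths(str(p) for p in Path(root).rglob("*") if p.is_file())


def report(t: Triage) -> str:
    lines = [f"variant: {t.version_class}",
             f"encrypted V1 files: {len(t.v1_files)}",
             f"ransom notes: {t.ransom_notes}",
             f"TSV log candidates: {t.tsv_logs}"]
    lines.append("decryptor prerequisites: " + ("present" if t.ready else "missing " + ", ".join(t.missing)))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed file listing standing in for a hit host; not real IoCs.
    sample = ["C:/Finance/q3.xlsx.aes128ctr",
              "C:/Finance/!!READ_ME!!!.TXT",
              "C:/Windows/Temp/fracxidg.tsv"]
    print(report(classify_paths(sample)))
```

Run it against a live tree with `triage_directory(r"D:\\evidence")`, or feed `classify_paths` the output of a forensic file listing. A `.tsv` match is only a candidate: any spreadsheet export would trigger it, so confirm the file is the ransomware's log before relying on it.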
The MegaCortex decryptor follows the release of a similar tool, this one to help recover files encrypted by LockerGoga ransomware, developed by the same coalition of law enforcement and infosec groups.
Cybercriminals using both types of malware infected more than 1,800 victims, costing them over $100 million, according to Europol. "These cyber actors are known for specifically targeting large corporations, effectively bringing their business to a standstill," the European cops said.
In October 2021, law enforcement agencies in Ukraine and Switzerland arrested 12 individuals believed to be part of a crime ring responsible for these cyberattacks. At the time, the Europol-led effort also seized more than $52,000 in cash, five "luxury" vehicles and several electronic devices.
The suspects all played different roles in the organized crime operation, according to the cops. Some specialized in gaining initial access, while others handled lateral movement, deploying malware such as Trickbot or post-exploitation frameworks like Cobalt Strike and PowerShell Empire to stay undetected and extend their reach across the network.
Additionally, "a number" of those arrested were in charge of laundering the cryptocurrency ransom payments via mixing services before cashing out.
According to Europol, the miscreants often spent months on the compromised networks without being detected, allowing the crooks to scope out vulnerabilities before dropping ransomware to monetize the attack.
Despite these and other similar arrests last year and in 2021, ransomware gangs don't show any signs of slowing in 2023. Just days into the New Year, cybercriminals have hit a public housing authority and nonprofit health organization in the US and dozens of UK schools, just to name a few. Meanwhile, organizations including LastPass, Rackspace, and The Guardian continue to recover from extortion attacks in late 2022. ®