Security Industry Hits Back with MegaCortex Decryptor


Security industry stakeholders have joined forces again to offer ransomware victims a way to mitigate the worst impacts of a compromise, with a new decryptor for MegaCortex.

The new decryption tool will allow victims of the variant to recover their files for free.

It was announced by Bitdefender, although the security vendor acknowledged that the tool was built in cooperation with Europol, the No More Ransom Project, the Zürich Public Prosecutor's Office and the Zürich Cantonal Police.

Interestingly, the anti-malware vendor’s announcement cited news from October 2021, when 12 individuals were arrested in connection with the Dharma, MegaCortex and LockerGoga ransomware families.

It’s likely that the arrest of what Europol described as “high-value targets” ultimately led to the development of the MegaCortex decryptor.

A statement from the Zürich Public Prosecutor's Office back in September 2022 revealed as much, claiming that investigators had been able to recover multiple private keys used by the threat actors.

“These keys enable damaged companies and institutions to restore data previously encrypted with the LockerGoga or MegaCortex malware,” it explained.

“In cooperation with Europol, the No More Ransom Project and the company Bitdefender, a tool is provided that supports the victims in decrypting LockerGoga. This is available at […]. A MegaCortex decryption tool will be released soon.”

The LockerGoga decryptor was released in September 2022, when that announcement was made.

Together, the three variants are estimated to have compromised 1800 victims in 71 countries.

MegaCortex was first spotted in May 2019. Victims were shown a ransom note containing various references to the cult ‘90s film The Matrix, and the variant’s name echoes that of the company (MetaCortex) where the movie’s hero, Neo, works.

Some targeted corporate victims were asked to pay multimillion-dollar ransoms for a decryption key, with the group also one of the first to use double extortion tactics by exfiltrating data and threatening to leak it.
