
Bitdefender released a free decryptor for the MegaCortex ransomware

Antivirus firm Bitdefender released a decryptor for the MegaCortex ransomware allowing its victims to restore their data for free.

Antivirus firm Bitdefender has released a decryptor for the MegaCortex ransomware that allows victims of the group to restore their data for free.

The MegaCortex ransomware first appeared on the threat landscape in May 2019 when it was spotted by security experts at Sophos.

The experts noticed that in MegaCortex attacks, other malware such as Emotet and Qbot (aka Qakbot) was present on the same network.

Since November 2019, MegaCortex operators have adopted double extortion tactics. The group typically asked for ransoms of between $20,000 and $5.8 million in exchange for a decryptor.

In December 2019, the FBI warned private industry about cyber attacks involving the LockerGoga and MegaCortex ransomware.

Bitdefender researchers have developed the decryptor with the support of Europol, the Zürich Public Prosecutor’s Office and Cantonal Police, and researchers from the NoMoreRansom Project.

The tool is an executable that can be downloaded from Bitdefender servers.

The decryptor also supports a “Scan Entire System” mode that searches the whole system for encrypted files.

The user guide released by the security firm strongly recommends that users keep the “Backup files” option enabled.

With the backup option checked, users will keep both the encrypted and the decrypted files. They can also find a log describing the decryption process in the file %temp%\BitdefenderLog.txt.

“In case of encryption with versions 2-4, please make sure the system contains the ransom note (e.g. “!!READ_ME!!!.TXT”, “!-!README!-!.RTF”, etc). For encryption with MegaCortex V1 (the encrypted files have the “.aes128ctr” extension appended), please ensure the ransom note and TSV log file (e.g. “fracxidg.tsv”) created by the ransomware are present on the system.” reads an important note included in the manual provided with the tool.
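Because the decryptor refuses to work without the artifacts the manual lists, a responder will usually want to confirm they are still on the system before running the tool (and before any cleanup deletes them). The following readiness check is an added example, not Bitdefender's code or part of the decryptor: it walks a directory tree read-only and reports which MegaCortex prerequisites are present, using only the indicators quoted above (the ".aes128ctr" extension, the example ransom-note names and the TSV log). The function names, the version inference and the constructed sample tree are assumptions made for the example; any ".tsv" hit is only a hint, since the tool needs the file the ransomware itself wrote.

```python
"""Readiness check before running a ransomware decryptor (added example, not
Bitdefender's code). Indicator names come from the manual as quoted on the
page; function names and the sample tree are constructed for this example."""
import os
import tempfile
from pathlib import Path

V1_EXTENSION = ".aes128ctr"                              # appended by MegaCortex V1
RANSOM_NOTES = {"!!READ_ME!!!.TXT", "!-!README!-!.RTF"}  # example note names from the manual
TSV_SUFFIX = ".tsv"                                      # V1 log file, e.g. "fracxidg.tsv"


def scan_tree(root):
    """Return paths grouped by indicator type. Files are listed, never opened or changed."""
    found = {"v1_encrypted": [], "ransom_notes": [], "tsv_logs": []}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(V1_EXTENSION):
                found["v1_encrypted"].append(path)
            elif name.upper() in RANSOM_NOTES:
                found["ransom_notes"].append(path)
            elif name.lower().endswith(TSV_SUFFIX):
                # Any .tsv is only a hint: the decryptor needs the log the ransomware
                # itself wrote, so confirm the file by hand before relying on it.
                found["tsv_logs"].append(path)
    return found


def assess(found):
    """Map the findings onto the manual's prerequisites for each MegaCortex version."""
    has_note = bool(found["ransom_notes"])
    has_tsv = bool(found["tsv_logs"])
    if found["v1_encrypted"]:
        version = "V1"
        needed = {"ransom note": has_note, "TSV log": has_tsv}
    else:
        # Assumption: no .aes128ctr files means a V2-V4 infection, which needs the note only.
        version = "V2-4 (assumed)"
        needed = {"ransom note": has_note}
    missing = [item for item, present in needed.items() if not present]
    return {"version": version, "ready": not missing, "missing": missing}


def bitdefender_log_path():
    """Where the manual says the decryptor writes its log: %temp%\\BitdefenderLog.txt."""
    return os.path.join(os.environ.get("TEMP", tempfile.gettempdir()), "BitdefenderLog.txt")


def build_sample_tree(base):
    """Constructed sample data: a V1 victim tree with both prerequisites present."""
    docs = Path(base) / "Documents"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "report.docx.aes128ctr").write_bytes(b"\x00" * 32)      # placeholder ciphertext
    (docs / "!!READ_ME!!!.TXT").write_text("placeholder ransom note\n")
    (Path(base) / "fracxidg.tsv").write_text("placeholder\tlog\n")


def run_demo():
    """Assess the sample tree, then remove the TSV log and assess again."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        complete = assess(scan_tree(tmp))
        os.remove(os.path.join(tmp, "fracxidg.tsv"))
        without_tsv = assess(scan_tree(tmp))
    return {"complete": complete, "without_tsv": without_tsv}


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(f"{label}: {result}")
    print("decryptor log would be written to", bitdefender_log_path())
```

Run it against a copy of the affected volume (or an offline image mount) rather than the live host; when the check reports something missing, that artifact should be recovered from backups or forensic images before the decryptor is attempted, since the tool cannot proceed without it.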

In September, the Zürich Public Prosecutor’s Office announced that it was planning to release a decryptor after seizing decryption private keys from a threat actor who was arrested by Swiss authorities and is facing hacking and money laundering charges.

“This analysis revealed numerous private keys from ransomware attacks. These keys enable damaged companies and institutions to restore data previously encrypted with the “LockerGoga” or “MegaCortex” malware. In cooperation with Europol, the “No More Ransom” project and the company Bitdefender, a tool is provided that supports the victims in decrypting LockerGoga. This is available at www.nomoreransom.org.” reads a press release published by the Zürich Public Prosecutor’s Office. “MegaCortex decryption tool will be released soon. Victims who are affected by attacks with the malicious programs mentioned are urgently requested to file a criminal complaint in their respective home country if they have not already done so.”


Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)
