
Remove MegaCortex ransomware (Virus Removal Guide) - May 2019 update

removal by Jake Doevan | Type: Ransomware

MegaCortex is a sophisticated cryptolocking malware that employs both automated and manual components for its infection

MegaCortex ransomware

MegaCortex is a ransomware-type virus that targets corporations for money extortion purposes and is another example of large-scale attacks that incorporate the “big game hunting”[1] technique, which is only used in targeted attacks. The threat is not new and has been infecting organizations since January 2019, but it became especially active at the start of May of the same year, infecting corporations around the world.

Initially, Sophos researchers claimed[2] that MegaCortex ransomware operates together with Emotet and Qakbot viruses, as these threats were also present during the first samples that experts examined. Nevertheless, further research that was published a week later[3] uncovered that this strain also uses the same Common Name (CN) on the digital certificate as Rietspoof malware, although no other connections to the latter were found.

Once the main executable (rstwg.exe, winnit.exe, or other) is launched, MegaCortex ransomware encrypts files with the help of an encryption algorithm[4] and then appends the .aes128ctr file extension, although different extensions have been noticed in the wild.

Soon after that, the malware drops the !!! _ READ_ME _ !!!.txt ransom note, in which hackers offer a decryption tool for a price, as well as alleged tips on how to improve the company's security levels and a guarantee that it will remain safe from further MegaCortex virus attacks.

Name: MegaCortex
Type: Ransomware
Malware executable: rstwg.exe, winnit.exe, or other
File marker: .aes128ctr
Contact emails:
Main target: Businesses, worldwide companies
Already affected: 76 confirmed attacks from these countries:

  • Italy
  • USA
  • Canada
  • Netherlands
  • France
  • Ireland
  • Czech Republic

Ransom note: !!! _ READ_ME _ !!!.txt
Distribution: Infected documents, PSExec utility
Main damage: Locks data, spreads together with password-stealing viruses, leads to money loss or damaged data
Elimination: Get Reimage, SpyHunter 5 or Combo Cleaner for fixing your system after MegaCortex removal

MegaCortex malware gets delivered using Windows domain controllers. According to recent reports, attackers gain remote access to the chosen network and configure the domain controller to distribute a copy of PsExec – the service running executable of the malware.[2] 

Additionally, once MegaCortex ransomware gets on the system, it disables security services or programs so that it can keep running without interruption. Encryption starts and ends quickly, leaving files marked with the .aes128ctr extension. This marker may change from sample to sample. As Sophos has reported, the virus has infected its clients from the United States, Canada, Australia, Hong Kong, Indonesia, the Netherlands, France, Ireland, Argentina, and Italy. Beware that home users may also be infected in the future!

MegaCortex is malware designed to extort money from corporations and make a profit for the developer.

MegaCortex samples were discovered on May 1, 2019. It is known that the virus compromises the domain controller and, when Cobalt Strike is dropped and launched, launches the main executable designed to start the main process of the cryptovirus. In addition to these processes, a specific batch of files gets executed to disable 44 particular processes and more than 200 Windows services.
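A mass shutdown of services like the one described above shows up in the Windows System log as a run of Service Control Manager 7036 "entered the stopped state" events. The following is an added example, not part of the original guide, that flags such bursts in exported log lines; the line format, the sample events and the window and threshold values are assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Assumed export format: "<ISO timestamp> <event id> <message>".
STOP_RE = re.compile(r"^(\S+) 7036 The (.+) service entered the stopped state\.$")

# Constructed sample: routine events plus 25 service stops within 25 seconds.
SAMPLE = [
    "2019-05-01T08:12:40 7036 The Windows Update service entered the stopped state.",
    "2019-05-01T09:03:05 7036 The Print Spooler service entered the running state.",
] + [
    f"2019-05-01T10:00:{i:02d} 7036 The ExampleSvc{i} service entered the stopped state."
    for i in range(25)
] + ["2019-05-01T12:30:00 7036 The Windows Search service entered the stopped state."]

def parse_stops(lines):
    """Yield (timestamp, service) for each 'entered the stopped state' line."""
    for line in lines:
        m = STOP_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2)

def stop_bursts(lines, window=timedelta(seconds=60), threshold=20):
    """Return (first, last, distinct_services) for each burst of service stops."""
    recent, bursts, active = deque(), [], False
    for ts, svc in sorted(parse_stops(lines)):
        recent.append((ts, svc))
        while ts - recent[0][0] > window:      # drop events older than the window
            recent.popleft()
        distinct = len({name for _, name in recent})
        if distinct >= threshold:
            if active:                         # extend the burst in progress
                bursts[-1] = (bursts[-1][0], ts, max(bursts[-1][2], distinct))
            else:
                bursts.append((recent[0][0], ts, distinct))
                active = True
        else:
            active = False
    return bursts

if __name__ == "__main__":
    for first, last, count in stop_bursts(SAMPLE):
        print(f"{count} services stopped between {first} and {last}")
```

Tune the threshold against normal shutdown and patching activity on your own hosts before alerting on it.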

Changes initiated by MegaCortex ransomware can also include:

  • changed startup preferences;
  • added or altered registry entries;
  • installed or disabled programs;
  • added files and malware.

When MegaCortex ransomware ends the encryption process, encoded files get marked with the .aes128ctr extension. Also, the virus creates other data on the affected system, such as a DLL with the list of encrypted file names. Finally, the ransom note gets added on the desktop and in various folders on the computer.
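To gauge how far the encryption reached, a responder can sweep a file tree for the artifacts named in this guide. The following is an added example, not part of the original guide: the function names are hypothetical, the indicators are the ones listed on this page, and the extension set is a parameter because the marker may change from sample to sample.

```python
import os
from collections import Counter

# Indicators as printed in this guide; file names alone are weak evidence.
MARKER_EXTS = {".aes128ctr"}
NOTE_NAME = "!!! _ READ_ME _ !!!.txt"
EXE_NAMES = {"rstwg.exe", "winnit.exe"}

def _squash(name):
    """Lower-case and drop whitespace so spacing variants of a name compare equal."""
    return "".join(name.split()).lower()

def sweep(root, marker_exts=MARKER_EXTS):
    """Walk root read-only and collect indicator hits per category."""
    exts = {e.lower() for e in marker_exts}
    note = _squash(NOTE_NAME)
    report = {"encrypted": Counter(), "notes": [], "executables": [], "errors": []}

    def on_error(err):
        report["errors"].append(str(err))      # unreadable folders are logged, not fatal

    for dirpath, _dirs, files in os.walk(root, onerror=on_error):
        for fname in files:
            low = fname.lower()
            full = os.path.join(dirpath, fname)
            if os.path.splitext(low)[1] in exts:
                report["encrypted"][dirpath] += 1   # count marked files per folder
            elif _squash(fname) == note:
                report["notes"].append(full)
            elif low in EXE_NAMES:
                report["executables"].append(full)
    return report

def summarize(report):
    """Condense a sweep report into totals and the most affected folders."""
    return {
        "encrypted_total": sum(report["encrypted"].values()),
        "worst_dirs": report["encrypted"].most_common(3),
        "note_count": len(report["notes"]),
        "executables": sorted(report["executables"]),
        "unreadable": len(report["errors"]),
    }

if __name__ == "__main__":
    print(summarize(sweep(".")))
```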

The MegaCortex ransomware ransom note !!! _ READ_ME _ !!!.txt reads the following:

Your companies cyber defense systems have been measured, measured and have been found wanting. 
The breach is a result of the security protocols. 
All of your computers have been corrupted with MegaCortex malware that has encrypted your files. 
We must ensure that your data is swiftly and securely. 
Restoration of your data requires a private key. 
They are useless. 
It is critical that you restart or shutdown your computer. 
It can lead to irreversible damage to your computer back.
To confirm that our software works email to us 2 from random computers files is and the C: \ fracxidg.tsvfile ( 's) 
and you will of the get Them decrypted. 
C: \ fracxidg.tsv 
It will never be inconvenienced by us. 
Cyber ​​security. 
If you want to contact us at 
We can only show you the door. Through one. 

The developers of MegaCortex seem to be struggling to look more credible, so they offer to test their decryption service (two files precisely) for free. Even if they recover those files without any payment, you shouldn't trust them or pay the demanded ransom. Get professional anti-malware tools and get rid of the virus instead.

For the best MegaCortex ransomware removal results, you should rely on a reliable tool designed to fight malware. You can base your choice on the malware detection rate.[5] Make sure to avoid any unsafe installations and get the tool from reputable sources.

MegaCortex file locking malware
MegaCortex ransomware authors are going for large corporations by employing the big game hunting technique.

Various specialists from the cybersecurity field[6] have been suggesting using Reimage, SpyHunter 5 or Combo Cleaner for the job. Remove MegaCortex ransomware completely and make sure to clean the system from other possible programs or virus damage. Perform a full scan on the infected PC and follow the suggested steps.

The same solution is offered for companies since ransomware has mostly been targeting networks of corporations. The professional IT specialist should employ an antivirus tool to clean the entire network and then use backups to recover files encrypted by MegaCortex ransomware.

An operating system doesn't require permission when ransomware gets installed in the background

The risk in emails often gets ignored, and this is how cyber infections reach the machine, because the included file attachments or hyperlinks spread malicious scripts. When the payload is dropped on the system, various malware can be launched and automatically installed.

Once this is done, trojans, malware or even ransomware itself starts running needed processes immediately. Since this particular virus gets delivered with the help of trojans and malware, it is not easy to spot cyber infections because the virus runs in the background. However, the appearance of rstwg.exe in your Task Manager should make you worried.

However, you can avoid such processes by paying more attention to the emails you receive in your inbox. When any suspicious or questionable email appears in the inbox, make sure to delete it, and dismiss the notification if any files are attached to it. One click on the included hyperlink or accidental installation of a document can lead to automatic ransomware infiltration, and then you risk getting your files damaged.

Terminate MegaCortex ransomware and make sure to clean the machine fully

To remove MegaCortex ransomware from the affected computer or even the network, you need to disconnect your PCs from the Internet and run a full system scan with a professional anti-virus. If you go for a free tool, you risk getting PUPs or more dangerous cyber threats.

Make sure to learn about MegaCortex virus features and potential risks before attempting any processes. Also, rely on file backups and data recovery software when trying to restore encrypted files. This can only be achieved after proper system cleaning.

Automatic MegaCortex removal using anti-malware tools like Reimage, SpyHunter 5, Combo Cleaner, or Malwarebytes can give the advantage of detecting other malware besides the cryptovirus and eliminating corrupted files and PUPs from the machine.


To remove MegaCortex virus, follow these steps:

Remove MegaCortex using Safe Mode with Networking

Reboot the system in Safe Mode with Networking and then scan it with an AV tool to remove MegaCortex ransomware

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove MegaCortex

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete MegaCortex removal.

If your ransomware is blocking Safe Mode with Networking, try the next method.

Remove MegaCortex using System Restore

You can benefit from the System Restore feature, which allows recovering the system to a previous state

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point that is prior to the infiltration of MegaCortex. After doing that, click Next.
    4. Now click Yes to start system restore.
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that MegaCortex removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove MegaCortex from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by MegaCortex, you can use several methods to restore them:

Data Recovery Pro is the program designed to replace file backups in the data restoring process

It is possible to restore files encrypted by MegaCortex ransomware without having backed up files. Try Data Recovery Pro for accidentally deleted files or encrypted data.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by MegaCortex ransomware;
  • Restore them.

Windows Previous Versions feature allows recovering files after MegaCortex ransomware intervention

When System Restore is enabled, Windows Previous Versions can be used in file recovery

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer is the feature replacing file backups in the data recovery process

Shadow Volume Copies should be untouched by the ransomware, for ShadowExplorer to work

  • Download Shadow Explorer;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Decryption is not possible for MegaCortex ransomware

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from MegaCortex and other ransomware, use a reputable anti-spyware, such as Reimage, SpyHunter 5, Combo Cleaner or Malwarebytes.

About the author

Jake Doevan
Jake Doevan - Computer technology expert
