
Remove MegaCortex ransomware (Removal Guide) - updated May 2019

Removal by Jake Doevan | Type: Ransomware

MegaCortex is a sophisticated crypto-locking malware that employs both automated and manual components for its infection


MegaCortex is a ransomware-type virus that targets corporations for money extortion purposes and is another example of large-scale attacks that incorporate the “big game hunting”[1] technique, which is only used in targeted attacks. The threat is not new and has been infecting organizations since January 2019, but it became especially active at the start of May of the same year, infecting corporations around the world. Recently, the malware reappeared with the .m3g4c0rtx extension.

Initially, Sophos researchers claimed[2] that MegaCortex ransomware operates together with the Emotet and Qakbot viruses, as these threats were also present alongside the first samples that experts examined. Nevertheless, further research published a week later[3] uncovered that this strain also uses the same Common Name (CN) on its digital certificate as Rietspoof malware, although no other connections to the latter were found.

Once the main executable (rstwg.exe, winnit.exe, or another) is launched, MegaCortex ransomware encrypts files with the help of an encryption algorithm[4] and then appends the .aes128ctr file extension, although other extensions have been noticed in the wild.

Soon after that, the malware drops the !!! _ READ_ME _ !!!.txt ransom note, in which the hackers offer a decryption tool for a price, as well as alleged tips on how to improve the company's security levels and a guarantee that it will remain safe from further MegaCortex virus attacks.

Name: MegaCortex
Type: Ransomware/crypto virus
Malware executable: rstwg.exe, winnit.exe, or other
File marker: .aes128ctr, .m3g4c0rtx
Contact emails:
Main target: Businesses, worldwide companies, home users
Already affected: 76 confirmed attacks from these countries:

  • Italy
  • USA
  • Canada
  • Netherlands
  • France
  • Ireland
  • Czech Republic

Ransom note: !!! _ READ_ME _ !!!.txt
Distribution: Infected documents, PsExec utility
Main damage: Locks data, leads to money loss or damaged data, can also install a password-stealing virus
Elimination: Use SpyHunter 5 or Combo Cleaner for MegaCortex removal. Get Reimage or Intego to repair virus damage

MegaCortex malware gets delivered using Windows domain controllers. According to recent reports, attackers gain remote access to the chosen network and configure the domain controller to distribute a copy of PsExec, the utility used to run the malware's executable.[2]

Additionally, once MegaCortex ransomware gets on the system, it disables security services or programs so that it can keep running without interruption. Encryption starts and quickly ends with files marked with the .aes128ctr extension. This marker may change from sample to sample. As Sophos has reported, the virus has infected its clients from the United States, Canada, Australia, Hong Kong, Indonesia, the Netherlands, France, Ireland, Argentina, and Italy. Beware that home users may also be infected in the future!

MegaCortex is malware designed to extort money from corporations and make a profit for the developer.

MegaCortex samples were discovered on May 1, 2019. It is known that the virus compromises the domain controller, and when Cobalt Strike is dropped and launched, it launches the main executable designed to start the main process of the cryptovirus. In addition to these processes, a specific batch of files gets executed to disable 44 particular processes and more than 200 Windows services.
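One way to turn the behaviour described above (a stage that shuts down dozens of processes and hundreds of services) into a detection, as an added example that is not from the original article: flag any host where many distinct services or processes are stopped inside a short window. The log line format, host names, the 60-second window, the threshold of 20, and the choice of net stop, sc and taskkill as the commands to match are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: stock Windows commands are matched; the page does not list the exact ones.
T = r'("[^"]+"|\S+)'  # target name, optionally quoted
TAMPER = re.compile(
    rf"\b(?:net1?|sc)(?:\.exe)?\s+stop\s+{T}"
    rf"|\bsc(?:\.exe)?\s+config\s+{T}\s+start=\s*disabled"
    rf"|\btaskkill(?:\.exe)?\s.*?/im\s+{T}",
    re.IGNORECASE,
)

def parse(line):
    """Return (time, host, target) for a stop/disable/kill command, else None."""
    parts = line.split(" ", 2)
    m = TAMPER.search(parts[2]) if len(parts) == 3 else None
    if not m:
        return None
    target = next(g for g in m.groups() if g).strip('"').lower()
    return datetime.fromisoformat(parts[0]), parts[1], target

def detect_bursts(lines, window=timedelta(seconds=60), threshold=20):
    """Map host -> peak number of distinct targets hit inside one window."""
    per_host = defaultdict(list)
    for line in lines:
        if (rec := parse(line)):
            per_host[rec[1]].append((rec[0], rec[2]))
    alerts = {}
    for host, evs in per_host.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            distinct = len({t for _, t in evs[start:end + 1]})
            if distinct >= threshold:
                alerts[host] = max(alerts.get(host, 0), distinct)
    return alerts

def sample_log():
    """Constructed process-creation lines: '<iso time> <host> <command line>'."""
    t0 = datetime(2019, 5, 1, 2, 0)
    forms = ("net stop svc{} /y", "sc config svc{} start= disabled",
             "taskkill /IM proc{}.exe /F")
    rows = [(t0 + timedelta(seconds=i), "HOST-A", forms[i % 3].format(i))
            for i in range(25)]                      # burst: 25 targets in 25 s
    rows += [(t0 + timedelta(minutes=10 * i), "HOST-C", f"net stop svc{i}")
             for i in range(25)]                     # same count spread over 4 h
    return [f"{t.isoformat()} {h} cmd.exe /c {c}" for t, h, c in rows]
```

Calling `detect_bursts(sample_log())` flags only HOST-A; HOST-C stops the same number of services but never more than one per window, which is what routine maintenance tends to look like.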

Changes initiated by MegaCortex ransomware can also include:

  • changed startup preferences;
  • added or altered registry entries;
  • installed or disabled programs;
  • added files and malware.

When MegaCortex ransomware ends the encryption process, encoded files get marked with either the .aes128ctr or the more recent .m3g4c0rtx extension. The virus also creates other data on the affected system, such as a DLL with the list of encrypted file names, and drops the ransom note on the desktop and in various folders on the computer.
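A read-only triage sweep built on the indicators this guide names (the two file markers, the ransom note and the executable names), added here as an example and not taken from the original article. It lists the original file names to pull from backup; the sample tree and function names are constructed for illustration, and the marker list is a parameter because the marker may change between samples.

```python
import os
import tempfile
from pathlib import Path

MARKERS = (".aes128ctr", ".m3g4c0rtx")     # file markers named in the article
NOTE = "!!!_read_me_!!!.txt"               # ransom note name, whitespace removed
EXECUTABLES = {"rstwg.exe", "winnit.exe"}  # executable names from the article

def classify(name, markers=MARKERS):
    """Return 'encrypted', 'note', 'executable' or None for a file name."""
    low = name.lower()
    if low.endswith(tuple(markers)):
        return "encrypted"
    if "".join(low.split()) == NOTE:  # tolerate spacing variants of the name
        return "note"
    return "executable" if low in EXECUTABLES else None

def sweep(root, markers=MARKERS):
    """Walk root; report notes, executables and original names to restore."""
    report = {"restore": [], "note": [], "executable": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind = classify(name, markers)
            rel = Path(dirpath, name).relative_to(root).as_posix()
            if kind == "encrypted":
                # Original name = encrypted name minus the appended marker.
                m = next(m for m in markers if name.lower().endswith(m))
                report["restore"].append(rel[:-len(m)])
            elif kind:
                report[kind].append(rel)
    return {k: sorted(v) for k, v in report.items()}

def build_sample_tree(root):
    """Constructed sample tree standing in for a mounted share or disk image."""
    for rel in ("finance/q1.xlsx.aes128ctr", "finance/!!!_READ_ME_!!!.txt",
                "hr/staff.docx.m3g4c0rtx", "hr/notes.txt",
                "temp/rstwg.exe", "desktop/!!! _ READ_ME _ !!!.txt"):
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"")

def demo():
    """Build the sample tree in a temp dir and return the sweep report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sweep(tmp)
```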

The MegaCortex ransomware ransom note !!! _ READ_ME _ !!!.txt reads the following:

Your companies cyber defense systems have been measured, measured and have been found wanting. 
The breach is a result of the security protocols. 
All of your computers have been corrupted with MegaCortex malware that has encrypted your files. 
We must ensure that your data is swiftly and securely. 
Restoration of your data requires a private key. 
They are useless. 
It is critical that you restart or shutdown your computer. 
It can lead to irreversible damage to your computer back.
To confirm that our software works email to us 2 from random computers files is and the C: \ fracxidg.tsvfile ( 's) 
and you will of the get Them decrypted. 
C: \ fracxidg.tsv 
It will never be inconvenienced by us. 
Cyber security. 
If you want to contact us at 
We can only show you the door. Through one. 

The developers of MegaCortex seem to be struggling to look more credible, so they offer to test their decryption service (two files precisely) for free. Even if they recover those files without any payment, you shouldn't trust them or pay the demanded ransom. Get professional anti-malware tools and get rid of the virus instead.

For the best MegaCortex ransomware removal results, you should rely on a reliable tool designed to fight malware. You can base your choice on the malware detection rate.[5] Make sure to avoid any unsafe installations and get the tool from reputable sources.

MegaCortex ransomware authors are going for large corporations by employing the big game hunting technique.

Various specialists from the cybersecurity field[6] have been suggesting Reimage, Intego, SpyHunter 5 or Combo Cleaner for the job. Remove MegaCortex ransomware completely and make sure to clean the system of other possible programs or virus damage. Perform a full scan on the infected PC and follow the suggested steps.

The same solution is offered for companies since ransomware has mostly been targeting networks of corporations. The professional IT specialist should employ an antivirus tool to clean the entire network and then use backups to recover files encrypted by MegaCortex ransomware.

An operating system doesn't require permission when ransomware gets installed in the background

Emails often get ignored, and this is how cyber infections reach the machine: the included file attachments or hyperlinks spread malicious scripts. When the payload is dropped on the system, various malware can be launched and automatically installed.

Once this is done, trojans, malware or even the ransomware itself start running the needed processes immediately. Since this particular virus gets delivered with the help of trojans and malware, it is not easy to spot the infection because the virus runs in the background. However, the appearance of rstwg.exe in your Task Manager should make you worried.

However, you can avoid such processes by paying more attention to the emails you receive in your inbox. When any suspicious or questionable email appears in the inbox, make sure to delete it, and exit the notification if any files are attached to it. One click on the included hyperlink or accidental installation of a document can lead to automatic ransomware infiltration, and then you risk getting your files damaged.

Terminate MegaCortex ransomware and make sure to clean the machine fully

To remove MegaCortex ransomware from the affected computer or even the network, you need to disconnect your PCs from the Internet and run a full system scan with a professional anti-virus. If you go for a free tool, you risk getting PUPs or more dangerous cyber threats.

Make sure to learn about MegaCortex virus features and potential risks before attempting any processes. Also, rely on file backups and data recovery software when trying to restore encrypted files. This can only be achieved after proper system cleaning.

Automatic MegaCortex removal using anti-malware tools like Reimage, Intego, SpyHunter 5, Combo Cleaner, or Malwarebytes can give the advantage of detecting other malware besides the cryptovirus and eliminating corrupted files and PUPs from the machine.


To remove MegaCortex virus, follow these steps:

Remove MegaCortex using Safe Mode with Networking

Reboot the system in Safe Mode with Networking and then scan it with an AV tool to remove MegaCortex ransomware

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove MegaCortex

    Log in to your infected account and start the browser. Download Reimage, Intego or another legitimate anti-spyware program. Update it before a full system scan, remove the malicious files that belong to the ransomware and complete MegaCortex removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove MegaCortex using System Restore

You can benefit from the System Restore feature, which allows recovering the system to a previous state

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of MegaCortex. After doing that, click Next.
    4. Now click Yes to start system restore.
    Once you restore your system to a previous date, download Reimage or Intego, scan your computer with it and make sure that MegaCortex removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove MegaCortex from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by MegaCortex, you can use several methods to restore them:

Data Recovery Pro is the program designed to replace file backups in the data restoring process

It is possible to restore files encrypted by MegaCortex ransomware without having backed up files. Try Data Recovery Pro for accidentally deleted files or encrypted data.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by MegaCortex ransomware;
  • Restore them.

Windows Previous Versions feature allows recovering files after MegaCortex ransomware intervention

When System Restore gets enabled, Windows Previous Versions can get used in file recovery

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer is the feature replacing file backups in the data recovery process

Shadow Volume Copies should be untouched by the ransomware, for ShadowExplorer to work

  • Download Shadow Explorer;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Decryption is not possible for MegaCortex ransomware

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from MegaCortex and other ransomware, use a reputable anti-spyware tool, such as Reimage, Intego, SpyHunter 5, Combo Cleaner or Malwarebytes.


Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.
