Image: Hennie Stander

Bitdefender releases decryptor for MegaCortex ransomware after Swiss police raids

Cybersecurity company Bitdefender has released a decryptor for the MegaCortex ransomware, which was used in attacks globally before police raids hindered its operations.

The decryptor was developed in coordination with Swiss police and European law enforcement agencies, which carried out raids in October 2021 against the alleged cybercriminals behind the Dharma, MegaCortex and LockerGoga ransomware strains. 

Europol said at the time that the group, using all three ransomware strains, was responsible for 1,800 infections across 71 countries. European law enforcement agencies accused them of launching the 2019 attack on Norwegian aluminum giant Norsk Hydro.

Since the raids, Bitdefender has worked with Europol, the NoMoreRansom Project, the Zürich Public Prosecutor's Office and the Zürich Cantonal Police to create decryptors for each ransomware, releasing one for LockerGoga in October 2022. They used the master decryption keys found during the raids to create the universal decryptors but still urged those affected by the ransomware to file criminal complaints if they have not done so already.

On Thursday, Bitdefender published the decryptor for MegaCortex, which was used in several attacks across Italy, the United States, Canada and the Netherlands – including one on online cloud hosting provider iNSYNQ in 2019 and another on accounting software giant Wolters Kluwer.

Analysts found that the group typically asked for ransoms between $20,000 and $5.8 million. Bogdan Botezatu, director of threat research at Bitdefender, told The Record that in the past year they have been contacted by several victims looking for ways to recover data after being attacked with the MegaCortex ransomware. Because the group is no longer active, the decryptor will only help victims who held on to their encrypted equipment, Recorded Future ransomware expert Allan Liska said.

Botezatu noted that MegaCortex was operated by a complex team – some of whom specialized in gaining access by identifying and exploiting known vulnerabilities in exposed infrastructure, or by leveraging a pre-existing infection on the network (such as Emotet or Qakbot).

"In some circumstances, stolen credentials have been used to compromise the Domain Controller and then use other manual or automated components to deploy the MegaCortex payloads across the organization," he said. According to Botezatu, Bitdefender was given keys obtained by law enforcement to create the decryptor but was not involved in the investigation.

Liska said that since the raid, MegaCortex has largely disappeared from the scene. 

“MegaCortex first appeared in 2019 and were very active for about a year and a half (until their arrest),” he said. “They were among the first ‘big game hunting’ groups to partner with Qakbot (QBot) for distribution and they were also one of the earlier ransomware groups to sign their executable.”

In a press release last year, the Zürich Public Prosecutor’s Office said it planned to eventually release a decryptor for the ransomware after finding decryption keys from one specific hacker who is currently being held in Zürich and is facing a range of hacking and money laundering charges.

“I will say it is nice to see a ransomware group arrested, and actually stay down,” Liska said.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.