Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to threat actors

MegaCortex

Also known asmegacortex

MegaCortex is a ransomware operation referenced in the provided content as one of the ransomware groups that used Qakbot/QBot for initial access. The content states that MegaCortex has deleted Volume Shadow Copies using vssadmin.exe to inhibit recovery. It is also directly linked to Ukrainian national Volodymyr Viktorovich Tymoshchuk, who was charged by the U.S. Justice Department as an administrator of the LockerGoga, MegaCortex, and Nefilim ransomware operations. According to the content, between July 2019 and June 2020, Tymoshchuk and co-conspirators used LockerGoga and MegaCortex to compromise the networks of more than 250 victim companies in the United States and hundreds of other companies worldwide, causing millions of dollars in damages. Victims mentioned in the broader indictment summary included blue-chip American companies, healthcare institutions, and large foreign industrial firms. The content also notes that ransomware executables were customized per victim with unique decryption keys, and that decryption keys for LockerGoga and MegaCortex were released through the No More Ransomware Project in September 2022. Known association in the content: LockerGoga and Nefilim through shared administration by Tymoshchuk.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Health Care Equipment & Services
  • Software & Services
ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app
the hacker newsNews
Dec 23, 2025
INTERPOL Arrests 574 in Africa; Ukrainian Ransomware Affiliate Pleads Guilty

MegaCortex is a ransomware operation managed by individuals such as Tymoshchuk, targeting organizations for financial gain.

Read more
bleeping computerNews
Dec 22, 2025
Ukrainian hacker admits affiliate role in Nefilim ransomware gang

MegaCortex is associated with ransomware attacks that breached hundreds of companies worldwide, resulting in millions of dollars in damages.

Read more
hackreadNews
Dec 22, 2025
Ukrainian National Pleads Guilty in Nefilim Ransomware Conspiracy

MegaCortex is a ransomware strain associated with actors linked to Nefilim, used in corporate extortion campaigns.

Read more
data breaches netNews
Sep 9, 2025
“LockerGoga,” “MegaCortex,” and “Nefilim” Ransomware Administrator Charged with Ransomware Attacks

MegaCortex is a ransomware group that targeted large organizations worldwide, encrypting data and demanding ransom for decryption. The group was involved in high-profile attacks and used customized ransomware payloads for each victim.

Read more
+4 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.