Home / Industry

How Reverse WHOIS Search Can Help Protect Against MegaCortex and Other Ransomware

Earlier this week, a new variant of MegaCortex ransomware was found encrypting files and changing victims’ passwords on Windows-based computers. Victims who fail to pay the ransom were as usual threatened that their personal data would be released.

How does the attack work? In short, MegaCortex is executed through other malware files and scripts. Once a system is successfully infected with the malware, MegaCortex is installed through an active directory controller or a post-exploitation kit.

According to Vitali Kremez of Bleeping Computer, MegaCortex variants use the .m3g4cortx extension name. Here is a summary of his technical analysis:

  • When MegaCortex is executed, it extracts two files and three scripts into the users’ Temp folder. The first file (the “launcher”) that is used to launch the ransomware itself (which is the second file of the attack) comes with a Sectigo certificate signed for an Australian company, MURSA PTY LTD. Note that this certificate was deemed unreliable by Sectigo (a major SSL certificate provider).
  • The scripts then carry out commands to eliminate all copies (even incomplete ones) of the files that the ransomware is set to encrypt and take hostage.
  • Once the ransomware installation is done, the affected user sees the ransom note on his/her desktop screen.

Cybercriminal undertakings like this one underline the importance of taking the right cybersecurity measures. Apart from blocking all files sporting the .m3g4cortx extension from computers, said measures involve monitoring all the domains, including subdomains, that are accessing an organization’s networks. Failure to identify unauthorized access and block malicious domains that may possibly bring malware on board can result in system or worse network infection.

As part of their threat identification activities, users can use tools like Domain Research Suite and its components for cybersecurity analysis. Or they can, for example, integrate other tools like Reverse WHOIS API into their existing security solutions to identify potential sources of threats for domain blocking.

Our Investigative Tools: Reverse WHOIS Search and Others

We know from the MegaCortex case that the attackers used emails containing the domain “mail.com”—i.e., MckinnisKamariyah91@mail[.]com and ThomassenVallen1999@mail[.]com.

A quick run of “mail.com” on Domain Research Suite allowed us to pull out the WHOIS record for the domain. As seen below, most of the information is redacted for privacy, indicating the registrant certainly used a WHOIS privacy service not to disclose his personal information:

Despite the little found from the WHOIS record, we then ran a reverse WHOIS search on the registrant’s name, which returned 9 domains. As this number is low, it might be worth looking into each of them to see if these may have ties to malicious activities possibly as victims or perpetrators (note that this can’t be concluded from this brief analysis alone):

Finally, we ran a query for “mail.com” domain on the Threat Intelligence Platform and saw a couple of violations that may require further action:

In fact, given that the domain “mail.com” appears to have ties to malicious activity, as indicated by listings on a botnet command-and-control (C&C) and a spam blacklist, it may be safe to block communications coming from and going to it.

* * *

Allowing threat actors to gain access to your network is synonymous with giving them control over your systems. URL filtering is an effective means to prevent unauthorized system and network access. To avoid threats like MegaCortex, organizations can enable URL filtering on their network with the aid of reverse WHOIS search and other domain research and monitoring tools.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under


Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



New TLDs

Sponsored byRadix


Sponsored byDNIB.com


Sponsored byVerisign

Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API

Brand Protection

Sponsored byCSC