RansomCortex (status: Active)
Brazilian group primarily targeting Latin American healthcare.

Total Victims: 1
First Seen: 2024-06-01
Last Seen: 2026-03-06
Known TTPs: 0
Avg Delay: 15.0d
Negotiations: 0
ONION URLS
gg6owuhu72muoelkt2msjrp2llwr2on5634sk5v2xefzmobvryywbhid.onion
TOOLS
Custom tools
FILE EXTENSIONS
.cortex
[Charts not extracted: activity timeline, top sectors, top countries, activity heatmap]
| Date | Victim Name | Country | Sector | Status |
|---|---|---|---|---|
| 2026-03-06 | Peak Inc | United States | Agriculture | Published |
No TTPs data
RansomCortex_rule_1 (source: InQuest)

```yara
rule RansomCortex_ransomware_1 {
    meta:
        description = "Detects RansomCortex ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "05ecdaa1807e5f212b72510b600362916afcd6baff398283f7a05f9802d5b3dc"
    strings:
        $s0 = "PAYMENT" nocase
        $r1 = /[A-Za-z0-9]{56}\.onion/
        // $h2 and $h5 ended in a lone trailing nibble as extracted, which is not
        // valid YARA; the known high nibble is kept and the low nibble wildcarded
        // with "?" so the rule compiles without changing the bytes that were given
        $h2 = { D7 32 82 B1 5E F5 15 78 D? }
        $s3 = "ENCRYPTED" nocase
        $s4 = "Do not modify" nocase
        $h5 = { DC F7 AF 1B 28 C3 41 41 D? }
    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        4 of them
}
```
RansomCortex_rule_2 (source: RansomwareMonitor)

```yara
rule RansomCortex_ransomware_2 {
    meta:
        description = "Detects RansomCortex ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "9978a522893525e064fbb18d2fcf3480c74309377f2fce84c0bdcf3e655c8b39"
    strings:
        $s0 = "RansomCortex" nocase
        $r1 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $s2 = "Do not rename" nocase
        // $h3 ended in a lone trailing nibble as extracted (not valid YARA);
        // the low nibble is wildcarded with "?" so the rule compiles
        $h3 = { B1 0C FB A6 06 8C 97 E3 EF 2F 0A 70 A? }
        $s4 = "AES-256" nocase
        $h5 = { 50 B4 6C 12 6C 64 CA 58 A2 }
    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        4 of them
}
```
RansomCortex_rule_3 (source: CISA)

```yara
rule RansomCortex_ransomware_3 {
    meta:
        description = "Detects RansomCortex ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "f4b41ee7566b2906f1d9624b4669940488b14e7f4f89ce30024d1a8b7fef57e1"
    strings:
        $r0 = /[A-Za-z0-9]{56}\.onion/
        $s1 = "!!!" nocase
        // the extracted rule listed this Bitcoin-address regex twice ($r2 and $r3)
        // under "4 of them"; the duplicate is dropped and the condition written as
        // "all of them", which is the same requirement on the three distinct strings
        $r2 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        all of them
}
```
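The three rules above share two weak points a practitioner should check before trusting a hit: the string sets are generic ("PAYMENT", "ENCRYPTED", a 56-character `.onion` regex that also matches 56 arbitrary alphanumerics), and only the `4 of them` threshold plus the MZ/filesize gate keeps them from firing on ordinary binaries. The block below is an added triage helper, not code from the tracker or from any RansomCortex sample: it re-implements the matching logic of `RansomCortex_ransomware_1` in pure Python (no yara-python dependency) and validates every `.onion` candidate as a structurally correct Tor v3 address (56 base32 characters decoding to a 32-byte key, a 2-byte SHA3-256 checksum and a version byte of 3, per the Tor v3 hidden-service spec), so that regex hits that cannot be real hidden-service addresses are filtered out before they are recorded as IoCs. Assumptions: the rule's odd-nibble hex strings are read as `D?` wildcards, and all input buffers and the sample address are constructed here, not taken from real samples.

```python
"""Added triage helper: emulate RansomCortex_ransomware_1 in pure Python and
validate .onion hits as Tor v3 addresses. Not part of the tracker page."""
import base64
import hashlib
import re

# Strings of RansomCortex_ransomware_1 as byte regexes. The two hex strings
# ended in a lone nibble in the extracted rule; read here as a "D?" wildcard
# (assumption), i.e. any final byte 0xD0..0xDF.
RULE1_PATTERNS = {
    "$s0": re.compile(rb"PAYMENT", re.IGNORECASE),
    "$r1": re.compile(rb"[A-Za-z0-9]{56}\.onion"),
    "$h2": re.compile(rb"\xd7\x32\x82\xb1\x5e\xf5\x15\x78[\xd0-\xdf]"),
    "$s3": re.compile(rb"ENCRYPTED", re.IGNORECASE),
    "$s4": re.compile(rb"Do not modify", re.IGNORECASE),
    "$h5": re.compile(rb"\xdc\xf7\xaf\x1b\x28\xc3\x41\x41[\xd0-\xdf]"),
}
FIVE_MB = 5 * 1024 * 1024  # YARA's "5MB" is 5 * 2**20 bytes


def rule1_matches(data: bytes, threshold: int = 4):
    """Apply the rule condition: uint16(0) == 0x5A4D ("MZ" little-endian),
    filesize < 5MB, and at least `threshold` of the strings present.
    Returns (matched, identifiers of the strings that matched)."""
    if data[:2] != b"MZ" or len(data) >= FIVE_MB:
        return False, []
    hits = [name for name, pat in RULE1_PATTERNS.items() if pat.search(data)]
    return len(hits) >= threshold, hits


# Tor v3 address = base32(PUBKEY[32] || CHECKSUM[2] || VERSION[1]), lowercase.
ONION_RE = re.compile(rb"\b([a-z2-7]{56})\.onion\b")
ONION_V3_VERSION = b"\x03"


def onion_v3_checksum(pubkey: bytes) -> bytes:
    """CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + ONION_V3_VERSION).digest()[:2]


def is_valid_onion_v3(addr: str) -> bool:
    """True only for 56 base32 chars whose decoding carries version 3 and a
    checksum that matches the embedded public key."""
    if not re.fullmatch(r"[a-z2-7]{56}", addr):
        return False
    raw = base64.b32decode(addr.upper())  # 56 * 5 bits = 35 bytes, no padding
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == ONION_V3_VERSION and checksum == onion_v3_checksum(pubkey)


def onion_v3_from_pubkey(pubkey: bytes) -> str:
    """Encode a 32-byte key as a v3 address; used only to build a sample."""
    return base64.b32encode(pubkey + onion_v3_checksum(pubkey) + ONION_V3_VERSION).decode().lower()


def extract_onions(data: bytes):
    """Every .onion candidate in data, tagged with the v3 structural check."""
    found = []
    for m in ONION_RE.finditer(data):
        addr = m.group(1).decode()
        found.append((addr, is_valid_onion_v3(addr)))
    return found


# Constructed sample inputs (dummy key and text, not real RansomCortex data).
SAMPLE_ONION = onion_v3_from_pubkey(bytes(range(32)))
BOGUS_ONION = "a" * 56  # passes the rule's regex, decodes to all-zero bytes
NOTE_LIKE = (
    b"MZ" + b"\x00" * 62
    + b"Your files are ENCRYPTED. Do not modify them. PAYMENT portal: http://"
    + SAMPLE_ONION.encode() + b".onion/ mirror: " + BOGUS_ONION.encode() + b".onion\x00"
)
BENIGN_PE = b"MZ" + b"\x00" * 62 + b"PAYMENT terms ... ENCRYPTED channel\x00"

if __name__ == "__main__":
    print(rule1_matches(NOTE_LIKE))    # rule fires: $s0, $r1, $s3, $s4
    print(rule1_matches(BENIGN_PE))    # only two generic strings, below threshold
    print(extract_onions(NOTE_LIKE))   # real-looking address True, "aaa...a" False
```

Running it on the constructed note shows the rule firing on four generic strings while the checksum test rejects the 56-character filler that the rule's `$r1` regex accepted; the same `extract_onions` pass is what to run over a real sample before adding a `.onion` URL to the IoC list.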
No IoCs
No ransom notes