A new version of the MegaCortex ransomware has been found that not only encrypts the victim's files but also changes the user's Windows password and threatens to publish the victim's files if the ransom is not paid.
For those unfamiliar with MegaCortex, it is ransomware installed through network access provided by trojans such as Emotet. Once the MegaCortex operators gain access, they "push" the ransomware to machines on the network via an Active Directory domain controller or a post-exploitation kit.
Significant changes to the new version of MegaCortex
In a new sample of the ransomware discovered by MalwareHunterTeam, we see a new version of MegaCortex that has changed substantially from previous variants.
The most obvious change that victims will face is the new .m3g4c0rtx extension appended by the ransomware, as shown above.
In addition, MegaCortex now sets a legal notice on the encrypted machine that displays a basic "Locked by MegaCortex" message before a user logs in.
When the main MegaCortex launcher runs, two DLL files and three CMD scripts are extracted to C:\Windows\Temp. The launcher is currently signed with a Sectigo certificate issued to an Australian company called "MURSA PTY LTD".
These CMD files execute a variety of commands that remove Shadow Volume Copies, use the Cipher command to wipe all free space on the C: drive, set the legal notice, and then delete all the files that were used to encrypt the computer.
Kremez told BleepingComputer that the two DLLs are used to encrypt the files on the computer. One DLL is an iterator that searches for files to encrypt, and the other DLL is used to encrypt them.
These DLLs are not injected into any process; they are run through Rundll32.exe.
When it is done, victims will find a ransom note named !-!_README_!-!.rtf on the desktop containing some interesting claims that were initially dismissed as empty threats.
After further analysis, we have found that at least one of the threats is true: the ransomware actually changes the victim's Windows password.
MegaCortex changes the password of Windows victims
It is not uncommon for ransomware developers to make threats to scare victims into paying. Because of this, when we saw that the ransom note said the victim's credentials had been changed, we dismissed it. After running the ransomware and restarting the encrypted computer, I found that I could not sign in to my account.
Further analysis of the code by Kremez confirmed that MegaCortex does indeed change the password of the victim's Windows account. It does this by executing the net user command while the ransomware is running.
This also explains why the attackers added a legal notice that appears at the login prompt: the user can no longer log in past it to reach the desktop.
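The execution chain described above (CMD scripts in C:\Windows\Temp that remove shadow copies, wipe free space with Cipher and set the legal notice, DLLs run through Rundll32.exe, and the net user password change) leaves a recognisable trail in process-creation telemetry. The following Python sketch is an added example, not part of the original article and not MegaCortex's own code: it runs simple detection rules over constructed log lines shaped like Sysmon process-creation records. The DLL name, export name and password in the sample events are placeholders, and because the article does not give the exact shadow-copy or legal-notice commands, vssadmin delete shadows and the Winlogon Policies\System LegalNotice registry values are assumed as representative forms.

```python
"""Detection rules for the MegaCortex execution chain described above.

Constructed example: the log lines below are made up to resemble Sysmon
Event ID 1 (process creation) records flattened to key=value pairs
separated by '|'. They are not telemetry from a real infection.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample events. Indices 0-4 mirror the behaviour the article
# describes; 5-7 are benign look-alikes the rules must not flag.
SAMPLE_EVENTS = [
    # DLL dropped to C:\Windows\Temp and run via rundll32
    # (DLL and export names are placeholders, not the real sample's).
    r'Image=C:\Windows\System32\rundll32.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=rundll32.exe C:\Windows\Temp\placeholder_iter.dll,Start',
    # Free-space wipe of the C: drive with cipher /w
    r'Image=C:\Windows\System32\cipher.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=cipher /w:C:',
    # Shadow copy deletion (vssadmin assumed as the representative command)
    r'Image=C:\Windows\System32\vssadmin.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=vssadmin delete shadows /all /quiet',
    # Legal notice written to the Winlogon policy key (assumed mechanism)
    r'Image=C:\Windows\System32\reg.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LegalNoticeCaption /t REG_SZ /d "Locked by MegaCortex" /f',
    # Password reset of an existing account with net user (password constructed)
    r'Image=C:\Windows\System32\net1.exe|ParentImage=C:\Windows\System32\net.exe|CommandLine=C:\Windows\system32\net1 user Administrator NewPass123',
    # Benign: listing local accounts
    r'Image=C:\Windows\System32\net.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=net user',
    # Benign: rundll32 loading a system DLL from its normal location
    r'Image=C:\Windows\System32\rundll32.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=rundll32.exe shell32.dll,Control_RunDLL',
    # Benign: cipher used to encrypt a folder, not to wipe free space
    r'Image=C:\Windows\System32\cipher.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=cipher /e C:\Users\alice\secret',
]


def parse_event(line: str) -> Dict[str, str]:
    """Split 'k=v|k=v' into a dict; values may contain '=' but not '|'."""
    fields: Dict[str, str] = {}
    for part in line.split('|'):
        key, _, value = part.partition('=')
        fields[key] = value
    return fields


def tokenize(cmdline: str) -> List[str]:
    """Windows-style split: quoted runs stay together, quotes are dropped."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit('\\', 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches."""
    image = basename(event.get('Image', ''))
    tokens = tokenize(event.get('CommandLine', ''))
    lower = [t.lower() for t in tokens]
    hits: List[str] = []

    # 1. rundll32 loading a DLL out of C:\Windows\Temp, the drop location
    if image == 'rundll32.exe' and len(tokens) > 1:
        dll_path = tokens[1].split(',', 1)[0].lower()
        if '\\windows\\temp\\' in dll_path and dll_path.endswith('.dll'):
            hits.append('rundll32_dll_from_windows_temp')

    # 2. cipher /w:<drive> wipes free space, destroying deleted-file remnants
    if image == 'cipher.exe' and any(t.startswith('/w:') for t in lower):
        hits.append('cipher_free_space_wipe')

    # 3. Shadow Volume Copy deletion removes the built-in rollback option
    if image == 'vssadmin.exe' and 'delete' in lower and 'shadows' in lower:
        hits.append('shadow_copy_deletion')
    if image == 'wmic.exe' and 'shadowcopy' in lower and 'delete' in lower:
        hits.append('shadow_copy_deletion')

    # 4. Legal notice caption/text written under the Winlogon policy key
    if image == 'reg.exe' and 'add' in lower:
        if any('policies\\system' in t for t in lower) and any(
                t in ('legalnoticecaption', 'legalnoticetext') for t in lower):
            hits.append('legal_notice_set')

    # 5. net user <account> <password>: a third positional argument that is
    #    not a switch means a password is being set ('*' prompts for one)
    if image in ('net.exe', 'net1.exe') and len(lower) >= 4 and lower[1] == 'user':
        if not lower[3].startswith('/'):
            hits.append('net_user_password_set')
    return hits


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Run every rule over every line; return (line index, rule name) pairs."""
    findings: List[Tuple[int, str]] = []
    for idx, line in enumerate(lines):
        for rule in evaluate(parse_event(line)):
            findings.append((idx, rule))
    return findings


if __name__ == '__main__':
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f'event {idx}: {rule}')
```

Each rule on its own produces noise in an enterprise (administrators reset passwords and run cipher), so in practice these hits are worth correlating: several of them fired from the same cmd.exe parent within a short window, on a host where rundll32 has just loaded a DLL from Temp, is the pattern the article describes rather than any single command.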
Threatens to publish victim data
Beyond the confirmed change of user credentials, the attackers have also modified the ransom note to state that the victim's data has been copied to a secure location.
They then threaten to make this data public if the victim does not pay the ransom.
It is not confirmed whether the attackers actually copy victims' files, but this threat should not be dismissed, and victims may want to ask the attackers to prove that they do in fact hold the archives they claim when communicating with them.
If the MegaCortex operators are actually copying data, victims should treat these attacks as a data breach rather than just a ransomware infection.
This adds a whole new level of complexity and risk to these types of attacks.