Monday, November 23, 20:04
Home security Megacortex Ransomware: Changes password and threatens to publish data

Megacortex Ransomware: Changes password and threatens to publish data

A new version of MegaCortex Ransomware has been found not only to encrypt your files, but also changes the user's password and threatens to publish the victim's files if he does not pay for the ransom.

For those who don't know much about MegaCortex, it is a ransomware installed via access to network provided by trojans such as Emotet. Once MegaCortex hackers gain access, they then "push" ransomware into machines on the network via an active directory controller or post-exploit kit.

Significant changes to the new version of MegaCortex

In a new sample of ransomware discovered by MalwareHunterTeam, we see a new version of MegaCortex that has substantially changed from previous variants.

The most obvious change that victims are facing is the new .m3g4c0rtx extension used by ransomware as shown above.

MegaCortex Ransomware

In addition, MegaCortex will now set up a legal alert for the encrypted machine to display a basic "Locked by MegaCortex" message before another user logs in.

When the main MegaCortex launcher runs, two DLL files and three CMD scripts will be exported to C: \ Windows \ Temp. The launcher is currently signed with a Sectigo certificate for Australian company called "MURSA PTY LTD".

These CMD files will execute a variety of commands that remove Shadow Volume Copies, using the Cipher command to wipe all the free space on the C: \ drive, set the Legal Notice Legal Note, and then clear all the files used for the computer encryption.

Kremez told BleepingComputer in talks that the two DLLs are used to encrypt the files in the computer. One DLL file is an iterator file that looks for the file for encryption and the other DLL will be used to encrypt the file.

These DLL files are not injected at all procedure, but run through Rundll32.exe.

When it's over, the victims will find a note for ransom desktop!! -! _ README _! -!. rtf containing some interesting comments that were initially dismissed as inactive threats.

After further analysis, we have found that at least one of the threats is true. Ransomware actually changes the victim's password on their behalf Windows.

MegaCortex changes the password of Windows victims

It's not uncommon for ransomware developers to threaten to scare victims into paying. Because of this, when we saw that the ransom note said that the victim's credentials had changed, we rejected it. After testing the ransomware and restarting it encrypted computer, I found that I couldn't sign in to my account.

Further analysis of the code by Kremez confirmed that MegaCortex does indeed change the password for the victim account on Windows. It does this by executing the net user command when the ransomware is running.


This also explains why the intruders added a legal notice that appears in the login prompt, as the user will no longer be able to login to access the login prompt. desktop of.

Threatens to publish victim data

Except for the proven changes user credentials, the attackers have also changed the ransom note to indicate that the victim's data has been copied to a secure location.

They then threaten to make these public date if the victim does not pay the ransom.

It is not confirmed if the attackers have actually copied the victims' files, but this threat must not be dismissed and the victim may want to confirm that the attackers did in fact archives as they say when communicating with them.

If MegaCortex hackers are actually copying data, victims should treat these attacks as a data breach rather than a ransomware infection.

This will eventually add a whole new level of complexity and risk to these types attacks.



Please enter your comment!
Please enter your name here

Teo Ehc
Teo Ehc
Be the limited edition.


Details of Spotify users were exposed by hackers

A hacking team has gained unauthorized access to 350.000 Spotify accounts on the music streaming service. To achieve this ...

Black Friday: Tips for Secure Online Shopping

Black Friday and Cyber ​​Monday are two of the busiest days for online shopping. And of course ...

Photoshop: How to restore the old mode of Free Transform

Adobe recently changed the way Free Transform works. But you can restore the old way of working ...

EU: Ready to end end-to-end encryption?

End-to-end encryption is a security tool used by various applications, including Facebook Messenger, WhatsApp and Signal, for further ...

How to disable the "welcome tips" after the Windows 10 update

Windows 10 after an update sometimes opens a window with tips to show you what's new for ...

The Windows 10 KB4586819 update fixes several issues

Microsoft has released the cumulative non-security update KB4586819 preview for Windows 10 versions 1809, 1903 and 1909, with various fixes ...

Drupal websites are vulnerable to double-extension attacks!

The team behind Drupal Content Management System (CMS) released some security updates this week to fix a critical ...

Face recognition can identify bears and cows

Face recognition can be used to identify various animals such as bears and cows!

Google Workspace: How it unlocked the subscription software market

In fact, Google has made it easier for smaller players. A startup that starts in 2020 ...

Black Friday with online offers in COSMOTE and GERMANO

Press Release: Black Friday with online offers at COSMOTE and GERMANO November 23, 2020