New MegaCortex version changes passwords in Windows and threatens to publish stolen data

The new version of the MegaCortex ransomware not only encrypts files, but also changes passwords in Windows, and threatens to disclose the victim’s information if it does not pay the ransom.

Recall that this ransomware has been famous to specialists for a while. It is distributed using another malware, such as Emotet, and cryptographic operators try to get to the domain controller as soon as possible in order to spread the threat to the maximum number of systems.

The publication in Bleeping Computer reports that the specialists of MalwareHunterTeam and Vitali Kremez noticed the new version of MegaCortex. Now the ransomware changes the extensions of the affected files to .m3g4c0rtx, and uses a couple of new tricks.

Read also: Ransomware attacked two Spanish companies: the local Internet is in panic as during the WannaCry days

Therefore, now MegaCortex Launcher extracts two DLL files and three CMD scripts to the C:\Windows\Temp folder. At the same time, the launcher is signed by Sectigo certificate issued by the Australian company MURSA PTY LTD. CMD files are used to execute a number of commands, including deleting shadow copies and overwriting all free space on the C:\drive.

“In addition, MegaCortex will now configure a legal notice on the encrypted machine so that it displays a basic “Locked by MegaCortex” ransom message with email contacts before a user even logs in”, — write Bleeping Computer journalists.

Now MegaCortex also intimidates its victims, forcing them to pay.

The fact is that a new ransom note begins with the phrase “all your credentials have been changed and all files are encrypted.” As the experts found out, this is not an empty threat: the malware really changes the passwords of victims in Windows accounts.

In addition, now the attackers claim that they not only encrypted, but also copied all the data of the victim, and threatened to publish it in the public domain if they did not receive the ransom.

“We have also downloaded your data to a secure location. In the unfortunate event of us not coming to an agreement we will have no choice but to make this data public. Once the transaction is finalized all of copies of data we have downloaded will be erased”, — says cybercriminals’ message.

Researchers note that so far there is no evidence that the attackers are really copying information of the victims. However, this threat should not be neglected. If the MegaCortex actors are actually copying data, though, victims will now have to treat these attacks as a data breach going forward instead of just a ransomware infection.