MegaCortex Ransomware Changes Windows Passwords, Blackmails Users

(Image credit: Shutterstock)

A new version of the MegaCortex ransomware is changing users' Windows login passwords and then threatening to making their files public if they don’t pay the ransom, as reported by BleepingComputer this week. 

MegaCortex was initially an enterprise-focused ransomware that used the Emotet trojan to install itself on network computers. 

As of recently, it started automating its attacks against a wider range of PCs that have various exploitable security vulnerabilities. The ransomware now shows users what looks like a legal notice with the message “Locked by MegaCortex” on the Windows lockscreen, along with two email contact addresses and an "OK" button. 

Once the MegaCortex launcher is executed, a ransom note titled "!-!_README_!-!.rtf" appears on the victim's desktops. The note threatens to change users’ Windows passwords if they don’t pay the ransom. It seems real, as rebooting the encrypted systems locks users out of their accounts.

The ransom note doesn’t just threaten to change users' Windows password, but also says that the victims’ files have been copied to another location and will be made public unless they pay up:

"We have also downloaded your data to a secure location. In the unfortunate event of us not coming to an agreement we will have no choice but to make this data public. Once the transaction is finalized all of copies of data we have downloaded will be erased," the note reads, according to BleepingComputer. 

Sometimes ransomware creators make up scary warnings to get people to pay. However, at least one of the threats made by the MegaCortex creators in the ransom note turned out to be real. 

Ransomware has been on the rise again lately, especially among enterprises, where locking out an entire network could earn hackers significant payouts. As long as this continues to remain true, the ransomware threat will likely not disappear.

How MegaCortex Ransomware Works

After MegaCortex is executed on a target machine, the MegaCortex launcher extracts two .DLL files and three CMD scripts to the C:\Windows\Temp directory path. The launcher seems to be signed by a certificate belonging to an Australian company named "MURSA PTY LTD.”

The DLL files, which run via the Windows Rundll32.exe process, encrypt the victims’ files. Meanwhile the CMD scripts perform a variety of other commands, such as wiping the free space on the PC and deleting files used to encrypt the computer.

After the initial run of the files, the aforementioned "!-!_README_!-!.rtf" ransom note appears on the user's desktop.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • Ninjawithagun
    "As of recently, it started automating its attacks against a wider range of PCs that have various exploitable security vulnerabilities."

    Really? What kind of security vulnerabilities? What you really mean is users are uneducated and opening suspicious emails and attachments without thought and infecting their unprotected computers. I have several PCs and MACs in my household and have never had an issue with any kind of ransomware or any other kind of malicious infection (virus, rootkit, worm, malware, etc.) because my family has been educated on the possible cyber threats on the internet and through emails. It's really quite simple and easy on educating people what NOT to do when on a computer. But that's just me and my family. I still work on customer computers that are not running any kind of security software and they purposely disabled the Windows 10 firewall because they considered it a nuisance and/or intrusive (my motto: better having basic protection than having nothing at all). Then they come to me frustrated because their computer has been infected. Yes, really.