The new version of the MegaCortex ransomware not only encrypts files but also changes account passwords, and threatens to publish the victim's data if the ransom is not paid.
As a reminder, this ransomware has been known to researchers for some time. It is delivered by other malware, such as Emotet, and its operators try to reach the domain controller as quickly as possible in order to spread the threat to the maximum number of systems.
Bleeping Computer reports that the new version of MegaCortex was spotted by MalwareHunterTeam and Vitali Kremez. The ransomware now changes the extension of affected files to .m3g4c0rtx and also uses a couple of new tricks.
The MegaCortex launcher now extracts two DLL files and three CMD scripts into the C:\Windows\Temp folder. The launcher is signed with a Sectigo certificate issued to the Australian company MURSA PTY LTD. The CMD files are used to execute a number of commands, including deleting shadow copies and overwriting all free space on the C: drive.
MegaCortex now also intimidates its victims to force them to pay. The new ransom note opens with the phrase "all your account data has been changed and all files are encrypted." As the experts found out, this is not an empty threat: the malware really does change the passwords of the victims' Windows accounts.
In addition, the attackers now claim that they have not only encrypted but also copied all of the victim's data, and threaten to publish it if they do not receive the ransom. Researchers note that so far there is no evidence that the attackers are actually exfiltrating the victims' information anywhere.
Photo: Bleeping Computer