{
	"id": "5d089916-ec7d-420a-80a9-a69a0c485f60",
	"created_at": "2026-04-06T01:31:45.774904Z",
	"updated_at": "2026-04-10T03:20:41.0135Z",
	"deleted_at": null,
	"sha1_hash": "e39461f4207a0a291156c24a05ddf05bafb30c8a",
	"title": "New Megacortex Ransomware Changes Windows Passwords, Threatens to Publish Data",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2724148,
	"plain_text": "New Megacortex Ransomware Changes Windows Passwords, Threatens to Publish Data\r\nBy Lawrence Abrams\r\nPublished: 2019-11-05 · Archived: 2026-04-06 01:09:59 UTC\r\nA new version of the MegaCortex ransomware has been discovered that not only encrypts your files, but now also changes the logged-in user's password and threatens to publish the victim's files if they do not pay the ransom.\r\nFor those not familiar with MegaCortex, it is a targeted ransomware installed through network access provided by trojans such as Emotet. Once the MegaCortex actors gain access, they push the ransomware out to machines on the network via an Active Directory domain controller or post-exploitation kits.\r\nSignificant changes in new MegaCortex version\r\nIn a new sample of the ransomware discovered by MalwareHunterTeam, reverse engineered by Vitali Kremez, and further analyzed by BleepingComputer, we see a new version of MegaCortex that has substantial changes from previous variants.\r\nThe most obvious change seen by victims is the new .m3g4c0rtx extension appended to encrypted files, as shown below.\r\nMegaCortex Encrypted Files\r\nIn addition, MegaCortex now configures a Windows legal notice on the encrypted machine so that a basic \"Locked by MegaCortex\" ransom message with email contacts is displayed before a user even logs in.\r\nMegaCortex Legal Notice\r\nBehind the scenes, quite a bit has changed\r\nWhen the main MegaCortex launcher is executed, it extracts two DLL files and three CMD scripts to C:\\Windows\\Temp. The launcher is currently signed with a Sectigo code-signing certificate issued to an Australian company named \"MURSA PTY LTD\" (see the update below on its revocation).\r\nC:\\Windows\\Temp Folder\r\nThese CMD scripts execute a series of commands that delete shadow volume copies, use the built-in cipher utility to wipe all free space on the C:\\ drive (so that deleted plaintext originals cannot be recovered), set the legal notice, and then clean up the files used to encrypt the computer.\r\nFirst CMD Script\r\nKremez told BleepingComputer that the two DLL files are used to encrypt the files on the computer. One DLL is a file iterator that finds files to encrypt; the other performs the encryption.\r\nThese DLLs are not injected into any process but are instead loaded and run via Rundll32.exe, so rundll32 executions that reference a DLL under C:\\Windows\\Temp are a useful hunting point for this variant.\r\nWhen done, victims will find a ransom note on the desktop titled !-!_README_!-!.rtf that contains some interesting claims that we at first dismissed as idle threats.\r\nMegaCortex Ransom Note\r\nAfter further analysis, we determined that at least one of the threats is true: the ransomware does indeed change the password of the victim's Windows account.\r\nMegaCortex changes the victim's Windows password\r\nIt is not uncommon for ransomware developers to make threats that are not carried out in order to scare victims into paying. Because of this, when we saw that the ransom note stated that a victim's credentials had been changed, we dismissed it.\r\n\"All of your user credentials have been changed and your files have been encrypted.\"\r\nAfter testing the ransomware and rebooting the encrypted computer, I discovered that I was unable to log in to my account.\r\nFurther analysis of the code by Kremez confirmed that MegaCortex is indeed changing the password for the victim's Windows account.\r\nIt does this by running the built-in net user command to set a new password for the account when the ransomware is executed.\r\nNet user command\r\nThis also explains why the attackers added a legal notice shown at the login prompt: the user will no longer be able to log in to reach their desktop, so the login screen is where they will see the ransom message.\r\nThreatens to publish victims' data\r\nIn addition to the proven claim of changing user credentials, the attackers have also changed the ransom note to state that the victim's data has been copied to a secure location.\r\nThey then threaten to make this data public if the victim does not pay the ransom.\r\n\"We have also downloaded your data to a secure location. In the unfortunate event of us not coming to an agreement we will have no choice but to make this data public.\r\nOnce the transaction is finalized all of copies of data we have downloaded will be erased.\"\r\nIt is not confirmed that the attackers have actually copied victims' files, but this threat should not be dismissed, and victims may want to require the attackers to prove that they hold the files, as claimed, when communicating with them.\r\nIf the MegaCortex actors are actually copying data, victims will have to treat these attacks as a data breach going forward instead of just a ransomware infection.\r\nThis ultimately adds a whole new layer of complexity and risk to these types of attacks.\r\nUpdate 11/7/19: Sectigo told BleepingComputer that they revoked the certificate used by this malware on November 5th at 4:20 PM ET.\r\nIOCs:\r\nHashes (SHA-256):\r\nca0d1e770ca8b36f6945a707be7ff1588c3df2fd47031aa471792a1480b8dd53 [Launcher]\r\n5ff14746232a1d17e44c7d095e2ec15ede4bd01f35ae72cc36c2596274327af9 [DLL]\r\ne362d6217aff55572dc79158fae0ac729f52c1fc5356af4612890b9bd84fbcde [DLL]\r\nAssociated files:\r\n!-!_README_!-!.rtf\r\nRansom note text:\r\nYour company's network has been breached and infected with MegaCortex Malware.\r\nAll of your user credentials have been changed and your files have been encrypted.\r\nWe ensure that the only way to retrieve your data swiftly and securely is with our software.\r\nRestoration of your data requires a private key which only we possess.\r\nTo confirm that our decryption software works email to us 2 files from random computers.\r\nYou will receive further instructions after you send us the test files.\r\nAfter receiving payment we will provide you with the decryptor including its full source code and credentials to your comp\r\nWe have also downloaded your data to a secure location. In the unfortunate event of us not coming to an agreement we will\r\nhave no choice but to make this data public.\r\nOnce the transaction is finalized all of copies of data we have downloaded will be erased.\r\nWe will provide any assistance if needed.\r\nContact emails:\r\nredacted@redacted.com\r\nor\r\nredacted@redacted.com\r\nSource: https://www.bleepingcomputer.com/news/security/new-megacortex-ransomware-changes-windows-passwords-threatens-to-publish-data/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-megacortex-ransomware-changes-windows-passwords-threatens-to-publish-data/"
	],
	"report_names": [
		"new-megacortex-ransomware-changes-windows-passwords-threatens-to-publish-data"
	],
	"threat_actors": [],
	"ts_created_at": 1775439105,
	"ts_updated_at": 1775791241,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e39461f4207a0a291156c24a05ddf05bafb30c8a.pdf",
		"text": "https://archive.orkl.eu/e39461f4207a0a291156c24a05ddf05bafb30c8a.txt",
		"img": "https://archive.orkl.eu/e39461f4207a0a291156c24a05ddf05bafb30c8a.jpg"
	}
}