MegaCortex Ransomware Ups the Ante with Threat of Publication of Stolen Data

The developers of MegaCortex ransomware have released an updated version of their file-encrypting malware. The latest version incorporates a new feature to hamper recovery without paying the ransom along with a new threat. Victims are told that if they do not pay the ransom, their files will be published online.

The latest version of MegaCortex ransomware was discovered by MalwareHunterTeam. The new version will change the Windows password of the logged in user and will display a ransom message stating that the computer has been locked by MegaCortex. This is displayed at the login screen and the user will be prevented from logging in. A new file extension is also being used for encrypted files: .m3g4c0rtx.

In contrast to many ransomware variants, MegaCortex is usually downloaded as a secondary payload by Trojans such as Emotet. Once access is gained to one computer, the attackers move laterally and infect other devices on the network. Recovery without paying the ransomware may prove difficult for many victims as the ransomware deletes Windows shadow volume copies. All free space on the C:\ drive is also wiped.

Encryption takes place using two DLL files, one to identify files to encrypt and the other to perform the encryption process using Rundll3.exe.

A ransom note is saved to the desktop that informs victims that their files have been encrypted by MegaCortex. Victims are told they can confirm that the decryptors work by emailing 2 random files from encrypted computers. Those files will be decrypted and returned as proof that the decryptors work. Victims are told that all passwords on the encrypted computers have been changed and, following payment of the ransom, the new credentials will be provided along with the decryptors.

Victims are also told that all files on the infected devices have been exfiltrated and are being stored in a secure location. The attackers threaten to make those files public if the ransom demand is not paid. The attackers claim that they will delete those files when the ransom payment is received.

No ransom amount is specified in the ransom note. Victims are required to make contact with the attackers via email to discover how much they will need to pay for the keys to decrypt their files.

What is unclear is whether files have been exfiltrated or if this is an empty threat. If it is established that data has been exfiltrated, that will no doubt spur many victims into paying the ransom rather than attempting to recover files from backups.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of