Appearing on a growing number of corporate networks during May 2019, MegaCortex ransomware seems to have evolved. It can now change the password of the current user session on Windows machines, and threatens to have downloaded all the victim's data and made public if the ransom is not paid.

MegaCortex Ransomware is now able to change Windows Password

The most obvious change in the virus update is the .m3g4c0rtx extension used by MegaCortex during an attack. (Photo credit: @malwrhunterteam)

In May, security researchers at Sophos detected ransomware MegaCortex on a large number of corporate networks. Although the volume of these attacks has not been specified, they have occurred in Italy, in the United States, and also in France.

A short time ago, a little update was discovered by the MalwareHunterTeam where the ransomware would not only encrypt the files but can now change the password of the logged user and threat to publish his files if he/she does not not pay the required ransom amount.

Most of the time, hackers blocking access to the contents of a computer, leave a message to their victims to give them details on how to contact them for ransom, etc. Hackers often exaggerate threats to push people who have their infected computers to pay. The researchers therefore initially thought that the password change threats of the Windows session was not true. However, once the encrypted computer rebooted, it was indeed impossible to reconnect to the account.


To do the job, the ransomware executes the "net user" command when it is installed on the victim's terminal. This also explains why attackers have added a legal notice that appears at the login prompt since the user will not be able to log his computer anymore.

Another threat to the compromised computer victim is : "We have also downloaded your data in a secure place. If, unfortunately, we do not reach an agreement, we will have no choice but to make this data public", can read the victim in the message left on his computer after infection.

It has not been proven that attackers could actually copy and download data from a computer. But the threat is not to be dismissed, and it may be relevant to ensure that the hackers did get a copy of the blocked files before really worrying about it.