New MegaCortex Ransomware Variant Changes Victims' Windows Passwords (Nov 5, 2019)

Researchers at MalwareHunterTeam, working with reverse engineer Vitali Kremez, have identified a new variant of MegaCortex ransomware that changes the victim's Windows password. On execution, the ransomware runs the net user command to change the victim's password. Before the user can log in again, the ransom note is displayed, stating "All of your user credentials have been changed and your files have been encrypted" and also claiming that the victim's data has been downloaded and will be released publicly if the ransom is not paid. Researchers have not been able to determine the veracity of this claim.
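A password reset through net user is easy to spot in process-creation telemetry, and ransomware resets many accounts at once where an administrator resets one. The detector below is an added example written for this digest; it is not code from the article, from MalwareHunterTeam or from Vitali Kremez. It assumes telemetry is available as flat key=value lines modelled on Windows Security event 4688 (process creation, with command-line auditing enabled) and event 4724 (an attempt was made to reset an account's password); the line format, host names, accounts and paths are all constructed for the example. It flags net user / net1 invocations that carry a new password (or "*" to prompt for one), corroborates them against a following 4724 for the same account, and escalates to high severity when three or more accounts on one host are reset within a minute.

```python
"""Flag 'net user <account> <password>' resets in Windows process-creation
telemetry and escalate bursts of them (added example, not the article's code).

Assumptions (mine, not the article's): events are key=value lines shaped like
Security event 4688 (with CommandLine) and event 4724 (TargetUser). The line
format and every sample value below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=bare
TOKEN_RE = re.compile(r'"[^"]*"|\S+')             # command-line tokens, quoted paths kept whole
NET_EXES = {"net", "net.exe", "net1", "net1.exe"}  # net.exe hands most work to net1.exe


def parse_kv_line(line):
    """Parse one constructed key=value log line into a dict."""
    return {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(line)}


def extract_net_user_reset(command_line):
    """Return (account, mode) when the command line sets a password via net user,
    else None. mode is 'reset' for an existing account, 'add' when /add is present."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(command_line)]
    if len(tokens) < 4:
        return None  # 'net user' or 'net user alice' only lists / displays
    exe = tokens[0].rsplit("\\", 1)[-1].lower()
    if exe not in NET_EXES or tokens[1].lower() != "user":
        return None
    account, second = tokens[2], tokens[3]
    if account.startswith("/") or second.startswith("/"):
        return None  # e.g. 'net user alice /active:no' changes no password
    mode = "add" if any(t.lower() == "/add" for t in tokens[4:]) else "reset"
    return account, mode


def detect_credential_changes(lines, window=timedelta(seconds=60), burst=3):
    """Return one finding per password-setting net user command, in input order."""
    events = [parse_kv_line(line) for line in lines]
    resets = []
    for ev in events:
        if ev.get("EventID") != "4688":
            continue
        hit = extract_net_user_reset(ev.get("CommandLine", ""))
        if hit is None:
            continue
        resets.append({
            "time": datetime.fromisoformat(ev["Time"]),
            "host": ev.get("Host", "?"),
            "account": hit[0],
            "mode": hit[1],
            "parent": ev.get("ParentImage", "?"),
            "severity": "medium",
            "corroborated": False,
        })
    # A 4724 on the same host for the same account within the window confirms
    # the reset actually took effect rather than failing on policy or rights.
    confirmations = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == "4724":
            key = (ev.get("Host", "?"), ev.get("TargetUser"))
            confirmations[key].append(datetime.fromisoformat(ev["Time"]))
    for r in resets:
        r["corroborated"] = any(
            timedelta(0) <= t - r["time"] <= window
            for t in confirmations[(r["host"], r["account"])]
        )
        # Ransomware locks out many accounts at once; an admin resets one.
        peers = {o["account"] for o in resets
                 if o["host"] == r["host"] and abs(o["time"] - r["time"]) <= window}
        if len(peers) >= burst:
            r["severity"] = "high"
    return resets


# Constructed sample telemetry (not real logs): one admin reset at 09:00 and a
# burst of three resets at 03:12 launched from the same parent process.
SAMPLE_LOG = [
    r'Time=2019-11-05T03:12:01 Host=WS01 EventID=4688 ParentImage="C:\Windows\explorer.exe" CommandLine="net user alice"',
    r'Time=2019-11-05T03:12:05 Host=WS01 EventID=4688 ParentImage="C:\Windows\System32\cmd.exe" CommandLine="net user alice /active:yes"',
    r'Time=2019-11-05T03:12:09 Host=WS01 EventID=4688 ParentImage="C:\Users\Public\svc.exe" CommandLine="net user bob Qr7pX2v9"',
    r'Time=2019-11-05T03:12:09 Host=WS01 EventID=4724 SubjectUser=SYSTEM TargetUser=bob',
    r'Time=2019-11-05T03:12:10 Host=WS01 EventID=4688 ParentImage="C:\Users\Public\svc.exe" CommandLine="net1 user carol Qr7pX2v9"',
    r'Time=2019-11-05T03:12:10 Host=WS01 EventID=4724 SubjectUser=SYSTEM TargetUser=carol',
    r'Time=2019-11-05T03:12:11 Host=WS01 EventID=4688 ParentImage="C:\Users\Public\svc.exe" CommandLine="C:\Windows\System32\net.exe user dave Qr7pX2v9 /domain"',
    r'Time=2019-11-05T09:00:00 Host=ADMIN01 EventID=4688 ParentImage="C:\Windows\System32\cmd.exe" CommandLine="net user helpdesk *"',
]

if __name__ == "__main__":
    for f in detect_credential_changes(SAMPLE_LOG):
        print(f"{f['time']} {f['host']} {f['severity']:6} {f['mode']:5} "
              f"account={f['account']} corroborated={f['corroborated']} parent={f['parent']}")
```

The two benign lines (a plain account listing and an /active switch) produce no finding; the three resets from the unsigned parent under C:\Users\Public are escalated to high by the burst rule, two of them corroborated by a 4724, while the lone helpdesk reset on ADMIN01 stays at medium for an analyst to triage. The parent-process field is kept in each finding because, as with the variant described above, the interesting question is not that net user ran but what launched it.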

Recommendation: Ransomware can potentially be blocked by using endpoint protection solutions (HIDS). Always keep your important files backed up following the 3-2-1 rule: have at least 3 different copies, on 2 different media, with 1 off-site. In the case of a ransomware infection, the affected system must be wiped and reformatted. Other devices on the network should be checked for similar infections. Always check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies, who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.