(Image credit: Shutterstock)

A new version of the MegaCortex ransomware is changing users' Windows login passwords and then threatening to making their files public if they don’t pay the ransom, as reported by BleepingComputer this week.

MegaCortex was initially an enterprise-focused ransomware that used the Emotet trojan to install itself on network computers.

As of recently, it started automating its attacks against a wider range of PCs that have various exploitable security vulnerabilities. The ransomware now shows users what looks like a legal notice with the message “Locked by MegaCortex” on the Windows lockscreen, along with two email contact addresses and an "OK" button.

Once the MegaCortex launcher is executed, a ransom note titled "!-!_README_!-!.rtf" appears on the victim's desktops. The note threatens to change users’ Windows passwords if they don’t pay the ransom. It seems real, as rebooting the encrypted systems locks users out of their accounts.

The ransom note doesn’t just threaten to change users' Windows password, but also says that the victims’ files have been copied to another location and will be made public unless they pay up:

"We have also downloaded your data to a secure location. In the unfortunate event of us not coming to an agreement we will have no choice but to make this data public. Once the transaction is finalized all of copies of data we have downloaded will be erased," the note reads, according to BleepingComputer.

Sometimes ransomware creators make up scary warnings to get people to pay. However, at least one of the threats made by the MegaCortex creators in the ransom note turned out to be real.

Ransomware has been on the rise again lately, especially among enterprises, where locking out an entire network could earn hackers significant payouts. As long as this continues to remain true, the ransomware threat will likely not disappear.

How MegaCortex Ransomware Works

After MegaCortex is executed on a target machine, the MegaCortex launcher extracts two .DLL files and three CMD scripts to the C:\Windows\Temp directory path. The launcher seems to be signed by a certificate belonging to an Australian company named "MURSA PTY LTD.”

The DLL files, which run via the Windows Rundll32.exe process, encrypt the victims’ files. Meanwhile the CMD scripts perform a variety of other commands, such as wiping the free space on the PC and deleting files used to encrypt the computer.

After the initial run of the files, the aforementioned "!-!_README_!-!.rtf" ransom note appears on the user's desktop.