MIRCOP Ransomware Virus Demands 48.48 Bitcoins, Blames the Victim

Ransomware authors are relentless when it comes to inventing new ways to extort money from victims. One of the more original new crypto viruses, dubbed MIRCOP, employs a rather unusual method to make the victim pay. The ransomware claims that the victim is the one to blame as they have stolen 48.48 Bitcoins, and now they have to return them.

Update! A free decryptor has been created by AVG security analysts for Mircop Ransomware. It can be downloaded by clicking on the following web link:
Mircop Ransomware Decryptor

Threat Summary

Name: MIRCOP ransomware
Type: Ransomware
Short Description: The ransomware authors claim the victim has stolen 48.48 Bitcoins from them. The ransomware uses Guy Fawkes’ mask in the ransom note.
Symptoms: The ransomware will lock your files and display a ransom note. An abnormally large ransom is demanded.
Distribution Method: Spam Emails, Email Attachments, Enabling Malicious Macros

MIRCOP Ransomware – Distribution Method

Despite its originality in terms of the ransom note and overall approach to the victim, MIRCOP’s distribution vector is no different from that of most ransomware. It is spread via malicious documents in spam emails. The emails are most likely disguised as a Thai customs form for importing and exporting goods.
Image Source: TrendMicro

The victim is prompted to enable macros. If macros are enabled, Windows PowerShell is used to download and execute the payload.

MIRCOP Ransomware – Details about the Attack

The ransom note shows a figure in a Guy Fawkes mask, the mask adopted by the Anonymous hacktivist group. One of the weirdest things about this ransomware is that it gives few instructions on how the ransom should be transferred.

The ransom note reads:

Hello,
You’ve stolen 48.48 BTC from the wrong people, please be so kind to return them and we will return your files.
Don’t take us for fools, we know more about you than you know about yourself.
Pay us back and we won’t take further action, don’t pay and be prepared.

As seen above, the ransomware suggests that the victim already knows what to do and how to pay the ransom. The note may be interpreted in a bolder way: the cyber criminals pretend to be part of Anonymous, claiming that the targeted user has stolen from them. A Bitcoin address is left at the end of the note. The step-by-step payment instructions for cryptocurrency transactions usually seen in ransom notes are absent. Research by TrendLabs indicates that no payments were made to this address (as of June 23).

MIRCOP ransomware demands a payment of 48.48 Bitcoins, or $28,730.70. This is, no doubt, one of the biggest ransom demands observed to date.

The ransomware drops three files in the %Temp% folder:

  • c.exe (set to steal information from the victim’s system)
  • x.exe (used for file encryption)
  • y.exe (used for file encryption)

MIRCOP doesn’t append a file extension as other ransomware typically does. Instead, file names are prepended with the string “Lock”. When an affected file is opened, its content appears as unreadable characters, as TrendMicro points out. Common folders are also encrypted.
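The file-level indicators described above (the three executables in %Temp% and the “Lock” name prefix) can be checked with a short triage script. This is an added example, not code from the original article or from TrendMicro; the function names and the thresholds min_files and min_ratio are assumptions chosen for illustration.

```python
import os
import tempfile
from pathlib import Path

# Indicators named in the article: three executables dropped in %Temp%
# and encrypted files renamed with a leading "Lock".
DROPPED_NAMES = {"c.exe", "x.exe", "y.exe"}
LOCK_PREFIX = "Lock"


def find_dropped_files(temp_dir):
    """Return which of the three dropped file names exist directly in temp_dir."""
    present = {
        name.lower()
        for name in os.listdir(temp_dir)
        if os.path.isfile(os.path.join(temp_dir, name))
    }
    return sorted(present & DROPPED_NAMES)


def find_locked_dirs(root, min_files=3, min_ratio=0.5):
    """Return {directory: count} for folders dominated by "Lock"-prefixed files.

    Names such as "Lockfile" occur on clean systems, so a folder is reported
    only when at least min_files files carry the prefix and they make up at
    least min_ratio of the files in it (both thresholds are assumptions).
    """
    hits = {}
    for dirpath, _subdirs, files in os.walk(root):
        locked = [name for name in files if name.startswith(LOCK_PREFIX)]
        if len(locked) >= min_files and len(locked) / len(files) >= min_ratio:
            hits[dirpath] = len(locked)
    return hits


def triage(temp_dir, user_root):
    """Run both checks; flag the host on all three dropped files or any locked folder."""
    dropped = find_dropped_files(temp_dir)
    locked = find_locked_dirs(user_root)
    suspicious = set(dropped) == DROPPED_NAMES or bool(locked)
    return {"dropped_files": dropped, "locked_dirs": locked, "suspicious": suspicious}


if __name__ == "__main__":
    # Defaults: the current user's temp directory and home folder.
    print(triage(tempfile.gettempdir(), Path.home()))
```

A single file named c.exe or one “Lockfile” does not trigger the flag; the script reports a host only when the indicators appear together in the pattern the article describes.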

Besides file encryption, the crypto virus is designed to steal credentials from the victim’s applications, like Mozilla Firefox, Google Chrome, Opera, FileZilla, and Skype. CryptXXX, another well-known ransomware, has also had information-stealing capabilities added.

MIRCOP Ransomware – Removal and File Restoration

As we have written multiple times, malware and ransomware authors often trick users into enabling malicious macros in spam documents. To avoid getting to this point, users should employ anti-spam measures (anti-spam software, spam filters). Another important element of adequate protection is maintaining a strong anti-malware solution.

If it’s too late and you have already been affected by MIRCOP, paying the ransom is not a good option. For one, it’s too high and no clear payment instructions are provided. Furthermore, paying cyber criminals only monetizes their infections and gives them ground for future attacks.

So, if you’re a victim, have a look at the instructions below our article to remove MIRCOP and try to get your files back via alternative methods.

Manually delete MIRCOP ransomware from your computer

Note! Manual removal of MIRCOP ransomware requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove MIRCOP ransomware files and objects.
2. Find malicious files created by MIRCOP ransomware on your PC.
3. Fix registry entries created by MIRCOP ransomware on your PC.

Automatically remove MIRCOP ransomware by downloading an advanced anti-malware program

1. Remove MIRCOP ransomware with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by MIRCOP ransomware in the future
3. Restore files encrypted by MIRCOP ransomware
Optional: Using Alternative Anti-Malware Tools

Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.
