MIRCOP Ransomware Virus Demands 48.48 Bitcoins, Blames the Victim


Ransomware virus authors are restless when it comes to inventing new ways to extort victims for money. One of the more original new crypto viruses, dubbed MIRCOP, employs a rather unusual method to make the victim pay. The ransomware claims that the victim is the one to blame as they have stolen 48.48 Bitcoins, and now they have to return them.

Update! A free decryptor has been created by AVG security analysts for Mircop Ransomware. It can be downloaded by clicking on the following web link:
Mircop Ransomware Decryptor

Threat Summary

Name: MIRCOP ransomware
Short Description: The ransomware authors claim the victim has stolen 48.48 Bitcoins from them. The ransomware uses Guy Fawkes’ mask in the ransom note.
Symptoms: The ransomware will lock your files and display a ransom note. An abnormally large ransom is demanded.
Distribution Method: Spam Emails, Email Attachments, Enabling Malicious Macros
Detection Tool: See If Your System Has Been Affected by MIRCOP ransomware (Malware Removal Tool)
User Experience: Join Our Forum to Discuss MIRCOP ransomware.

MIRCOP Ransomware – Distribution Method

Despite its originality in terms of the ransom note and overall approach to the victim, MIRCOP’s distribution vector is no different from that of most ransomware. It is spread via malicious documents attached to spam emails. The emails are most likely disguised as a Thai customs form for importing and exporting goods.
Image Source: TrendMicro

The victim is prompted to enable macros. If macros are enabled, Windows PowerShell is used to download and execute the payload.

MIRCOP Ransomware – Details about the Attack

The ransom note shows a figure in a Guy Fawkes mask, the mask adopted by the Anonymous hacktivist group. One of the strangest things about this ransomware is that it gives very few instructions on how the ransom should be transferred.

The ransom note reads:

You’ve stolen 48.48 BTC from the wrong people, please be so kind to return them and we will return your files.
Don’t take us for fools, we know more about you than you know about yourself.
Pay us back and we won’t take further action, don’t pay and be prepared.

As seen above, the ransom note implies that the victim already knows what to do and how to pay. The note may be read in a bolder way – the cyber criminals pretend to be part of Anonymous and claim that the targeted user has stolen from them. A Bitcoin address is left at the end of the note, but the step-by-step payment instructions for crypto-currency transactions usually found in ransom notes are absent. Research by TrendLabs indicates that no payments had been made to this address (as of June 23).

MIRCOP ransomware demands a payment of 48.48 Bitcoins, or $28,730.70. This is, no doubt, one of the biggest ransom demands observed to date.

The ransomware drops three files in the %Temp% folder:

  • c.exe (set to steal information from the victim’s system)
  • x.exe (used for file encryption)
  • y.exe (used for file encryption)

MIRCOP doesn’t append a file extension as other ransomware typically does. Instead, file names are prepended with the string “Lock”. When the files are opened, their content appears as unreadable characters, as TrendMicro points out. Common folders are also encrypted.
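As an added triage example (not code from the article or from TrendMicro), the following Python helper looks for the indicators described above on a system under investigation: file names that start with “Lock”, and the three executables in the temp folder. Byte entropy is used as an assumed secondary signal that a Lock-prefixed file no longer holds plaintext; the threshold and the sample directory layout the helper builds are constructed for illustration.

```python
import math
import os
import tempfile
from collections import Counter

DROPPED_EXECUTABLES = {"c.exe", "x.exe", "y.exe"}  # names reported in the article
LOCK_PREFIX = "Lock"  # MIRCOP prepends this to file names
ENTROPY_THRESHOLD = 7.0  # assumed cut-off; ciphertext is close to 8 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_for_mircop(root: str, temp_dir: str) -> dict:
    """Walk `root` for Lock-prefixed files; check `temp_dir` for the three droppers."""
    locked = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.startswith(LOCK_PREFIX):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(4096)  # sampling the head is enough for triage
            ent = shannon_entropy(head)
            locked.append({"name": name, "path": path, "entropy": round(ent, 2),
                           "likely_encrypted": ent >= ENTROPY_THRESHOLD})
    droppers = sorted(n for n in DROPPED_EXECUTABLES
                      if os.path.isfile(os.path.join(temp_dir, n)))
    return {"locked": sorted(locked, key=lambda e: e["name"]), "droppers": droppers}


def build_constructed_sample() -> tuple:
    """Create a constructed (fake) victim layout for offline use; returns (docs, temp)."""
    base = tempfile.mkdtemp(prefix="mircop-sample-")
    docs, temp = os.path.join(base, "docs"), os.path.join(base, "temp")
    for d in (docs, temp):
        os.makedirs(d)
    samples = {  # constructed contents, not real MIRCOP artifacts
        os.path.join(docs, "Lockreport.docx"): bytes(range(256)) * 16,  # uniform: 8.0 bits
        os.path.join(docs, "Locknotes.txt"): b"quarterly report text " * 50,  # plaintext
        os.path.join(docs, "untouched.txt"): b"hello",  # no prefix, must be ignored
        os.path.join(temp, "x.exe"): b"MZ",  # two of the three droppers present
        os.path.join(temp, "y.exe"): b"MZ",
    }
    for path, content in samples.items():
        with open(path, "wb") as fh:
            fh.write(content)
    return docs, temp
```

A Lock-prefixed file with low entropy is worth a second look rather than an automatic dismissal, since a short or mostly empty file can score low even after encryption.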

Besides file encryption, the crypto virus is designed to steal credentials from applications on the victim’s system, such as Mozilla Firefox, Google Chrome, Opera, FileZilla, and Skype. CryptXXX, another well-known ransomware, has also had information-stealing capabilities added.

MIRCOP Ransomware – Removal and File Restoration

As we have written multiple times, malware and ransomware authors often trick users into enabling malicious macros in spam documents. To avoid getting to this point, users should employ anti-spam measures (anti-spam software, spam filters). Another important element of adequate protection is maintaining a strong anti-malware solution.

If it’s too late and you have already been affected by MIRCOP, paying the ransom is not a good option. For one, it is too high and no clear payment instructions are provided. Furthermore, paying cyber criminals only rewards their infections and gives them grounds for future attacks.

So, if you’re a victim, have a look at the instructions below this article to remove MIRCOP and try to get your files back via alternative methods.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the beginning. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim