Ransomware virus authors are restless when it comes to inventing new ways to extort victims for money. One of the more original new crypto viruses, dubbed MIRCOP, employs a rather unusual method to make the victim pay. The ransomware claims that the victim is the one to blame as they have stolen 48.48 Bitcoins, and now they have to return them.
| | MIRCOP ransomware |
|---|---|
| Short Description | The ransomware authors claim the victim has stolen 48.48 Bitcoins from them. The ransomware uses Guy Fawkes’ mask in the ransom note. |
| Symptoms | The ransomware will lock your files and display a ransom note. An abnormally large ransom is demanded. |
| Distribution Method | Spam Emails, Email Attachments, Enabling Malicious Macros |
MIRCOP Ransomware – Distribution Method
Despite its originality in terms of the ransom note and overall approach to the victim, MIRCOP’s distribution vector is no different than most ransomware. It’s spread via malicious documents in spam emails. The emails are most likely masqueraded as a Thai customs form for importing and exporting goods:
The victim is prompted to enable macros. If macros are enabled, Windows PowerShell is used to download and execute the payload.
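The macro-to-PowerShell chain described above leaves a clear trace in process-creation telemetry: an Office application becomes the parent of powershell.exe. The following is an added example, not code from the original article or from TrendMicro. It runs a simple rule over constructed sample events; the "parent|child|command line" export format, the sample lines themselves and the list of PowerShell switches treated as aggravating traits (hidden window, execution-policy bypass, skipped profile, encoded command) are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample process-creation events (not real telemetry). Each line is
# "parent image|child image|child command line". Assumption: real sources such
# as a process-creation audit log have already been exported to this shape.
SAMPLE_EVENTS = [
    "WINWORD.EXE|powershell.exe|powershell.exe -NoProfile -WindowStyle Hidden "
    "-ExecutionPolicy Bypass -Command <download-and-run payload, redacted in this constructed sample>",
    "explorer.exe|WINWORD.EXE|\"C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE\" customs_form.doc",
    "cmd.exe|powershell.exe|powershell.exe Get-Process",
    "OUTLOOK.EXE|powershell.exe|powershell.exe Get-Date",
]

# Office applications that should rarely, if ever, launch PowerShell directly.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Command-line traits that raise the severity of an Office -> PowerShell event.
SUSPICIOUS_MARKERS = [
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window requested"),
    (re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I), "execution policy bypassed"),
    (re.compile(r"-nop(?:rofile)?\b", re.I), "user profile skipped"),
    (re.compile(r"-e(?:nc|ncodedcommand)\s+\S+", re.I), "encoded command supplied"),
]


@dataclass
class Alert:
    parent: str
    child: str
    severity: str  # "medium" for the bare parent/child pair, "high" when traits are present
    reasons: List[str] = field(default_factory=list)


def parse_event(line: str) -> Optional[tuple]:
    """Split one exported event into (parent, child, command line); None if malformed."""
    parts = line.split("|", 2)  # maxsplit keeps any '|' inside the command line intact
    if len(parts) != 3:
        return None
    return tuple(p.strip() for p in parts)


def evaluate_event(line: str) -> Optional[Alert]:
    """Return an Alert when an Office application spawns PowerShell, else None."""
    parsed = parse_event(line)
    if parsed is None:
        return None
    parent, child, cmdline = parsed
    if parent.lower() not in OFFICE_APPS or child.lower() != "powershell.exe":
        return None
    reasons = ["PowerShell launched by an Office application"]
    for pattern, why in SUSPICIOUS_MARKERS:
        if pattern.search(cmdline):
            reasons.append(why)
    severity = "high" if len(reasons) > 1 else "medium"
    return Alert(parent, child, severity, reasons)


def scan_events(lines) -> List[Alert]:
    """Run the rule over a batch of events and keep only the hits."""
    return [a for a in (evaluate_event(line) for line in lines) if a is not None]


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.parent} -> {alert.child}: {'; '.join(alert.reasons)}")
```

The parent/child pair alone is worth a medium-severity alert because most users never need Office to start PowerShell; the extra switches are what turn the constructed Word event into a high-severity one, while the Outlook event (PowerShell with a plain command) stays at medium for an analyst to review.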
MIRCOP Ransomware – Details about the Attack
The ransom note shows a figure in a Guy Fawkes mask, the symbol adopted by the Anonymous hacktivist group. One of the strangest things about this ransomware is that it gives few instructions on how the ransom should be paid.
The ransom note reads:
You’ve stolen 48.48 BTC from the wrong people, please be so kind to return them and we will return your files.
Don’t take us for fools, we know more about you than you know about yourself.
Pay us back and we won’t take further action, don’t pay and be prepared.
As seen above, the ransom note suggests that the victim already knows what to do and how to pay. The note may be interpreted in a bolder way: the cyber criminals pretend to be part of Anonymous and claim that the targeted user has stolen from them. A Bitcoin address is left at the end of the note, but none of the step-by-step payment instructions usually seen in ransom notes are provided. Research by TrendLabs indicates that no payments had been made to this address (as of June 23).
MIRCOP ransomware demands a payment of 48.48 Bitcoins, or $28,730.70. This is, no doubt, one of the biggest ransom extortions observed to this date.
The ransomware drops three files in the %Temp% folder:
- c.exe (set to steal information from the victim’s system)
- x.exe (used for file encryption)
- y.exe (used for file encryption)
MIRCOP doesn’t append a file extension as other ransomware typically do. Instead, file names are prepended with the string “Lock”. When the files are opened, their content appears as unreadable characters, as TrendMicro points out. Common folders are also encrypted.
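The two indicators just described, the three dropped files in %Temp% and the “Lock” prefix on file names, are what a responder can search for when triaging a machine. The following is an added example, not code from the original article or from TrendMicro. It classifies a constructed list of paths (the sample paths and file contents are assumptions) and, for names carrying the prefix, reads the file and computes the Shannon entropy of its bytes to separate a coincidental “Lock…” name on ordinary text from encrypted output; the 7.5 bits-per-byte threshold is an assumption chosen for the example.

```python
import math
import os
import re
from collections import Counter
from typing import Callable, Dict, List, Optional

LOCK_PREFIX = "Lock"                         # string MIRCOP prepends to file names
DROPPED_NAMES = {"c.exe", "x.exe", "y.exe"}  # components dropped into %Temp%
HIGH_ENTROPY = 7.5  # bits per byte; assumption: ciphertext sits near 8.0, plain text well below

# Constructed sample paths (no real host was scanned).
SAMPLE_PATHS = [
    r"C:\Users\victim\Documents\Lockbudget.txt",
    r"C:\Users\victim\Documents\report.docx",
    r"C:\Users\victim\Pictures\Lockholiday.jpg",
    r"C:\Users\victim\Downloads\Lockheed_offer.txt",
    r"C:\Users\victim\AppData\Local\Temp\c.exe",
    r"C:\Users\victim\AppData\Local\Temp\x.exe",
    r"C:\Users\victim\AppData\Local\Temp\notes.txt",
]

# Constructed sample contents for the prefixed names: two look like ciphertext
# (every byte value equally likely), one is ordinary text whose name merely
# happens to start with "Lock".
SAMPLE_CONTENTS: Dict[str, bytes] = {
    SAMPLE_PATHS[0]: bytes(range(256)) * 4,
    SAMPLE_PATHS[2]: bytes(range(256)) * 2,
    SAMPLE_PATHS[3]: b"Dear customer, please find the offer attached.\n" * 20,
}


def basename(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or single-valued input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(paths: List[str], read_bytes: Callable[[str], bytes]) -> List[dict]:
    """Return a finding per path that matches either MIRCOP indicator."""
    findings = []
    for path in paths:
        name = basename(path)
        name_hit = name.startswith(LOCK_PREFIX)
        drop_hit = name.lower() in DROPPED_NAMES
        if not (name_hit or drop_hit):
            continue
        entropy: Optional[float] = shannon_entropy(read_bytes(path)) if name_hit else None
        if drop_hit:
            verdict = "dropped-component"
        elif entropy is not None and entropy >= HIGH_ENTROPY:
            verdict = "likely-encrypted"
        else:
            verdict = "name-match-only"  # prefix present, content still looks like ordinary data
        findings.append({"path": path, "entropy": entropy, "verdict": verdict})
    return findings


def read_head(path: str, limit: int = 65536) -> bytes:
    """Read the first `limit` bytes of a real file for the entropy check."""
    with open(path, "rb") as fh:
        return fh.read(limit)


def scan_tree(root: str) -> List[dict]:
    """Walk a real directory tree (e.g. a user profile) and triage every file in it."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return triage(paths, read_head)


if __name__ == "__main__":
    for finding in triage(SAMPLE_PATHS, lambda p: SAMPLE_CONTENTS.get(p, b"")):
        print(f"{finding['verdict']:<18} {finding['path']}")
```

Two caveats apply when using this on a real machine. The prefix match is the primary signal and entropy only refines it: already-compressed formats such as .jpg or .docx have high entropy whether or not they were encrypted (the constructed Lockholiday.jpg is flagged as likely-encrypted for that reason alone), so the entropy check mainly separates a text file that merely starts with “Lock” from real ciphertext. And the dropped-component names are generic, so a hit on c.exe, x.exe or y.exe in %Temp% should be confirmed by hashing the file against a reputable source rather than by name alone.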
Besides encrypting files, the crypto virus is designed to steal credentials from applications on the victim’s system, such as Mozilla Firefox, Google Chrome, Opera, FileZilla, and Skype. CryptXXX, another well-known ransomware, has also had information-stealing capabilities added.
MIRCOP Ransomware – Removal and File Restoration
As we have written multiple times, malware and ransomware authors often trick users into enabling malicious macros in spam documents. To avoid getting to this point, users should employ anti-spam measures (anti-spam software, spam filters). Another important element of adequate protection is maintaining a strong anti-malware solution.
If it’s too late and you have already been affected by MIRCOP, paying the ransom is not a good option. For one, it’s too high and no clear payment instructions are provided. Furthermore, paying cyber criminals only monetizes their infections and gives them ground for future attacks.
So, if you’re a victim, have a look at the instructions below our article to remove MIRCOP and try to get your files back via alternative methods.