SecurityWeek

Malware & Threats

MIRCOP Ransomware Claims to be Victim, Demands Payback

Ransomware authors use various techniques to encourage victims to pay a ransom, and the actors behind a new threat called MIRCOP are employing an unusual one: the ransom note claims that the victim stole 48.48 Bitcoins. 

What’s more, the ransom note displays a hooded figure in a Guy Fawkes mask, which has long been associated with the notorious hacktivist group Anonymous, and offers little instruction on how the victim should pay. Instead, it implies that the victim already knows how to return the money and who the demand is coming from.

At 48.48 Bitcoins, the ransom amounts to around $30,000, one of the highest seen, and the note threatens further action if the victim doesn’t pay, researchers at Trend Micro reveal. The note does include a Bitcoin address, but gives no instructions on how to make a crypto-currency transaction. As of this writing, no payment has been made to that address.

MIRCOP is distributed as a malicious document attached to spam emails, posing as a Thai customs form used when importing or exporting goods. The document asks the user to enable macros, supposedly so the form can be signed; instead, the macro abuses Windows PowerShell to download and execute the malicious payload.

MIRCOP drops three files in the %Temp% folder: c.exe (an information-stealing routine), and x.exe and y.exe (both used to encrypt files). Unlike most other ransomware families, the threat doesn’t append an extension to encrypted files; it prepends the string “Lock.” to the file name. It also encrypts common user folders.
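The two observable traits above, a macro document spawning PowerShell and the on-disk indicators (three droppers in %Temp%, file names prefixed with “Lock.”), are the kind of thing a responder would want to hunt for across an estate. The following Python script is an added example written for this page; it is not Trend Micro’s tooling or code from the article. The indicators come from the article; the %Temp% path, the list of Office host processes other than Word, the event field names and all sample paths and process-creation events are constructed assumptions for the sake of an offline, runnable demonstration.

```python
"""Hunt for the MIRCOP indicators described in the article (added example).

Two checks are implemented over constructed sample data:
  1. file-system indicators: c.exe / x.exe / y.exe in %Temp%, and any file
     whose name (not directory) begins with the string "Lock."
  2. process-creation indicators: an Office process spawning PowerShell,
     which is how the macro hands off to its PowerShell downloader.
"""
import ntpath  # Windows path semantics regardless of the host running the script

# Indicators taken from the article.
DROPPER_NAMES = {"c.exe", "x.exe", "y.exe"}
LOCK_PREFIX = "Lock."          # exact string reported; match is case-sensitive

# Assumption: the article describes a Word-style macro document; the other
# Office hosts are added to make the parent/child check generic.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
POWERSHELL_NAMES = {"powershell.exe", "pwsh.exe"}


def is_lock_prefixed(path):
    """True if the file name itself starts with 'Lock.' (e.g. Lock.report.docx).

    Checking the basename avoids matching a directory such as C:\\Lock.data\\.
    """
    return ntpath.basename(path).startswith(LOCK_PREFIX)


def is_temp_dropper(path, temp_dir):
    """True if path is one of the three dropper names located directly in %Temp%."""
    directory, name = ntpath.split(path)
    same_dir = ntpath.normcase(directory.rstrip("\\")) == ntpath.normcase(temp_dir.rstrip("\\"))
    return same_dir and name.lower() in DROPPER_NAMES


def scan_paths(paths, temp_dir):
    """Return (indicator, path) tuples for every path that matches an indicator."""
    findings = []
    for p in paths:
        if is_temp_dropper(p, temp_dir):
            findings.append(("dropper_in_temp", p))
        elif is_lock_prefixed(p):
            findings.append(("lock_prefixed_file", p))
    return findings


def office_spawned_powershell(events):
    """Return process-creation events where an Office parent launched PowerShell.

    Each event is a dict with 'parent_image' and 'image' (full paths); the field
    names are an assumption modelled on typical EDR / Sysmon-style telemetry.
    """
    hits = []
    for ev in events:
        parent = ntpath.basename(ev["parent_image"]).lower()
        child = ntpath.basename(ev["image"]).lower()
        if parent in OFFICE_PARENTS and child in POWERSHELL_NAMES:
            hits.append(ev)
    return hits


# Constructed sample data (not real telemetry): a mix of hits and benign noise.
SAMPLE_TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\Temp\c.exe",
    r"C:\Users\alice\AppData\Local\Temp\x.exe",
    r"C:\Users\alice\AppData\Local\Temp\y.exe",
    r"C:\Users\alice\AppData\Local\Temp\setup.log",      # benign file in %Temp%
    r"C:\Users\alice\Documents\Lock.budget.xlsx",
    r"C:\Users\alice\Documents\Lock.thesis.docx",
    r"C:\Users\alice\Documents\Lockheed-notes.txt",       # 'Lock' without the dot
    r"C:\Users\alice\Pictures\holiday.jpg",
]
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -WindowStyle Hidden"},
    {"parent_image": r"C:\Windows\explorer.exe",          # admin-launched shell
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe"},
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe",                 # normal print helper
     "command_line": "splwow64.exe"},
]

if __name__ == "__main__":
    for kind, path in scan_paths(SAMPLE_PATHS, SAMPLE_TEMP):
        print(f"[file] {kind}: {path}")
    for ev in office_spawned_powershell(SAMPLE_EVENTS):
        print(f"[proc] Office -> PowerShell: {ev['command_line']}")
```

Run against the constructed data, the file scan reports the three droppers and the two “Lock.”-prefixed documents while ignoring “Lockheed-notes.txt”, and the process check flags only the WINWORD.EXE → powershell.exe event, not the administrator’s shell or Word’s print helper. In a real investigation the same functions would be fed a directory walk and the endpoint’s process-creation log instead of the sample lists.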

In addition to encrypting files on the infected machine, MIRCOP can steal credentials from various applications, including Mozilla Firefox, Google Chrome, Opera, FileZilla, and Skype, researchers discovered. In this regard, MIRCOP is not the first ransomware to pack info-stealing capabilities, given that CryptXXX has had the feature for over two months now.

“Social engineering in the form of spam can lead to infection, especially when the malware employs underhanded tactics such as macro malware leveraging on PowerShell in attached files. Users should be careful when receiving mail from unknown sources and should refrain from downloading and opening their attachments if any,” Trend Micro researchers note.

Since the beginning of this year, ransomware has emerged as a prevalent threat, and a recent report from Kaspersky revealed that the number of users attacked with cryptoware increased 5.5 times over the past couple of years. At the moment, Locky appears to be the top ransomware out there, courtesy of massive infection campaigns powered by the Necurs botnet.
