Malware News MIRCOP Ransomware Poses as Robbed Anonymous Member

Exterminator

Community Manager
Thread author
Verified
Staff Member
Well-known
Oct 23, 2012
12,527
A new strain of ransomware named MIRCOP poses as a robbed member of the Anonymous hacker group, asking users to give money back or have their files locked forever.

MIRCOP is one of the non-standard ransomware families that deviate from the regular modus operandi that most ransomware variants follow these days.

MIRCOP uses threatening language in the ransom note, hoping to scare users into making a quick buck. The crooks behind this ransomware are leveraging Anonymous' reputation and using a man with a Guy Fawkes mask on for the ransom note's background. Below is MIRCOP's ransom note text:

Hello, // You've stolen 48.48 BTC from the wrong people, please be so kind to return them and we will return your files. // Don't us for fools, we known more about you than you know about yourself. // Pay us back and we won't take further action, don't pay us and be prepared.

As you can see, the crooks don't mince words and take a threatening tone. The ransom note also doesn't feature any payment instructions, but only a Bitcoin wallet address.

The group expects victims to figure out how to buy Bitcoin and make the payment on their own.

MIRCOP asks for over $30,000
Additionally, another thing that stands out right away is the huge ransom payment, which is of 48.48 Bitcoin (~$31,200). Most ransomware variants never go over the $500 limit, and you rarely see ransomware asking for more than $1,000.

At the time of writing, the Bitcoin address associated with this ransomware campaign doesn't feature any transactions, meaning no victim paid the ransom note.

Trend Micro, the security firm that discovered this threat says that the group behind MIRCOP is spreading the ransomware using spam email.

MIRCOP is spread via malicious Word documents
The emails carry a Word document posing to be a Thai customs form. The document asks users to enable macro support. Trend Micro says that activating macros would start a PowerShell script that downloads, installs and executes the ransomware.

Another peculiarity is that MIRCOP doesn't append a special extension at the end of encrypted files, but adds the "Lock" prefix.

Just like the RAA ransomware that came hand in hand with the Pony infostealer, MIRCOP also features a built-in credentials-stealing routine that can collect passwords from Mozilla Firefox, Google Chrome, Opera, Filezilla, and Skype.

As always, our advice is to stay away from spam files and stop enabling macros in Word files you receive from unknown people. Keeping regular backups of your most important files is also a good idea, especially with all the nasty ransomware going around.
 

Andi.HR

Level 2
Verified
Apr 23, 2014
68
Ha,ha,ha...MIRCOP...this ransomware punch hard on your wallets!
This is actualy Mirko Cro-Cop retirement fund ransomware!!!
mirko_cro_Cop_najavaFightsite.jpg
 
Last edited:
  • Like
Reactions: Der.Reisende

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top