Ransomware crooks take a different approach to extorting cash from their victims, use threatening messages

Jun 26, 2016 21:30 GMT

A new strain of ransomware named MIRCOP poses as a robbed member of the Anonymous hacker group, asking users to give money back or have their files locked forever.

MIRCOP is one of the non-standard ransomware families that deviate from the regular modus operandi most ransomware variants follow these days.

MIRCOP uses threatening language in the ransom note, hoping to scare users and thus make a quick buck. The crooks behind this ransomware are leveraging Anonymous' reputation and using a man with a Guy Fawkes mask on for the ransom note's background. Below is MIRCOP's ransom note text:

  Hello, // You've stolen 48.48 BTC from the wrong people, please be so kind to return them and we will return your files. // Don't us for fools, we known more about you than you know about yourself. // Pay us back and we won't take further action, don't pay us and be prepared.  

As you can see, the crooks don't mince words and take a threatening tone. The ransom note also doesn't feature any payment instructions, but only a Bitcoin wallet address.

The group expects victims to figure out how to buy Bitcoin and make the payment on their own.

MIRCOP asks for over $30,000

Another thing that stands out right away is the huge ransom demand of 48.48 Bitcoin (~$31,200). Most ransomware variants never go over $500, and you rarely see ransomware asking for more than $1,000.

At the time of writing, the Bitcoin address associated with this ransomware campaign doesn't show any transactions, meaning no victim has paid the ransom.

Trend Micro, the security firm that discovered this threat, says that the group behind MIRCOP is spreading the ransomware using spam email.

MIRCOP is spread via malicious Word documents

The emails carry a Word document posing as a Thai customs form, which asks users to enable macro support. Trend Micro says that activating macros would start a PowerShell script that downloads, installs and executes the ransomware.

Another peculiarity is that MIRCOP doesn't append a special extension to the names of encrypted files, but instead adds a "Lock" prefix.
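As a defender-side illustration (an added example, not code from the article or from Trend Micro), the script below inventories files carrying that "Lock" name prefix and adds a byte-entropy check so that legitimately named files such as "Lockfile.txt" are not mistaken for encrypted ones; the exact form of the prefix, the 4 KiB sample size and the 7.5 bits/byte threshold are assumptions, and the sample tree it scans is constructed.

```python
import math
import os
import tempfile
from pathlib import Path

# Assumptions, not taken from the article: the marker is the literal string
# "Lock" at the start of the file name, and content with more than 7.5 bits
# of entropy per byte (measured over the first 4 KiB) is treated as encrypted.
PREFIX = "Lock"
SAMPLE_BYTES = 4096
ENTROPY_THRESHOLD = 7.5

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_encrypted(path: Path) -> bool:
    """Heuristic: the file's leading bytes are close to uniformly distributed."""
    with open(path, "rb") as f:
        return shannon_entropy(f.read(SAMPLE_BYTES)) > ENTROPY_THRESHOLD

def find_locked_files(root: str) -> dict:
    """Walk `root`; "suspect" holds Lock*-named files with high-entropy content
    (consistent with encryption), "benign_prefix" holds Lock*-named files with
    ordinary content (e.g. a note called "Lockfile.txt"), so a name match alone
    is never reported as an infection."""
    result = {"suspect": [], "benign_prefix": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith(PREFIX):
                p = Path(dirpath) / name
                bucket = "suspect" if looks_encrypted(p) else "benign_prefix"
                result[bucket].append(str(p))
    return result

def demo() -> dict:
    """Scan a constructed sample tree (not real MIRCOP output); return the buckets."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "Lockreport.docx").write_bytes(os.urandom(8192))  # stands in for an encrypted file
        Path(tmp, "Lockfile.txt").write_text("plain text lock note\n" * 50)  # benign name match
        Path(tmp, "budget.xlsx").write_bytes(b"PK\x03\x04" + bytes(100))  # untouched file
        return find_locked_files(tmp)

if __name__ == "__main__":
    print(demo())
```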

Just like the RAA ransomware, which came hand in hand with the Pony infostealer, MIRCOP also features a built-in credential-stealing routine that can collect passwords from Mozilla Firefox, Google Chrome, Opera, FileZilla, and Skype.

As always, our advice is to stay away from spam files and stop enabling macros in Word files you receive from unknown people. Keeping regular backups of your most important files is also a good idea, especially with all the nasty ransomware going around.

Image captions: MIRCOP ransom note; Files encrypted with the MIRCOP ransomware