June – Month Of MIRCOP Crypto-Ransomware
Computer threats are a constant topic for PC security researchers and users alike, and these days ransomware dominates the discussion. This June we are seeing different ransomware families with different behaviour: the GOOPIC ransomware shows a deadline for payment, RAA comes with password-stealing capabilities, and a JIGSAW variant offers chat support. But among all of these we have found a unique behaviour in MIRCOP Crypto-Ransomware.
MIRCOP Crypto-Ransomware is detected as RANSOM_MIRCOP.A by researchers and anti-spyware programs. It blames the user for wrongdoing and, with that, gives no instructions on how to pay the ransom. It appears the crooks behind it assume the victim already knows how to pay.
Its dropped ransom note shows a hooded figure wearing a Guy Fawkes mask and suggests that the victim has been targeted by the notorious hacktivist group. It also claims the user may be threatened further if the ransom is not paid.
MIRCOP Crypto-Ransomware demands 48.48 bitcoin, approximately US$28,730.70, which is a very large amount among ransomware families. The crooks leave a bitcoin address at the end of the note. Other ransomware programs usually leave step-by-step instructions on how to make the ransom payment, but MIRCOP Crypto-Ransomware does not; it assumes the victim already knows how bitcoin transactions work. The bitcoin address has been checked and, as of now, no payment has been made.
How MIRCOP Crypto-Ransomware Comes In System
MIRCOP Crypto-Ransomware gets into the system through a spam e-mail attachment posing as a document. The document purports to be a Thai Customs form of the kind used when importing and exporting goods. It is a macro-enabled document that misuses Windows PowerShell to download and execute the ransomware, and it carries the usual text urging the user to enable macros.
When the user opens the document and enables the macro, it connects to the compromised link hxxp://www[.]blushy[.]nl/u/putty.exe to download and execute the threat. The hosting website is odd enough: it is an online adult shop in Dutch.
Once executed, the ransomware immediately drops three files into the %temp% folder, named c.exe, x.exe and y.exe. c.exe is responsible for stealing information, while x.exe and y.exe perform the file encryption.
Instead of appending an extension to encrypted files, this one prepends the string “Lock.” to the file name. Files in common folders are also encrypted. When an encrypted file is opened, its content has been changed to unreadable characters.
Alongside the encryption activity, MIRCOP Crypto-Ransomware steals confidential credentials from programs such as Mozilla Firefox, Google Chrome, Opera, Skype and FileZilla.
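The infection chain described above (Office macro launching PowerShell to fetch a payload, droppers c.exe/x.exe/y.exe written to %temp%, and the “Lock.” filename prefix on encrypted files) gives a defender three concrete things to hunt for in endpoint telemetry. The following is an added example, not code from the original post; the process and file events are constructed samples modelled on Sysmon/EDR fields, and the URL in them is a placeholder.

```python
import ntpath

# Constructed sample telemetry (not from the original post).
PROCESS_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden hxxp://example[.]invalid/u/putty.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
]
FILE_EVENTS = [
    r"C:\Users\alice\AppData\Local\Temp\c.exe",
    r"C:\Users\alice\AppData\Local\Temp\x.exe",
    r"C:\Users\alice\AppData\Local\Temp\notes.txt",
    r"C:\Users\alice\Documents\Lock.budget.xlsx",
    r"C:\Users\alice\Documents\budget.xlsx",
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
DROPPED_NAMES = {"c.exe", "x.exe", "y.exe"}  # dropper names given in the post

def office_spawned_powershell(events):
    """An Office application starting PowerShell with a URL on the command line."""
    hits = []
    for ev in events:
        parent = ntpath.basename(ev["parent"]).lower()
        child = ntpath.basename(ev["image"]).lower()
        if parent in OFFICE_PARENTS and child == "powershell.exe" \
                and "://" in ev["cmdline"]:
            hits.append(ev["cmdline"])
    return hits

def temp_droppers(paths):
    """Files named c.exe / x.exe / y.exe written under a Temp directory."""
    return [p for p in paths
            if ntpath.basename(p).lower() in DROPPED_NAMES
            and "\\temp\\" in p.lower()]

def lock_prefixed(paths):
    """MIRCOP marks encrypted files by prepending 'Lock.' to the file name."""
    return [p for p in paths if ntpath.basename(p).startswith("Lock.")]

def triage(events, paths):
    """Run all three checks and return the matches grouped by indicator."""
    return {"office_powershell": office_spawned_powershell(events),
            "temp_droppers": temp_droppers(paths),
            "lock_prefixed": lock_prefixed(paths)}
```

A single “Lock.” hit on a user's documents is the strongest of the three signals; the Office-to-PowerShell rule fires before any file is encrypted, so it is the one to alert on in real time.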
So users should be cautious before opening any mail received from unknown sources.
Infected users can take advantage of free tools such as the Trend Micro Lock Screen Ransomware Tool, which can detect and remove screen-locker ransomware. The Trend Micro Crypto-Ransomware File Decryptor Tool can decrypt certain variants of crypto-ransomware without any need for payment or a decryption key.
The following SHA1 hashes of files are associated with this attack: