Ransomware Says Victims Stole Money

Wednesday, July 6, 2016 @ 11:07 AM gHale

There is a new ransomware release that makes it look like the victim stole money, researchers said.

The new ransomware, called MIRCOP, issues a ransom note saying the victim stole 48.48 Bitcoins and they need to return the purloined funds.

Ransomware Decrypter Available
Ransomware Masked as Rockwell Update
Crypto-Ransomware Attacks on Rise
Ransomware Similar, but Different

To add insult to injury, the ransom note displays the hooded figure associated with the hacktivist group Anonymous, and offers little instruction on how the victim should pay the ransom. The note said the victim knows how to return the money and they know who to send the ransom demand to.

At 48.48 Bitcoins, the ransom amounts to $30,000, one of highest seen, but the ransom note threatens further action will end up taken if the victim doesn’t pay, said researchers at Trend Micro.

The ransom note does mention a Bitcoin address, although it doesn’t offer details on how victims can make crypto-currency transactions. To date no payment has gone to the address.

The MIRCOP ransomware goes out via spam emails representing a Thai customs form used when importing or exporting goods.

The document requests users enable macros to be able to sign it, but instead abuses Windows PowerShell to download and execute the malicious payload.

MIRCOP drops three files in the %Temp% folder: c.exe (a routine that steals information), and x.exe and y.exe (used to encrypt files). The new threat doesn’t append encrypted files with an extension, as other ransomware families out there do, but prepends files with the string “Lock.” And also encrypts common folders.

In addition to encrypting files on the infected machine, MIRCOP can steal credentials from various applications, including Mozilla Firefox, Google Chrome, Opera, FileZilla, and Skype, researchers said.

“Social engineering in the form of spam can lead to infection, especially when the malware employs underhanded tactics such as macro malware leveraging on PowerShell in attached files. Users should be careful when receiving mail from unknown sources and should refrain from downloading and opening their attachments if any,” Trend Micro researchers said.

Leave a Reply

You must be logged in to post a comment.