
MicroCop Ransomware Help & Support (Lock.* MIRCOP)


6 replies to this topic

#1 Demonslay335

Posted 28 June 2016 - 10:39 AM

Trend Micro blogged about a new ransomware dubbed MIRCOP. This ransomware encrypts files and appends "Lock." - for example, "file.jpg" would become "Lock.file.jpg".
 
The following screen is shown to the victim, suggesting that the victim has stolen 48.48BTC from a hacktivist group.
 
[Screenshot: mircop-note.jpg]
 
 
It appears this malware is dropped by a malicious spam message talking about Thai customs imports. It should also be noted that the malware appears to have code to steal credentials from popular browsers, Filezilla, and Skype. More details are available on TrendMicro's blog post: https://ssl-proxy-updated.herokuapp.com/746228f9bc8d0b19eb08022b41ce460c73281bda/687474703a2f2f626c6f672e7472656e646d6963726f2e636f6d2f7472656e646c6162732d73656375726974792d696e74656c6c6967656e63652f66696c65732f323031362f30362f6d6972636f702d6e6f74652e6a7067/
 
Analysis is still ongoing, but signs are showing this ransomware may be decryptable. If you have been hit by this malware, please post here.
 
I have released a decrypter for this ransomware, available here :) http://www.bleepingcomputer.com/download/microcop-decryptor/

Edited by Grinler, 28 July 2016 - 08:41 AM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.



#2 Demonslay335


Posted 29 June 2016 - 11:30 AM

I have built a basic decrypter for this ransomware. Please download the following program and run it on the infected system after removing the malware. It will search the same directories that the ransomware encrypts and decrypt any Lock.* files - the original encrypted files are left alone in the event decryption fails.

 

https://download.bleepingcomputer.com/demonslay335/MirCopDecrypter.zip




#3 al1963


Posted 29 June 2016 - 11:45 AM

@Demonslay335,

why did you call it MircopDecryptor instead of MicrocopDecryptor? :)

-----------

Oh, sorry, this aberration of mine probably occurred because it was next to Trend Micro :)


Edited by al1963, 29 June 2016 - 11:47 AM.


#4 Demonslay335


Posted 29 June 2016 - 11:50 AM

Just going off Trend Micro's name from their article. :) I didn't tear apart the malware itself to see any of the references, I just worked with the encryption script payload.




#5 Amigo-A


Posted 29 June 2016 - 12:44 PM

And why did it suddenly become MicroCop?
Where in the ransomware is there an indication of its own name?

Edited by Amigo-A, 29 June 2016 - 12:46 PM.

Need info about Crypto-Ransomware? A huge safe base here!

Digest about Crypto-Ransomwares (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology and links


#6 Amigo-A


Posted 02 July 2016 - 02:01 PM

Understood, I found the MicroCop.lnk at startup.




#7 death87


Posted 01 August 2016 - 02:53 AM

Hello,

just to say that I don't know if it's a new version, but I got a PC infected with this ransomware, and when I tried decrypting files with your program all files got decrypted except the ones in the "Desktop" folder.

What I did was copy all the files into the "Documents" folder and launch the decrypter again, and all files got decrypted.

 

Sorry for my bad English and thanks again for your effort.
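As an added example (not the decrypter's code and not from any poster in this thread), a Python triage helper that reflects two points raised above: the "Lock." name prefix described in post #1, and the Desktop folder that post #7 reports the decrypter skipped. The search roots are passed explicitly so a missed folder can be added, and the file names in the comments are constructed for illustration.

```python
from pathlib import Path

# Constructed for this example: MIRCOP prepends this marker to the file name
# ("file.jpg" becomes "Lock.file.jpg") rather than appending an extension.
LOCK_PREFIX = "Lock."


def original_name(name):
    """Strip the Lock. marker from a file name; None if the name is not marked."""
    if name.startswith(LOCK_PREFIX) and len(name) > len(LOCK_PREFIX):
        return name[len(LOCK_PREFIX):]
    return None


def inventory_locked_files(roots):
    """Walk each directory in roots and report every Lock.* file found.

    Returns (restore_map, conflicts, missing_roots):
      restore_map    encrypted path -> path a decrypted copy would be written to
      conflicts      encrypted paths whose restore target already exists, so a
                     restore step must not overwrite them blindly
      missing_roots  roots that do not exist (e.g. a relocated Desktop folder),
                     surfaced so a skipped location is visible, not silent
    """
    restore_map, conflicts, missing_roots = {}, [], []
    for root in map(Path, roots):
        if not root.is_dir():
            missing_roots.append(root)
            continue
        for path in root.rglob(LOCK_PREFIX + "*"):
            if not path.is_file():
                continue  # a folder whose name starts with "Lock." is not encrypted data
            restored = original_name(path.name)
            if restored is None:
                continue  # a bare "Lock." has no original name to restore to
            target = path.with_name(restored)
            restore_map[path] = target
            if target.exists():
                conflicts.append(path)
    return restore_map, conflicts, missing_roots


def summarize(roots):
    """Per-run counts, handy for confirming every user folder was actually covered."""
    restore_map, conflicts, missing = inventory_locked_files(roots)
    return {
        "locked": len(restore_map),
        "conflicts": len(conflicts),
        "missing_roots": [str(m) for m in missing],
    }
```

Run it over the profile folders (Documents, Desktop, Pictures, and so on) before decrypting, and compare the count against what the decrypter reports afterwards.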





