MicroCop Ransomware Help & Support (Lock.* MIRCOP)


6 replies to this topic

#1 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 2,666 posts
  • Gender:Male
  • Location:USA

Posted 28 June 2016 - 10:39 AM

Trend Micro blogged about a new ransomware dubbed MIRCOP. This ransomware encrypts files and appends "Lock." - for example, "file.jpg" would become "Lock.file.jpg".
 
The following screen is shown to the victim, suggesting that the victim has stolen 48.48BTC from a hacktivist group.
 
[Image: mircop-note.jpg (the MIRCOP ransom note screen)]
It appears this malware is dropped by a malicious spam message talking about Thai customs imports. It should also be noted that the malware appears to have code to steal credentials from popular browsers, Filezilla, and Skype. More details are available on Trend Micro's blog post: https://ssl-proxy.herokuapp.com/746228f9bc8d0b19eb08022b41ce460c73281bda/687474703a2f2f626c6f672e7472656e646d6963726f2e636f6d2f7472656e646c6162732d73656375726974792d696e74656c6c6967656e63652f66696c65732f323031362f30362f6d6972636f702d6e6f74652e6a7067/
 
Analysis is still on-going, but signs are showing this ransomware may be decryptable. If you have been hit by this malware, please post here.
 
I have released a decrypter for this ransomware, available here :) http://www.bleepingcomputer.com/download/microcop-decryptor/

Edited by Grinler, 28 July 2016 - 08:41 AM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]




#2 Demonslay335

    Ransomware Hunter

  • Topic Starter
  • Security Colleague
  • 2,666 posts
  • Gender:Male
  • Location:USA

Posted 29 June 2016 - 11:30 AM

I have built a basic decrypter for this ransomware. Please download the following program and run it on the infected system after removing the malware. It will search the same directories that the ransomware encrypts and decrypt any Lock.* files - the original encrypted files are left alone in the event decryption fails.

https://download.bleepingcomputer.com/demonslay335/MirCopDecrypter.zip



#3 al1963

  • Members
  • 733 posts

Posted 29 June 2016 - 11:45 AM

@Demonslay335,

why did you call it MircopDecryptor instead of MicrocopDecryptor? :)

-----------

Oh, sorry, this aberration of mine probably occurred because it was next to Trend Micro :)


Edited by al1963, 29 June 2016 - 11:47 AM.


#4 Demonslay335

    Ransomware Hunter

  • Topic Starter
  • Security Colleague
  • 2,666 posts
  • Gender:Male
  • Location:USA

Posted 29 June 2016 - 11:50 AM

Just going off Trend Micro's name from their article. :) I didn't tear apart the malware itself to see any of the references, I just worked with the encryption script payload.



#5 Amigo-A

  • Members
  • 159 posts
  • Gender:Male
  • Location:Third station from Sun

Posted 29 June 2016 - 12:44 PM

And why did it suddenly become MicroCop?
Where in the ransomware is there an indication of its own name?

Edited by Amigo-A, 29 June 2016 - 12:46 PM.

Digest of Crypto-Ransomware's (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology


#6 Amigo-A

  • Members
  • 159 posts
  • Gender:Male
  • Location:Third station from Sun

Posted 02 July 2016 - 02:01 PM

Understood, I found the MicroCop.lnk at startup.



#7 death87

  • Members
  • 1 post

Posted 01 August 2016 - 02:53 AM

Hello,

Just to say that I don't know if it's a new version, but I got a PC infected with this ransomware, and when I tried decrypting files with your program, all files got decrypted except the ones in the "Desktop" folder.

What I did was copy all the files into the "Documents" folder and launch the decrypter again, and all files got decrypted.

Sorry for my bad English and thanks again for your effort.
