Unfortunately, new ransomware is discovered almost every day now, so it's not possible to write about every one of them. Sometimes, though, I see ones that are so ridiculous and offensive that I need to share them. It is even better when it's a ransomware that can be decrypted.

Recently, researcher Mosh shared his analysis of a new ransomware called MicroCop that S!Ri and TrendMicro discovered. When installed, this ransomware will encrypt your data using DES encryption and prepend the Locked. string to the name of every encrypted file. This means that a file called test.jpg will be renamed to Locked.test.jpg after it is encrypted.

It will then change the victim's wallpaper to a background that shows a picture of Anonymous stating the victim stole 48.48 bitcoins from them and they want it back before they will decrypt the files.

MicroCop Wallpaper & Ransom Note

Obviously this is not from Anonymous and is an outrageous demand, as 48 bitcoins is equivalent to $32,708.64 USD. Even more ridiculous is that these people leave the ransom note but provide no way for the victim to contact them to arrange payment or receive the decryption.

Making ransomware pisses me off to begin with, but to demand such an outrageous sum and not even provide a way for the user to actually get their files back is as low as you can get. Thankfully, Michael Gillespie was able to create a decryptor that allows a victim to get their files back for free.

Instructions on how a victim can use this decryptor, and get their files back, can be found in our . So if you are affected by this ransomware, just download and run the decryptor and you will be back to normal.

Files associated with the MicroCop Ransomware

%Temp%\8x8x8
%Temp%\PassW8.txt
%Temp%\Sqlite.dll
%Temp%\VCGTUY.vBS
%Temp%\wl.jpg
%Temp%\x.exe
%Temp%\y.exe
%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicroCop.lnk

Registry entries associated with the MicroCop Ransomware

HKCU\Control Panel\Desktop\Wallpaper	"%UserProfile%\AppData\Local\Temp\wl.jpg"
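
The indicators above can be checked on a suspect machine with a short read-only triage script. This is an added example, not part of the original article or the decryptor; the $ScanRoot parameter and the output layout are assumptions made for illustration.

```powershell
# Read-only triage for the MicroCop indicators listed on this page.
# It reports what it finds and changes nothing on the system.
param(
    # Assumption: folder tree to search for renamed files (defaults to the user profile).
    [string]$ScanRoot = $env:USERPROFILE
)

# File names exactly as listed under %Temp% in the article.
$tempArtifacts = '8x8x8', 'PassW8.txt', 'Sqlite.dll', 'VCGTUY.vBS', 'wl.jpg', 'x.exe', 'y.exe'
$startupLink   = Join-Path $env:USERPROFILE 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicroCop.lnk'

$findings = New-Object 'System.Collections.Generic.List[object]'

# 1. Dropped files in %Temp%. Several names are generic, so weigh hits together.
foreach ($name in $tempArtifacts) {
    $path = Join-Path $env:TEMP $name
    if (Test-Path -LiteralPath $path) {
        $findings.Add([pscustomobject]@{ Indicator = 'Temp artifact'; Detail = $path })
    }
}

# 2. Startup-folder shortcut.
if (Test-Path -LiteralPath $startupLink) {
    $findings.Add([pscustomobject]@{ Indicator = 'Startup shortcut'; Detail = $startupLink })
}

# 3. Wallpaper registry value pointing at the dropped wl.jpg.
$desktop = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name Wallpaper -ErrorAction SilentlyContinue
if ($desktop -and $desktop.Wallpaper -like '*\AppData\Local\Temp\wl.jpg') {
    $findings.Add([pscustomobject]@{ Indicator = 'Wallpaper value'; Detail = $desktop.Wallpaper })
}

# 4. Files renamed with the "Locked." prefix (test.jpg -> Locked.test.jpg).
$locked = @(Get-ChildItem -LiteralPath $ScanRoot -Recurse -File -Filter 'Locked.*' -ErrorAction SilentlyContinue)
if ($locked.Count -gt 0) {
    $findings.Add([pscustomobject]@{
        Indicator = 'Locked. files'
        Detail    = "$($locked.Count) found, first: $($locked[0].FullName)"
    })
}

if ($findings.Count -eq 0) {
    Write-Output 'No MicroCop indicators found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it as the affected user, since %Temp%, the Startup folder and the HKCU wallpaper value are all per-user locations.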