MIRCOP

MIRCOP targets the Windows OS and is distributed via email containing a malicious Word document designed to resemble a Thai customs form. If the document is opened and macros are enabled, a PowerShell script is downloaded and installed on the machine, which in turn installs and launches the ransomware. Once executed, MIRCOP drops the following three executable files into the %temp% folder: c.exe (steals information), x.exe, and y.exe (encrypts files). Files encrypted by MIRCOP are prepended with the word “Lock.” MIRCOP accuses the victim of stealing money, claims to know about the victim, and demands a ransom payment of 48.48 Bitcoin.
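
The behaviour described above can be turned into detection logic over file-creation events. The following is an added example, not code from Trend Micro or any tool linked on this page. It flags a host only when c.exe, x.exe and y.exe all appear in the same Temp directory, since each name alone is too generic, and separately when several files whose names begin with "Lock." appear. The event tuples, host names, threshold and the reading of "Lock." as a file-name prefix are assumptions.

```python
import ntpath
from collections import defaultdict

DROPPED = {"c.exe", "x.exe", "y.exe"}  # executable names listed in the profile
LOCK_PREFIX = "lock."   # assumption: "Lock." is prepended to the file name
LOCK_THRESHOLD = 3      # assumption: minimum renamed files before alerting

# Constructed (host, created-file path) events; not real telemetry.
SAMPLE_EVENTS = [
    ("WS-01", r"C:\Users\ann\AppData\Local\Temp\c.exe"),
    ("WS-01", r"C:\Users\ann\AppData\Local\Temp\x.exe"),
    ("WS-01", r"C:\Users\ann\AppData\Local\Temp\y.exe"),
    ("WS-01", r"C:\Users\ann\Documents\Lock.report.docx"),
    ("WS-01", r"C:\Users\ann\Documents\Lock.budget.xlsx"),
    ("WS-01", r"C:\Users\ann\Pictures\Lock.photo.jpg"),
    ("WS-02", r"C:\Users\bob\AppData\Local\Temp\x.exe"),   # lone generic name
    ("WS-02", r"C:\Users\bob\Pictures\Lock.screen.png"),   # single benign file
    ("WS-03", r"D:\Share\Lock.a.pdf"),
    ("WS-03", r"D:\Share\Lock.b.pdf"),
    ("WS-03", r"D:\Share\Lock.c.pdf"),
]

def in_temp(directory):
    """True if any component of the Windows path is a Temp folder."""
    return "temp" in directory.lower().split("\\")

def triage(events):
    """Return {host: verdict} for hosts matching the profile's file artifacts."""
    drops = defaultdict(set)    # (host, temp dir) -> dropped names seen there
    locked = defaultdict(int)   # host -> count of "Lock."-prefixed files
    for host, path in events:
        directory, name = ntpath.split(path)  # parses Windows paths on any OS
        name = name.lower()
        if name in DROPPED and in_temp(directory):
            drops[(host, directory.lower())].add(name)
        elif name.startswith(LOCK_PREFIX):
            locked[host] += 1
    findings = {}
    for (host, _), names in drops.items():
        if names == DROPPED:    # require all three in one directory
            findings[host] = "dropper"
    for host, count in locked.items():
        if count >= LOCK_THRESHOLD:
            findings[host] = "dropper+encryption" if host in findings else "encryption"
    return findings

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, verdict)
```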

  • Trend Micro provides more information about MIRCOP here.
     
  • Bleeping Computer provides a free decryption tool for MIRCOP here.
     
  • Avast also provides a free decryption tool for MIRCOP (Crypt888), available here.
 
One example of the MIRCOP variant. Image Source: Trend Micro
