Ransomware behavior has been the talk of the town. We have seen oddly long ransom payment deadlines from GOOPIC, password-stealing capabilities from RAA, and chat support from the latest JIGSAW variant, and all of these are incidents discovered just this June. Among these new behaviors, we came across a unique one in the MIRCOP crypto-ransomware.
Detected as RANSOM_MIRCOP.A, MIRCOP places the blame on its victims and gives them no instructions on how to pay the ransom. In fact, it assumes that victims already know how to pay the attackers back.
Figure 1. MIRCOP ransom note
The emphasis on paying them back paints a situation in which the victims already know who to send the ransom to. The note, which displays a hooded figure in a Guy Fawkes mask, suggests that the victims have “stolen” from a notorious hacktivist group and threatens further action if they are unable to pay.
MIRCOP demands that users pay a ransom of 48.48 bitcoins (US$ 28,730.70 as of June 23, 2016), which is among the highest demands we have seen. At the end of the note, the author leaves a bitcoin address. Unlike other ransomware notes, where victims are instructed step by step on how to make the payment, MIRCOP assumes that the victim is already familiar with making bitcoin transactions. We checked the address and, as of this writing, no payments have been made to it.
Figure 2. Bitcoin payment address
MIRCOP arrives via spam email with an attached document. The document purports to be a Thai customs form used when importing or exporting goods. It is a macro-enabled document that abuses Windows PowerShell to download and execute the ransomware. The document also contains text prompting the user to enable the macro.
Figure 3. Malicious attachment
After the user opens the file and enables the macro, the machine connects to a compromised URL, hxxp://www[.]blushy[.]nl/u/putty.exe, to download and execute the malware. Oddly enough, the compromised website links to a Dutch-language online adult shop.
Once the ransomware is executed, it drops three files in %temp%: c.exe is a routine that steals information, while x.exe and y.exe encrypt files.
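The infection chain above (a macro-enabled document that launches PowerShell to fetch the payload) is visible in endpoint process-creation telemetry as an Office application spawning a script host. The following detector is an added example, not code from the original post or from Trend Micro: it parses a simplified, constructed log format using Sysmon-style field names (ParentImage, Image, CommandLine) and flags Office-to-script-host parent/child pairs. The sample log lines are made up for this example.

```python
"""Flag Office applications spawning script hosts in process-creation logs.

Added example (not from the original post). The log format is a constructed,
simplified Sysmon Event ID 1-style record: key=value pairs separated by '|'.
The field names follow Sysmon's naming; the sample lines are made up.
"""
from dataclasses import dataclass

# Parent processes that should rarely launch a script host on a user workstation.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Child processes worth alerting on when an Office application is the parent.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Constructed sample telemetry (not real logs from the incident).
SAMPLE_LOG = """\
UtcTime=2016-06-23 09:14:02|ParentImage=C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell.exe -w hidden -nop
UtcTime=2016-06-23 09:14:05|ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell.exe Get-Process
UtcTime=2016-06-23 09:15:11|ParentImage=C:\\Program Files\\Microsoft Office\\Office15\\EXCEL.EXE|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe
UtcTime=2016-06-23 09:16:40|ParentImage=C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c dir
"""


@dataclass
class Alert:
    time: str
    parent: str
    child: str
    command_line: str
    reason: str


def parse_line(line):
    """Split one 'key=value|key=value' record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_office_script_spawn(log_text):
    """Return an Alert for every record where an Office app spawns a script host."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        parent = basename(rec.get("ParentImage", ""))
        child = basename(rec.get("Image", ""))
        if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
            cmd = rec.get("CommandLine", "")
            reason = f"{parent} spawned {child}"
            # A hidden window is a common sign the user was not meant to see it.
            if "-w hidden" in cmd.lower() or "-windowstyle hidden" in cmd.lower():
                reason += " with a hidden window"
            alerts.append(Alert(rec.get("UtcTime", "?"), parent, child, cmd, reason))
    return alerts


if __name__ == "__main__":
    for alert in detect_office_script_spawn(SAMPLE_LOG):
        print(f"[{alert.time}] {alert.reason}: {alert.command_line}")
```

Real deployments would consume Sysmon or EDR events directly rather than this line format, and would tune the parent/child lists for environments where Office legitimately launches scripts, but the parent/child relationship is the signal that survives changes to the macro, the download URL and the payload name.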
Figure 4. MIRCOP payload
Instead of appending an extension to encrypted files, MIRCOP prepends the string “Lock.” to their file names. It also encrypts common folders. When the files are opened, their content is displayed as unreadable characters.
Figure 5. Appended files and sample infected file
Apart from its encryption routine, MIRCOP is also capable of stealing credentials from programs such as Mozilla Firefox, Google Chrome, Opera, Filezilla, and Skype.
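The two host artifacts described above, the dropped c.exe, x.exe and y.exe in %temp% and the “Lock.” prefix on encrypted file names, are enough to build a read-only triage script for an affected machine. The following is an added example, not code from the original post or from Trend Micro; it assumes the prefix is exactly `Lock.` (including the dot) and that the dropped files keep the names given in the post, and it constructs its own sample directory tree so it runs offline. It only lists and hashes files; it never modifies or deletes them.

```python
"""Read-only triage helper for a MIRCOP-style infection.

Added example, not code from the original post. It inventories files whose
names carry the "Lock." prefix and hashes any of the three dropped executables
found in the temp directory. The prefix and file names are assumptions taken
from the post's description; the sample directory tree is constructed here.
"""
import hashlib
import os
import tempfile

LOCK_PREFIX = "Lock."                      # assumed exact marker on encrypted files
DROPPED_NAMES = {"c.exe", "x.exe", "y.exe"}  # dropped payload names from the post


def sha1_of_file(path):
    """SHA1 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_locked_files(root):
    """Return sorted paths of files under root whose base name starts with LOCK_PREFIX."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith(LOCK_PREFIX):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def find_dropped_payloads(temp_dir):
    """Return {name: sha1} for each dropped executable present in temp_dir."""
    found = {}
    for name in sorted(DROPPED_NAMES):
        path = os.path.join(temp_dir, name)
        if os.path.isfile(path):
            found[name] = sha1_of_file(path)
    return found


def original_name(locked_path):
    """Strip the prefix to recover the name the file had before encryption."""
    base = os.path.basename(locked_path)
    return base[len(LOCK_PREFIX):] if base.startswith(LOCK_PREFIX) else base


def triage(root, temp_dir):
    """Summarise locked files under root and dropped payloads in temp_dir."""
    locked = find_locked_files(root)
    return {
        "locked_count": len(locked),
        "original_names": [original_name(p) for p in locked],
        "dropped": find_dropped_payloads(temp_dir),
    }


def build_sample_tree():
    """Create a constructed directory layout resembling an affected machine."""
    root = tempfile.mkdtemp(prefix="mircop_triage_")
    docs = os.path.join(root, "Documents")
    temp = os.path.join(root, "Temp")
    os.makedirs(docs)
    os.makedirs(temp)
    # Two "encrypted" documents (constructed junk bytes) and one untouched file.
    for name, data in [
        ("Lock.report.docx", b"\x8f\x1a\x00\x42garbled"),
        ("Lock.budget.xlsx", b"\x7e\x03\x91junk"),
        ("untouched.txt", b"hello"),
    ]:
        with open(os.path.join(docs, name), "wb") as f:
            f.write(data)
    # Two of the three dropped names plus an unrelated temp file; contents are placeholders.
    for name in ("c.exe", "x.exe", "unrelated.tmp"):
        with open(os.path.join(temp, name), "wb") as f:
            f.write(b"MZ-placeholder-" + name.encode())
    return root, docs, temp


if __name__ == "__main__":
    root, _docs, temp = build_sample_tree()
    for key, value in triage(root, temp).items():
        print(f"{key}: {value}")
```

On a real host you would point `triage` at the user profile and `%TEMP%` and compare the returned SHA1 values against the hashes published for this family; the recovered original names give an inventory of what needs restoring from backup.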
Social engineering in the form of spam can lead to infection, especially when the malware employs underhanded tactics such as macro malware that leverages PowerShell from attached files. Users should be careful when receiving mail from unknown sources and should refrain from downloading and opening any attachments.
Trend Micro Solutions
Trend Micro offers different solutions to protect enterprises, small businesses, and home users to help minimize the risk of getting affected by crypto-ransomware.
Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities, such as behavior monitoring, application control, and vulnerability shielding, that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers, whether physical, virtual, or in the cloud.
For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities, such as behavior monitoring and real-time web reputation, in order to detect and block ransomware.
For home users, Trend Micro Security 10 provides robust protection against ransomware, by blocking malicious websites, emails, and files associated with this threat.
Users can likewise take advantage of our free tools such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware, as well as the Trend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt certain variants of crypto-ransomware without paying the ransom or using the decryption key.
Files with the following SHA1 hashes are associated with this attack:
With additional analysis by Ruby Santos