Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · Oct 2016

How to remove MIRCOP Ransomware virus

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Julie Splinters · Anti-malware specialist

MIRCOP ransomware – the “Anonymous” copycat

While ordinary ransomware viruses focus on attacking ordinary users’ personal information, some of them, such as MIRCOP virus (also known as Microcop or Crypt888 ransomware), act as if the hackers are the victims themselves. However, this does not lessen the destructiveness of this particular virus. It has a few distinctive features which make MIRCOP virus stand out from the majority of recent threats. For example, the virus demands an unbelievably huge ransom. In this article, we will present the vital information about this malware and the ways to remove MIRCOP virus from your computer. Keep in mind that automatic antivirus utilities such as FortectIntego come in handy when eliminating such infections from the infected devices.

The hackers behind Crypt888 ransomware seem to get a liking of the Internet hactivist group called “Anonymous.” Regarding the ransom note, it may seem that the creators of the ransomware belong to this particular organization. Nevertheless, it might as well be that virus owners only impersonate the mentioned group to pose themselves as more respectable, while their real relation to this group is highly questionable. The note goes as follows:

Hello,
You’ve stolen 48.48 BTC from the wrong people, please be so kind to return them and we will return your files.
Don’t take us for fools, we know more about you than you know about yourself.
Pay us back and we won’t take further action, don’t pay and be prepared.

The screenshot of MIRCOP rasnomware

Just below the note, the hackers indicate a Bitcoin address to which the victim is demanded to send 48,48 BTC, i.e., more than 28,00.00 USD! Luckily, no financial transactions have been made to this account so far, but the drama typical to the “Anonymous” messages puts a lot of pressure on the victims. If your company‘s data has been under MIRCOP’s attack, do not consider paying up as there are absolutely no guarantees that the cyber criminals will be kind enough to return the locked data. Instead, you should focus on MIRCOP removal. In addition, you might try data recovery programs, such as PhotoRec, R-studio or go to the end of this article in order to find other data recovery recommendations. 

Speaking more about the peculiarities of this ransomware, it seems that the infection is related to another file-locking cyber threat called .Locked, which was launched a couple of months before the MIRCOP. It also used the same “Anonymous” trademark logo – Guy Fawkes’s mask – and appended a similar extension. In this case, the virus attaches the extension “Lock.” in front of the corrupted folder. For example, the files will be encoded as Lock.My Pictures or Lock.My Documents. Lastly, the cyber criminals try to pressure the users to pay the money by blackmailing as if they have stolen some money from unknown “very important” people. MIRCOP threat is surely one of the novelties among recent ransomware.

The screenshot of MIRCOP rasnomware note 2

Another interesting and concerning feature of this virus is that it does not limit itself to the file encryption and steals users login credentials from various browsers and social networking applications such as Skype. Similar techniques have already been used by other ransomware, for instance CryptXXX. This is especially useful if the malware creators decide to a blackmail the users by threatening to expose their private information to the public. Also, some of the collected information may be sensitive enough to be used to break into the victims’ bank accounts and steal money from them directly. 

How do hackers plant this ransomware on the victims’ computers?

Reportedly, Crypt888 is distributed via the malicious spam campaign. The targeted users receive a fake Thai customs declaration form. It is a Word document which contains embedded malicious macro settings. If the infected computer’s macro settings are enabled by default, the virus will use the Windows PowerShell to download and set up the virus on the computer. It is now clear that the virus downloads the infectious script from a suspicious hxxp://www[.]blushy[.]nl/u/putty.exe domain, which, interestingly enough, redirects to a Dutch online adult shop.

Later on, the virus downloads three main files which are responsible for the rest of the havoc on the computer: c.exe, responsible for stealing information as well as x.exe and y.exe files, which encode the personal files. It is quite a popular strategy among the ransomware developers to imitate official institutions to convince users into opening the infected attachments. Remain very cautious when opening and downloading attachments of such emails. Always keep in mind that the credentials of official company do not necessarily mean that the email is legitimate. In addition, you should improve the overall protection of the computer by installing a trustworthy anti-spyware program which would not only block the malware but will also decrease the number of received spam emails.

Recommendations for the MIRCOP removal: 

What you should first do when you are infected with MIRCOP virus, is to run the system scan with a malware removal application: antivirus, anti-spyware or anti-malware. If one of these programs fails to eliminate the virus, you can another. Eventually, one utility will take care of the threat and remove MIRCOP from your PC. Unfortunately, this method does not help decrypt the locked files. You might try retrieving them with the help of previously mentioned data recovery applications or reconstruct them from a backup copy. If you do not have it, make sure you make one for your future files. It is not difficult to back up the valuable information using the backup function of the operating system. Please note that this must be done only AFTER the MIRCOP removal. If you still cannot run the respective programs or launch some essential OS functions, feel free to use the recovery guidelines presented below and run the system scan once again.

5 comments

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.