Severity scale: 99/100

MIRCOP Ransomware virus. How to remove? (Uninstall guide)

Removal by Julie Splinters | Also known as Crypt888 | Type: Ransomware

MIRCOP ransomware – the “Anonymous” copycat

While ordinary ransomware viruses focus on attacking ordinary users’ personal information, some of them, such as MIRCOP virus (also known as Microcop or Crypt888 ransomware), act as if the hackers are the victims themselves. However, this does not lessen the destructiveness of this particular virus. It has a few distinctive features which make MIRCOP virus stand out from the majority of recent threats. For example, the virus demands an unbelievably huge ransom. In this article, we will present the vital information about this malware and the ways to remove MIRCOP virus from your computer. Keep in mind that automatic antivirus utilities such as Reimage come in handy when eliminating such infections from the infected devices.

The hackers behind Crypt888 ransomware seem to have taken a liking to the Internet hacktivist group called “Anonymous.” Judging by the ransom note, it may seem that the creators of the ransomware belong to this particular organization. Nevertheless, it may well be that the virus owners only impersonate the group to appear more respectable, while their real relation to it is highly questionable. The note reads as follows:

Hello,
You’ve stolen 48.48 BTC from the wrong people, please be so kind to return them and we will return your files.
Don’t take us for fools, we know more about you than you know about yourself.
Pay us back and we won’t take further action, don’t pay and be prepared.

The screenshot of MIRCOP ransomware

Just below the note, the hackers indicate a Bitcoin address to which the victim is told to send 48,48 BTC, i.e., more than 28,00.00 USD! Luckily, no financial transactions have been made to this account so far, but the drama typical of the “Anonymous” messages puts a lot of pressure on the victims. If your company’s data has been attacked by MIRCOP, do not consider paying up, as there are absolutely no guarantees that the cyber criminals will be kind enough to return the locked data. Instead, you should focus on MIRCOP removal. In addition, you might try data recovery programs, such as PhotoRec or R-studio, or go to the end of this article to find other data recovery recommendations.

As for the peculiarities of this ransomware, the infection seems to be related to another file-locking cyber threat called .Locked, which was launched a couple of months before MIRCOP. It also used the same “Anonymous” trademark logo – Guy Fawkes’s mask – and appended a similar extension. In this case, the virus places the string “Lock.” in front of the name of the corrupted folder. For example, the files will be encoded as Lock.My Pictures or Lock.My Documents. Lastly, the cyber criminals try to pressure the users into paying by claiming, as a form of blackmail, that the victims have stolen money from unknown “very important” people. MIRCOP threat is surely one of the novelties among recent ransomware.

The screenshot of MIRCOP ransomware note 2

Another interesting and concerning feature of this virus is that it does not limit itself to file encryption: it also steals users’ login credentials from various browsers and from social networking applications such as Skype. Similar techniques have already been used by other ransomware, for instance CryptXXX. This is especially useful if the malware creators decide to blackmail the users by threatening to expose their private information to the public. Also, some of the collected information may be sensitive enough to be used to break into the victims’ bank accounts and steal money from them directly.

How do hackers plant this ransomware on the victims’ computers?

Reportedly, Crypt888 is distributed via a malicious spam campaign. The targeted users receive a fake Thai customs declaration form. It is a Word document which contains an embedded malicious macro. If macros are enabled by default on the targeted computer, the virus will use Windows PowerShell to download and set itself up on the computer. It is now clear that the virus downloads the infectious script from the suspicious address hxxp://www[.]blushy[.]nl/u/putty.exe, a domain which, interestingly enough, redirects to a Dutch online adult shop.

Later on, the virus downloads three main files which are responsible for the rest of the havoc on the computer: c.exe, which is responsible for stealing information, and x.exe and y.exe, which encode the personal files. It is quite a popular strategy among ransomware developers to imitate official institutions in order to trick users into opening the infected attachments. Remain very cautious when opening and downloading attachments of such emails. Always keep in mind that the credentials of an official company or institution do not necessarily mean that the email is legitimate. In addition, you should improve the overall protection of the computer by installing a trustworthy anti-spyware program which would not only block the malware but will also decrease the number of received spam emails.
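The chain described above (a Word document starting PowerShell, which then fetches and runs further executables) can be looked for in process-creation logs. The following is an added example, not code from the original article or from any security product: the event fields are modelled on Sysmon process-creation records, while the sample events, file paths, drop location and the example.invalid URL are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# File names from the article; putty.exe is also a legitimate SSH client name,
# so a name match only counts when the process descends from an Office application.
ARTICLE_NAMES = {"putty.exe", "c.exe", "x.exe", "y.exe"}
URL_RE = re.compile(r"https?://\S+", re.I)

def exe(path):
    return PureWindowsPath(path).name.lower()

def triage(events):
    """Return (rule, image name) for every process descended from Office."""
    tainted = set()   # ProcessGuids that have an Office application as ancestor
    findings = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        image = exe(ev["Image"])
        from_office = exe(ev["ParentImage"]) in OFFICE_APPS
        if not from_office and ev["ParentProcessGuid"] not in tainted:
            continue
        tainted.add(ev["ProcessGuid"])
        if image in SCRIPT_HOSTS:
            has_url = URL_RE.search(ev["CommandLine"])
            rule = "office-script-host-url" if has_url else "office-script-host"
        elif image in ARTICLE_NAMES:
            rule = "article-file-name"
        else:
            rule = "office-descendant"
        findings.append((rule, image))
    return findings

def event(time, guid, parent_guid, parent_image, image, cmdline):
    return {"UtcTime": time, "ProcessGuid": guid, "ParentProcessGuid": parent_guid,
            "ParentImage": parent_image, "Image": image, "CommandLine": cmdline}

TMP = r"C:\Users\u\AppData\Local\Temp"   # assumed drop location, not from the article
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\WINWORD.EXE"
# Constructed sample events, not captured from a real infection.
SAMPLE = [
    event("2024-01-01 10:00:01", "g1", "g0", r"C:\Windows\explorer.exe", WORD, "WINWORD.EXE form.doc"),
    event("2024-01-01 10:00:07", "g2", "g1", WORD, PS, "powershell.exe [elided] http://example.invalid/u/putty.exe"),
    event("2024-01-01 10:00:15", "g3", "g2", PS, TMP + r"\putty.exe", "putty.exe"),
    event("2024-01-01 10:00:20", "g4", "g3", TMP + r"\putty.exe", TMP + r"\c.exe", "c.exe"),
    event("2024-01-01 10:00:21", "g5", "g3", TMP + r"\putty.exe", TMP + r"\x.exe", "x.exe"),
    event("2024-01-01 10:05:00", "g9", "g8", r"C:\Windows\explorer.exe", r"C:\Tools\putty.exe", "putty.exe"),
]
if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

The last sample event, a putty.exe started from Explorer, produces no finding because it has no Office ancestor; matching on the file name alone would have flagged it.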

Recommendations for the MIRCOP removal: 

The first thing you should do when you are infected with MIRCOP virus is to run a system scan with a malware removal application: antivirus, anti-spyware or anti-malware. If one of these programs fails to eliminate the virus, you can try another. Eventually, one utility will take care of the threat and remove MIRCOP from your PC. Unfortunately, this method does not help decrypt the locked files. You might try retrieving them with the help of the previously mentioned data recovery applications or reconstruct them from a backup copy. If you do not have one, make sure you make one for your future files. It is not difficult to back up valuable information using the backup function of the operating system. Please note that this must be done only AFTER the MIRCOP removal. If you still cannot run the respective programs or launch some essential OS functions, feel free to use the recovery guidelines presented below and run the system scan once again.

To remove MIRCOP Ransomware virus, follow these steps:

Remove MIRCOP Ransomware using Safe Mode with Networking

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window.
  • Step 2: Remove MIRCOP Ransomware

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete MIRCOP Ransomware removal.

If your ransomware is blocking Safe Mode with Networking, try the next method.

Remove MIRCOP Ransomware using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe (without quotes) and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point that is prior to the infiltration of MIRCOP Ransomware. After doing that, click Next.
    4. Now click Yes to start system restore.
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that MIRCOP Ransomware removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove MIRCOP Ransomware from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

Though this virus has been a mystery to the virus experts for quite some time, finally, there is a breakthrough in the virus decryption. AVG has released Crypt888 decryptor which can be downloaded from the official AVG website or by clicking the previously indicated link. If, however, your device is infected with some new virus variant and the decryption tool is incapable of recovering your files, you can try out the instructions below to do that.   

If your files are encrypted by MIRCOP Ransomware, you can use several methods to restore them:

Data Recovery Pro instructions for MIRCOP data recovery

Data Recovery Pro is a data recovery program designed to recover accidentally lost data, but it may as well be used to bypass the MIRCOP encryption and retrieve your files. You can try this method out using the instructions below:

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by MIRCOP Ransomware;
  • Restore them.

How to use Windows Previous Versions feature for the data recovery after MIRCOP encryption

The Windows Previous Versions feature is rather easy to use. All the steps you should take are provided below. However, you should not forget that this feature will only be functional if the System Restore function was enabled pre-infiltration. If it wasn’t, you can skip the further instructions and move on to other data recovery methods.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Instructions for data recovery using ShadowExplorer

ShadowExplorer can be a useful feature for restoring data locked by less complex ransomware. Though it may not work for MIRCOP in particular, we still recommend you to try it out and perhaps you will manage to get at least a few of your personal files back.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Crypt888 decryptor method

The best and most guaranteed way of recovering your data is by using the Crypt888 decryptor. Just download the program and follow the further instructions provided by its developers.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from MIRCOP Ransomware and other ransomware, use a reputable anti-spyware, such as Reimage, Malwarebytes, Combo Cleaner or Plumbytes Anti-Malware.

About the author

Julie Splinters - Malware removal specialist