MIRCOP Ransomware - How To Remove?


MIRCOP ransomware (also detected as RANSOM_MIRCOP.A), just like the notorious CryptXXX ransomware, also acts as spyware: not only does it encrypt data, it also steals the victim’s sensitive information (e.g. login credentials for bank accounts). The graphics of its ransom note allude to the Anonymous group of hacktivists, which is well known for its DDoS (distributed denial-of-service) attacks on religious, corporate and government websites. To be more precise, the MIRCOP file encoder uses their trademark logo, the Guy Fawkes mask. It is important to note, however, that the use of the logo does not mean these hackers are linked to that group of hacktivists.

About MIRCOP Ransomware

When the ransomware is activated, the victim is redirected to the following domain: hxxp://www[.]blushy[.]nl/u/putty.exe. This site, in turn, reroutes to an online adult shop with a Dutch IP address. MIRCOP then abuses Windows PowerShell to download and execute three files: c.exe, which steals the data, and x.exe and y.exe, which encrypt the data. All three files are dropped into the %Temp% folder. Another peculiarity of this cryptomalware is the way it appends its extension. Rather than adding a trailing extension, this malicious program prepends ‘‘Lock.’’ to the filename of every corrupted file. For instance, ‘‘file.doc’’ becomes ‘‘Lock.file.doc’’. The same ‘‘Lock.’’ prefix is added to the names of the folders containing encrypted files; for instance, the My Pictures folder is renamed to Lock.My Pictures. For this reason, and because it uses the logo of Anonymous, MIRCOP ransomware is associated with .Locked ransomware, which was released a couple of months ago.
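As an added triage helper that is not part of the original article, the following Python script inventories the artefacts described above on a disk image or mounted drive: files and folders carrying the prepended ‘‘Lock.’’ marker, and the three executables in the %Temp% folder. The function names and the constructed sample tree are assumptions for illustration; on a real machine you would point it at the user profile and the real %Temp% path.

```python
import os
import tempfile
from pathlib import Path

# From the article: binaries dropped into %Temp% (c.exe steals data, x.exe/y.exe encrypt)
# and the 'Lock.' marker that MIRCOP prepends to file and folder names.
DROPPED_EXECUTABLES = ("c.exe", "x.exe", "y.exe")
LOCK_PREFIX = "Lock."

def original_name(name):
    """Return `name` with the prepended 'Lock.' stripped, or None if it is not marked."""
    if name.startswith(LOCK_PREFIX) and len(name) > len(LOCK_PREFIX):
        return name[len(LOCK_PREFIX):]
    return None

def find_mircop_artifacts(root, temp_dir):
    """Walk `root` for 'Lock.'-prefixed files/folders and check `temp_dir` for the
    dropped binaries. Paths in the result are relative to `root`, POSIX style."""
    root, temp_dir = Path(root), Path(temp_dir)
    encrypted_files, renamed_folders = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        base = Path(dirpath)
        renamed_folders += [(base / d).relative_to(root).as_posix()
                            for d in dirnames if original_name(d) is not None]
        encrypted_files += [(base / f).relative_to(root).as_posix()
                            for f in filenames if original_name(f) is not None]
    return {
        "encrypted_files": sorted(encrypted_files),
        "renamed_folders": sorted(renamed_folders),
        "dropped_executables": [n for n in DROPPED_EXECUTABLES if (temp_dir / n).is_file()],
    }

def build_constructed_sample(base):
    """Lay out a constructed (not real) infected tree under `base` for a dry run."""
    docs, temp = Path(base) / "docs", Path(base) / "Temp"
    (docs / "Lock.My Pictures").mkdir(parents=True)
    (docs / "Lock.My Pictures" / "Lock.photo.jpg").write_bytes(b"constructed")
    (docs / "Lock.file.doc").write_bytes(b"constructed")
    (docs / "clean.txt").write_bytes(b"untouched")
    temp.mkdir()
    for name in ("c.exe", "x.exe"):
        (temp / name).write_bytes(b"placeholder, not a real binary")
    return docs, temp

if __name__ == "__main__":
    docs, temp = build_constructed_sample(tempfile.mkdtemp())
    for key, items in find_mircop_artifacts(docs, temp).items():
        print(key, items)
```

The `original_name` mapping is also what you need after a decryption tool restores file contents, to rename ‘‘Lock.file.doc’’ back to ‘‘file.doc’’.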

The ransom demanded by the developers of MIRCOP ransomware is incredibly hefty: 48.48 BTC (Bitcoins), which equalled 31,521.50 USD at the time of writing this article. It is probably the highest payment ever required by ransomware hackers. However, no contact e-mail or payment instructions are provided in the note, just the bitcoin wallet address:

You’ve stollen 48,48 BTC from the wrong people, please be so kind to return them and we will return your files.
Don’t take us for fools, we know more about you than you know about yourself.
Pay us back and we won’t take further action, don’t pay and be prepared.
[Bitcoin wallet address]

Even if you have such money in your bank account, do not hasten to search for ways to make the transaction. The note gives the impression that the hackers themselves know they are asking for far too large a sum and that their only purpose is to threaten you. It seems that a drama queen speaks from behind that mask under the hood, ridiculously stating that you have stolen their money and that they know things about you that you have never even dreamt of. These cyber crooks are not very specific; they only imply that something frightening and fatal will happen if you do not pay them back.

How is MIRCOP Ransomware Spread?

MIRCOP trojan virus is distributed via spam e-mails. In more detail, the spam e-mail encloses a fake Thai customs declaration form regarding the import or export of goods. Namely, the attachment is a .doc file with an embedded macro. Once it is opened and macros are enabled, the ransomware starts running on the computer.

How to Decrypt Files Encrypted by MIRCOP Ransomware?

The decryption tool by Avast is available here. You can also use Shadow Volume Copies, if you have been running the Volume Shadow Copy Service. Make use of external storage services or devices, such as external hard drives or services like Google Drive, OneDrive, etc. If you have not used any of the previously mentioned tools, make sure to do so in the future. Data recovery software, for example PhotoRec, Recuva, R-Studio, etc., is also an option. But before applying any of the latter tools, run a full system scan with Spyhunter, Reimage or Malwarebytes to remove the ransomware and any of its leftovers. Manual deletion can also be performed, but it aims only at the elimination of the encrypting virus. The instructions for manual removal of the MIRCOP encoder are supplied below.

How to recover MIRCOP Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP
  • Start > Shutdown > Restart > OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot > Advanced Options > Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points that are available from before Crypt888 infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of MicroCop

After restoring your system, it is recommended to scan your computer with an anti-malware program, such as Reimage, and remove all malicious files related to MIRCOP Ransomware. You can check other tools here.

Step 3. Restore Crypt888 affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually MicroCop tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties > Previous Versions tab. Now you will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover MIRCOP Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

  • We suggest using another PC and connecting the infected hard drive as a secondary (slave) drive. It is still possible to do this on the infected PC, though.
  • Download Data Recovery Pro (commercial).
  • Install it and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.


About the author

 - Main Editor
I have started 2-viruses.com in 2007 after wanting to be more or less independent from single security program maker. Since then, we kept working on this site to make internet better and safer place to use.
June 29, 2016 01:58, January 4, 2017 03:19
