The new Mimic ransomware could exploit the Windows search tool

February 4, 2023

Researchers have uncovered a new malicious entity called the Mimic ransomware that could leverage the APIs of the ‘Everything’ file search tool for Windows to scour targeted files for encryption.

The newly discovered malware has seemingly targeted English and Russian-speaking individuals.

Emails are the primary vector through which the Mimic ransomware starts its attack.

According to investigations, a Mimic attack can begin with the target receiving an executable by email. The executable delivers four files to the infected system: the primary payload, ancillary files, and kits for deactivating Windows Defender.

Mimic is a resourceful ransomware that accepts command-line arguments to specify which files to target. It can also use multiple processor threads to speed up its data encryption.

This new ransomware strain also sports multiple modern-day capabilities that could be seen in other families, such as collecting information, establishing persistence, bypassing UAC, disabling Windows Defender and telemetry, activating anti-shutdown and anti-kill measures, unmounting virtual drives, removing indicators, inhibiting system recovery, terminating processes and services, and more.

Terminating processes and services serves to disable protection measures and to release locked data, such as database files, so that it becomes available for encryption.

The ransomware is also notorious for exploiting ‘Everything’, a well-known filename search engine for Windows. This Windows utility is lightweight and fast, uses few system resources, and supports real-time updates.

Mimic utilises Everything’s search feature through a DLL named Everything32[.]dll. The actors drop this malicious DLL during the infection phase of the attack to query file names and extensions on the infected system.

The Windows search tool helps the ransomware locate files available for encryption while avoiding system files whose encryption would make the targeted system unbootable.

Encrypted files then receive the [.]QUIETPLACE extension. The actors also drop a ransom note informing the victim of what the Mimic operators demand and how the data can be recovered by paying the ransom in Bitcoin.
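The two host-level behaviours described above (the dropped Everything32.dll being loaded by an unrelated process, and files being written with the [.]QUIETPLACE extension) can be turned into a simple detection. The following is an added example, not code from the article or from any vendor report; the event shape, the process names and the legitimate Everything install directories are assumptions, and the log lines are constructed.

```python
from pathlib import PureWindowsPath

# Assumed: the genuine Everything install only ever loads its DLL from these directories.
LEGIT_EVERYTHING_DIRS = ("c:\\program files\\everything\\",
                         "c:\\program files (x86)\\everything\\")
ENCRYPTED_EXT = ".quietplace"  # extension the article says Mimic appends

# Constructed Sysmon-style events (image loads and file writes), not real telemetry.
SAMPLE_EVENTS = [
    {"type": "image_load", "image": r"C:\Program Files\Everything\Everything.exe",
     "image_loaded": r"C:\Program Files\Everything\Everything32.dll"},
    {"type": "image_load", "image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "image_loaded": r"C:\Users\alice\AppData\Local\Temp\Everything32.dll"},
    {"type": "file_rename", "target": r"C:\Users\alice\Documents\budget.xlsx.QUIETPLACE"},
    {"type": "file_create", "target": r"C:\Users\alice\Documents\notes.txt"},
]


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive comparison."""
    return str(PureWindowsPath(path)).lower()


def detect_mimic_indicators(events):
    """Return (severity, reason) tuples for events matching Mimic's described behaviour."""
    findings = []
    encrypted_writes = 0
    for ev in events:
        if ev["type"] == "image_load":
            dll = _norm(ev["image_loaded"])
            loader = _norm(ev["image"])
            # The Everything DLL loaded from anywhere but the install directory is the
            # dropped-DLL pattern; a legitimate Everything.exe never needs a Temp copy.
            if PureWindowsPath(dll).name == "everything32.dll" and not dll.startswith(LEGIT_EVERYTHING_DIRS):
                findings.append(("high", f"Everything32.dll loaded from non-install path {dll} by {loader}"))
        elif ev["type"] in ("file_create", "file_rename"):
            if _norm(ev["target"]).endswith(ENCRYPTED_EXT):
                encrypted_writes += 1
    if encrypted_writes:
        findings.append(("critical", f"{encrypted_writes} file(s) written with {ENCRYPTED_EXT} extension"))
    return findings


if __name__ == "__main__":
    for severity, reason in detect_mimic_indicators(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}")
```

A single [.]QUIETPLACE write is already decisive, so the count is reported as one finding rather than one alert per file.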

The Mimic ransomware authors are clearly a group of sophisticated developers, given that they used the Conti builder and exploited the Everything API. Researchers should therefore watch this new malware closely, as it could pose a massive threat soon.
