New Mimic ransomware abuses ‘Everything’ Windows search tool

Security researchers discovered a new ransomware strain they named Mimic that leverages the APIs of the 'Everything' file search tool for Windows to look for files targeted for encryption.

Discovered in June 2022 by researchers at cybersecurity company Trend Micro, the malware appears to target mainly English and Russian-speaking users.

Some of the code in Mimic shares similarities with Conti ransomware, the source of which was leaked in March 2022 by a Ukrainian researcher.

Mimic attacks

Mimic ransomware attacks begin with the victim receiving an executable, presumably via email, which extracts four files on the target system, including the main payload, ancillary files, and tools to disable Windows Defender.

Mimic is a versatile ransomware strain that supports command line arguments to narrow file targeting, while it can also make use of multiple processor threads to speed up the data encryption process.

Files dropped by Mimic on the breached system
Files dropped by Mimic on the breached system (Trend Micro)

The new ransomware family features several capabilities seen in modern strains, such as:

  • Collecting system information
  • Creating persistence via the RUN key
  • Bypassing User Account Control (UAC)
  • Disabling Windows Defender
  • Disabling Windows telemetry
  • Activating anti-shutdown measures
  • Activating anti-kill measures
  • Unmounting Virtual Drives
  • Terminating processes and services
  • Disabling sleep mode and shutdown of the system
  • Removing indicators
  • Inhibiting System Recovery

Killing processes and services aim to disable protection measures and free up important data like database files, making them available for encryption.

Mimic configuration options
Mimic configuration options (Trend Micro)

Abusing Everything

"Everything" is the name of a popular filename search engine for Windows developed by Voidtools. The utility is light and quick, uses minimal system resources, and has support for real-time updates.

Mimic ransomware uses Everything’s search capabilities in the form of the ‘Everything32.dll’ dropped during the infection stage to query for specific file names and extensions oin the compromised system.

Everything helps Mimic locate files that are valid for encryption while avoiding system files that would render the system unbootable if locked.

Fucntion that utilizes the Everything API
Function that utilizes the Everything API (Trend Micro)

Files encrypted by Mimic get the “.QUIETPLACE” extension. A ransom note is also dropped, informing of the attacker's demands and how the data can be recovered after by paying a ransom in Bitcoin.

Mimic ransomware note
Mimic ransom note (Trend Micro)

Mimic is a new strain with unproven activity as of yet, but using of the Conti builder and the Everything API proves its authors are competent software developers who have a clear understanding of how they can achieve their goals.

Related Articles:

Winnti's new UNAPIMON tool hides malware from security software

The Week in Ransomware - April 19th 2024 - Attacks Ramp Up

HelloKitty ransomware rebrands, releases CD Projekt and Cisco data

United Nations agency investigates ransomware attack, data theft

FBI: Akira ransomware raked in $42 million from 250+ victims