Published January 30, 2023
Author: Ash Khan

Researchers at a cybersecurity website discovered Mimic, a new ransomware strain. This malware locates the files it intends to encrypt by using the APIs of Windows’ ‘Everything’ file search tool.

The malware was first observed in June 2022 by researchers at an online security website. It appears to target mostly English- and Russian-speaking users.

Some researchers report that parts of Mimic’s code are identical to the Conti ransomware, whose source code was leaked in March 2022 by a Ukrainian researcher.

Conti is a very destructive ransomware family because of the speed with which it encrypts data and spreads to other computers. It was first noticed in 2020, and a Russian cybercrime gang is suspected to be behind it.

Interestingly, in early May 2022 the US government announced a reward of up to $10 million for information on the Conti ransomware group.

Attacks by Mimic

A Mimic ransomware attack starts with the victim receiving an executable, most likely over email. When run, it extracts four files onto the target machine, including the primary payload, ancillary files, and tools to disable Windows Defender.


Mimic is a sophisticated ransomware strain: it can use command line options to restrict which files are targeted, and multiple processor threads to accelerate encryption. This new ransomware family has a range of modern capabilities, such as:

  • Collecting system information
  • Creating persistence through the Run registry key
  • Bypassing User Account Control (UAC)
  • Disabling Windows Defender
  • Disabling Windows telemetry
  • Activating anti-shutdown mechanisms
  • Activating anti-kill mechanisms
  • Mounting and unmounting virtual drives
  • Terminating processes and services
  • Disabling sleep mode and shutting down the system
  • Removing indicators
  • Preventing system recovery

It is also capable of killing processes and services that attempt to deactivate security mechanisms, and it can release locks on vital data such as database files so that they become available for encryption.

Abusing Everything

 

“Everything” is a popular filename search engine for Windows created by Voidtools. The tool is lightweight and fast, consumes few system resources, and supports real-time index updates.

Mimic ransomware searches the infected system for specific file names and extensions. It does this through Everything’s search capabilities, using the ‘Everything32.dll’ library that is dropped during the infection stage. Everything helps Mimic locate files that are suitable for encryption while avoiding system files that, if locked, would leave the system unbootable.

Files encrypted by Mimic carry the “.QUIETPLACE” extension. A ransom note is also dropped, informing the user of the attacker’s demands and instructing victims on how they can restore their data after paying the ransom in Bitcoin.
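As an added defender’s example (not code from the article), the following Python script correlates three of the traits described above, the Everything32.dll dropped next to the payload, the “.QUIETPLACE” extension, and Run-key persistence, across constructed Sysmon-style events. The legitimate Everything install directories and all sample paths and process names are assumptions.

```python
import ntpath
from collections import defaultdict

# Assumed legitimate install locations for Voidtools' Everything (assumption, not from the article).
LEGIT_EVERYTHING_DIRS = (r"c:\program files\everything", r"c:\program files (x86)\everything")
RUN_KEY = r"\software\microsoft\windows\currentversion\run" + "\\"
HIGH_CONFIDENCE = {"quietplace_extension"}

# Constructed Sysmon-style events for illustration; paths and process names are made up.
SAMPLE_EVENTS = [
    {"type": "image_load", "process": r"C:\Program Files\Everything\Everything.exe",
     "image": r"C:\Program Files\Everything\Everything32.dll"},
    {"type": "image_load", "process": r"C:\Users\alice\AppData\Local\Temp\drop\payload.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\drop\Everything32.dll"},
    {"type": "file_rename", "process": r"C:\Users\alice\AppData\Local\Temp\drop\payload.exe",
     "target": r"C:\Users\alice\Documents\budget.xlsx.QUIETPLACE"},
    {"type": "registry_set", "process": r"C:\Users\alice\AppData\Local\Temp\drop\payload.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "file_rename", "process": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Documents\report.docx"},
]

def indicator(event):
    """Name the Mimic-related indicator an event matches, or return None."""
    t = event["type"]
    if t == "image_load":
        image = event["image"].lower()
        # Everything32.dll is expected only under the real Everything install directory.
        if ntpath.basename(image) == "everything32.dll" and not image.startswith(LEGIT_EVERYTHING_DIRS):
            return "everything32_dll_outside_install_dir"
    elif t in ("file_create", "file_rename"):
        if event["target"].lower().endswith(".quietplace"):
            return "quietplace_extension"
    elif t == "registry_set" and RUN_KEY in event["key"].lower():
        return "run_key_persistence"  # weak alone; legitimate installers write Run keys too
    return None

def correlate(events, threshold=2):
    """Group indicators per process; flag a process on any high-confidence hit
    or on at least `threshold` distinct weaker indicators."""
    hits = defaultdict(set)
    for ev in events:
        name = indicator(ev)
        if name:
            hits[ev["process"]].add(name)
    return {proc: sorted(names) for proc, names in hits.items()
            if names & HIGH_CONFIDENCE or len(names) >= threshold}

if __name__ == "__main__":
    for proc, names in correlate(SAMPLE_EVENTS).items():
        print(proc, "->", ", ".join(names))
```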

Mimic is a novel strain with little observed activity so far. However, its authors’ use of the Conti builder and of the Everything API shows that they are capable developers with a good understanding of how to achieve their objectives.