A new ransomware family dubbed Mimic has surfaced in the threat landscape. The ransomware abuses the APIs of the legitimate Everything file-search tool for its encryption process.
About the Mimic ransomware
As per Trend Micro researchers, the Mimic ransomware was first observed in the wild in June 2022 and targets Russian and English-speaking users.
Some of the code in Mimic is borrowed from Conti ransomware, the source code of which was leaked in March 2022.
Furthermore, the malware makes use of multiple processor threads and Everything’s APIs to speed up the data encryption process.
Various capabilities of the ransomware include collecting system information, bypassing User Account Control (UAC), disabling Windows Defender and Windows telemetry, and inhibiting System Recovery, among others.
Modus Operandi
Mimic ransomware attacks begin with the victim receiving an executable, presumably via email, which extracts four files on the target system.
The files include the main payload, ancillary files, and tools to disable Windows Defender.
During the infection stage, the ransomware uses Everything’s search capabilities in the form of Everything32.dll to query for specific file names and extensions on the compromised system.
Everything helps Mimic locate files that are valid for encryption while avoiding system files that would render the system unbootable if locked.
The files encrypted by Mimic are appended with the .QUIETPLACE extension.
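The two behaviours described above (a non-Everything process loading Everything32.dll, and a burst of files written with the .QUIETPLACE extension) are the kind of signals a defender can look for in endpoint telemetry. The following is an added detection example, not code from the original post or from the researchers; the event format, the expected Everything install directory and the burst threshold are assumptions, and the events are constructed for illustration.

```python
"""Toy detection pass over simplified endpoint events for the Mimic behaviours above.

Events are constructed dicts, not real telemetry. Two signals are checked:
  1. a process loads Everything32.dll from outside the assumed Everything install path
  2. a single process writes BURST_THRESHOLD or more files ending in .QUIETPLACE
"""
from collections import defaultdict
from typing import Dict, List

# Assumption: where a legitimate Everything install keeps its DLL (real installs may differ).
EXPECTED_EVERYTHING_DIRS = ("c:\\program files\\everything\\",)
RANSOM_EXT = ".quietplace"      # extension appended by Mimic (from the write-up)
BURST_THRESHOLD = 3             # tunable: files per process before alerting


def detect(events: List[Dict[str, str]]) -> List[str]:
    """Return human-readable alerts for the suspicious patterns found in `events`."""
    alerts: List[str] = []
    ext_counts: Dict[str, int] = defaultdict(int)
    for ev in events:
        proc = ev["process"].lower()
        if ev["type"] == "image_load":
            image = ev["image"].lower()
            if image.endswith("everything32.dll") and not image.startswith(EXPECTED_EVERYTHING_DIRS):
                alerts.append(f"{proc} loaded Everything32.dll from unexpected path {ev['image']}")
        elif ev["type"] == "file_create":
            if ev["path"].lower().endswith(RANSOM_EXT):
                ext_counts[proc] += 1
                if ext_counts[proc] == BURST_THRESHOLD:   # alert once per process
                    alerts.append(f"{proc} wrote {BURST_THRESHOLD} .QUIETPLACE files")
    return alerts


# Constructed sample: one benign Everything load, one suspicious load, then a rename burst.
SAMPLE_EVENTS = [
    {"type": "image_load", "process": "C:\\Program Files\\Everything\\Everything.exe",
     "image": "C:\\Program Files\\Everything\\Everything32.dll"},
    {"type": "image_load", "process": "C:\\Users\\victim\\AppData\\Local\\Temp\\updater.exe",
     "image": "C:\\Users\\victim\\AppData\\Local\\Temp\\Everything32.dll"},
    {"type": "file_create", "process": "C:\\Windows\\explorer.exe",
     "path": "C:\\Users\\victim\\Documents\\notes.docx"},
    {"type": "file_create", "process": "C:\\Users\\victim\\AppData\\Local\\Temp\\updater.exe",
     "path": "C:\\Users\\victim\\Documents\\report.docx.QUIETPLACE"},
    {"type": "file_create", "process": "C:\\Users\\victim\\AppData\\Local\\Temp\\updater.exe",
     "path": "C:\\Users\\victim\\Documents\\budget.xlsx.QUIETPLACE"},
    {"type": "file_create", "process": "C:\\Users\\victim\\AppData\\Local\\Temp\\updater.exe",
     "path": "C:\\Users\\victim\\Pictures\\photo.jpg.QUIETPLACE"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the sample yields two alerts: the DLL load from the Temp directory and the .QUIETPLACE burst by the same process.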
Conclusion
Mimic is a new strain of ransomware that comes with bundled capabilities. Researchers believe that attacks by this cybercriminal group could become more damaging in the future, as attackers are capitalizing on a leaked builder for Conti ransomware.