Mimic Ransomware Abuses Windows Search

A new strain of ransomware named Mimic was uncovered by security researchers at Trend Micro in June 2022. Mimic abuses the APIs of ‘Everything’, a file search tool for Windows, to locate the files it will encrypt.

Users who speak English or Russian appear to be the main targets of the malware. There are similarities between some of the code in Mimic and the code found in Conti, whose source was leaked to a Ukrainian researcher in March 2022.

Mimic is a sophisticated piece of malware with a range of abilities, including deleting shadow copies, shutting down various applications and services, and abusing the Everything32[.]dll functions to identify files for encryption.

Mimic Ransomware Components

The initial stage of a Mimic ransomware attack involves the victim receiving an executable, likely through email. On the target system, the executable extracts a total of four files, which include: 

  • The main payload
  • Ancillary files
  • Tools to disable Windows Defender

Mimic is a highly adaptable strain of ransomware: it can target specific files using command-line arguments, and it can encrypt data faster by using multiple processor threads.

Here below we have listed the components of Mimic:

  • 7za[.]exe: Legitimate 7zip file that is used to extract the payload
  • Everything[.]exe: Legitimate Everything application
  • Everything32[.]dll: Legitimate Everything application
  • Everything64[.]dll: Password-protected archive that contains the malicious payloads

Capabilities of Mimic

The new ransomware family has several capabilities that are commonly seen in modern ransomware strains.

Here below we have listed the capabilities of the Mimic ransomware:

  • Collecting system information
  • Creating persistence via the RUN key
  • Bypassing User Account Control (UAC)
  • Disabling Windows Defender
  • Disabling Windows telemetry
  • Activating anti-shutdown measures
  • Activating anti-kill measures
  • Unmounting Virtual Drives
  • Terminating processes and services
  • Disabling sleep mode and shutdown of the system
  • Removing indicators
  • Inhibiting System Recovery

Mimic shuts down processes and services to remove security barriers and to release locks on files that hold valuable data.

Mimic uses the search function of ‘Everything’ through the ‘Everything32[.]dll’ file dropped during the initial infection, scanning the infected system for specific file names and types.

Using ‘Everything’ lets Mimic identify files that are suitable for encryption while skipping the system files whose encryption could leave the machine unbootable.

Here below we have presented the Mimic ransomware config:

Files encrypted by Mimic are given the extension “.QUIETPLACE”.
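As an added defender-side example (not code from the article or from Trend Micro), this Python script walks a directory tree and flags the indicators the article describes: the four dropped components sitting together in one directory, a file named like a DLL that actually carries the 7z archive signature (the Everything64.dll trick), and files carrying the “.QUIETPLACE” extension. The sample tree it builds is constructed for the demonstration and contains no real malware.

```python
import os
import tempfile
from pathlib import Path

# Real file signatures: 7z archives begin with "7z\xbc\xaf\x27\x1c", PE images with "MZ".
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"
PE_MAGIC = b"MZ"
# The four files the article says the initial executable drops.
MIMIC_COMPONENTS = {"7za.exe", "Everything.exe", "Everything32.dll", "Everything64.dll"}
ENCRYPTED_EXT = ".QUIETPLACE"


def is_7z_archive(path: Path) -> bool:
    """True if the file starts with the 7z signature, whatever its extension claims."""
    with open(path, "rb") as fh:
        return fh.read(len(SEVENZ_MAGIC)) == SEVENZ_MAGIC


def scan_tree(root: Path) -> dict:
    """Walk root and collect the three Mimic indicators described in the article."""
    findings = {"component_dirs": [], "dll_disguised_archives": [], "encrypted_files": 0}
    for dirpath, _dirs, files in os.walk(root):
        if MIMIC_COMPONENTS <= set(files):  # all four dropped components side by side
            findings["component_dirs"].append(dirpath)
        for name in files:
            path = Path(dirpath) / name
            if name.lower().endswith(".dll") and is_7z_archive(path):
                findings["dll_disguised_archives"].append(name)
            if name.endswith(ENCRYPTED_EXT):
                findings["encrypted_files"] += 1
    return findings


def build_sample_tree() -> Path:
    """Constructed sample tree (not real malware): stub components plus 'encrypted' files."""
    root = Path(tempfile.mkdtemp(prefix="mimic_sample_"))
    drop = root / "drop"
    drop.mkdir()
    for pe_name in ("7za.exe", "Everything.exe", "Everything32.dll"):
        (drop / pe_name).write_bytes(PE_MAGIC + b"\x00" * 62)  # PE-looking stub
    (drop / "Everything64.dll").write_bytes(SEVENZ_MAGIC + b"\x00" * 26)  # archive in DLL clothing
    docs = root / "Documents"
    docs.mkdir()
    (docs / "report.docx.QUIETPLACE").write_bytes(b"\xde\xad")
    (docs / "photo.jpg.QUIETPLACE").write_bytes(b"\xbe\xef")
    (docs / "untouched.txt").write_text("still readable")
    return root


if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```

On a real host you would point scan_tree at user profile and temp directories; a DLL whose first bytes are a 7z signature is a strong signal on its own, even when the other components have already been deleted.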

The perpetrator leaves a message as a ransom note, demanding payment in Bitcoin in exchange for the safe return of the locked data, with instructions on how to proceed with the transaction.

Mimic is a new variant whose behaviour has yet to be fully evaluated; however, its use of the Conti builder and the Everything API shows that its creators have solid software development skills and a clear understanding of their objectives.


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.