New Mimic Ransomware Abuses Everything APIs for its Encryption Process

guest · Jan 27, 2023

New ransomware strain exploits Windows search tool Everything
By Justin Luna @_justinluna - January 27, 2023

Security researchers at Trend Micro have discovered a new ransomware strain that abuses the application programming interfaces of a third-party Windows search engine tool called Everything.
Click to expand...

The ransomware attack starts when a victim receives an executable file likely via email. When launched, the file then extracts four more files on the target system (shown above), including the primary payload, supplementary files, and tools to disable Windows Defender.

After the files are extracted, Mimic exploits Everything’s search capabilities by using the 'Everything32.dll’ file to look for specific file names and extensions on the compromised system. This enables the ransomware to identify encryptable files and avoid those that can render the system unusable if locked.
Click to expand...

Finally, Mimic will append the .QUIETPLACE extension to the encrypted files and display a ransom note. The ransom demand, which must be paid in Bitcoin, is calculated based on the number of encrypted files.
Click to expand...

Trend Micro: New Mimic Ransomware Abuses Everything APIs for its Encryption Process

By Nathaniel Morales, Earle Maui Earnshaw, Don Ovid Ladores, Nick Dai, Nathaniel Gregory Ragasa - January 26, 2023
Trend Micro researchers discovered a new ransomware that abuses the APIs of a legitimate tool called Everything, a Windows filename search engine developed by Voidtools that offers quick searching and real-time updates for minimal resource usage.
Click to expand...

Rasheed187 · Jan 28, 2023

I've read the article but they didn't explain how this Mimic ransomware is capable of disabling Win Defender. Would have been interesting to know. And I suppose if the user has downloaded this tool via attachment, they would most likely click on yes anyway, so UAC bypass wouldn't even be necessary.

The ransomware, which Trend Micro named Mimic, targets Russian and English-speaking users. It has the following capabilities:

Collecting system information

Bypassing User Account Control (UAC)

Disabling Windows Defender

Click to expand...

Log in or Sign up

New Mimic Ransomware Abuses Everything APIs for its Encryption Process

guest Guest

Rasheed187 Registered Member

Log in or Sign up

New Mimic Ransomware Abuses Everything APIs for its Encryption Process

guest Guest

Rasheed187 Registered Member

Useful Searches