Mimic Ransomware

Chris Swagler | February 3rd, 2023


The new Mimic ransomware searches for files targeted for encryption using the APIs of Windows’ “Everything” file search tool. The “Everything” tool was developed to offer quick searching and real-time updates with minimal resource usage. The malware appears to mostly target English and Russian-speaking users. The ransomware is equipped with numerous capabilities, including the ability to delete shadow copies, terminate multiple applications and services, and query target files to be encrypted using the Everything32.dll functions. Some of Mimic’s code is identical to the Conti ransomware, the source of which was revealed by a Ukrainian researcher in March 2022.

Details of Mimic Ransomware

Mimic ransomware attacks start with victims getting an executable, most likely through email, that extracts four files on target systems, including the primary payload, ancillary files, and tools to disable Windows Defender. Mimic is a sophisticated ransomware variant that can leverage command line arguments to narrow file targeting and can use multiple processor threads to accelerate data encryption. The new ransomware family includes various modern-day capabilities:

  • Obtaining System Information
  • Using the RUN key to create persistence
  • Bypassing User Account Control (UAC)
  • Disabling Windows Defender
  • Disabling Windows Telemetry
  • Activating anti-kill measures
  • Unmounting Virtual Drives
  • Process and service termination
  • Disabling the sleep mode and shutting down systems
  • Removing Indicators
  • Preventing System Recovery

Terminating processes and services is intended to disable security measures and release locks on critical data, including database files, so that those files can be encrypted.

The “Everything” filename search engine for Windows, created by Voidtools, is lightweight and fast, uses few system resources, and supports real-time updates. Mimic ransomware queries the compromised system for certain file names and extensions using Everything’s search capabilities, in the form of the Everything32.dll dumped during the infection stage. Everything assists Mimic in locating files that are suitable for encryption while avoiding files that, if locked, could leave the system unbootable. Mimic-encrypted files have the “.QUIETPLACE” extension. Additionally, a ransom note is left, alerting users to the threat operator’s demands and how their data can be restored after paying a Bitcoin ransom. Mimic ransomware is a new strain with untested activities; however, its authors’ use of the Conti builder and the Everything API demonstrates that they are capable software developers with a clear understanding of how to achieve their goals.
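As an added defender-side example (not code from the SpearTip post or from Mimic itself), the script below checks host telemetry for two indicators the post describes: Everything32.dll being loaded by a process other than the Everything tool, and a burst of files renamed to the “.QUIETPLACE” extension. The event format, the process names and the sample events are constructed for this example, and the assumption that only Everything.exe legitimately loads the DLL would need tuning for an environment where Everything is used by other software.

```python
# Added example (not code from the SpearTip post or from Mimic): a small
# detector for two host-level indicators the post describes. Event format
# ('ISO timestamp|type|process|path') and the events below are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_EXT = ".quietplace"        # extension Mimic appends to encrypted files
SEARCH_DLL = "everything32.dll"   # Everything API DLL dropped by the malware
LEGIT_LOADER = "everything.exe"   # assumption: only the real tool should load it

def parse_event(line):
    """Split one constructed event line into its four fields."""
    ts, kind, proc, path = line.strip().split("|", 3)
    return datetime.fromisoformat(ts), kind, proc.lower(), path

def detect(lines, window=timedelta(seconds=60), threshold=5):
    """Return (process, reason) findings for the two indicators."""
    findings = []
    renames = defaultdict(list)   # process -> times it produced a .QUIETPLACE file
    for ts, kind, proc, path in map(parse_event, lines):
        low = path.lower()
        if kind == "rename" and low.endswith(RANSOM_EXT):
            renames[proc].append(ts)
        elif kind == "image_load" and low.endswith(SEARCH_DLL) and proc != LEGIT_LOADER:
            findings.append((proc, f"non-Everything process loaded {path}"))
    # Sliding window: flag a process once it renames >= threshold files in `window`
    for proc, times in renames.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append((proc, f"{end - start + 1} {RANSOM_EXT} renames in {window.seconds}s"))
                break
    return findings

# Constructed sample: a legitimate Everything load, a suspicious load by a
# dropped binary, one benign-looking rename, then a burst of encryptions.
SAMPLE_EVENTS = [
    "2023-02-03T10:00:00|image_load|Everything.exe|C:\\Program Files\\Everything\\Everything32.dll",
    "2023-02-03T10:05:00|image_load|updater.exe|C:\\Users\\Public\\Everything32.dll",
    "2023-02-03T10:05:01|rename|explorer.exe|C:\\Users\\bob\\notes.txt.bak",
] + [f"2023-02-03T10:05:{2+i:02d}|rename|updater.exe|C:\\Users\\bob\\doc{i}.docx.QUIETPLACE"
     for i in range(6)]

if __name__ == "__main__":
    for proc, reason in detect(SAMPLE_EVENTS):
        print(f"{proc}: {reason}")
```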

With new ransomware groups emerging and utilizing new tactics and techniques to encrypt files on data networks, it’s important for companies to stay ahead of the latest threat landscape and regularly update their network security infrastructure. At SpearTip, our certified engineers work 24/7/365 in our Security Operations Center monitoring companies’ data networks for potential ransomware threats, including Mimic ransomware, and are ready to respond to incidents at a moment’s notice. Our remediation team works tirelessly to restore companies’ operations, reclaim their networks by isolating malware, and recover business-critical assets. With our pre-breach advisory services, SpearTip examines companies’ security postures to improve weak points in their networks. We engage with companies’ people, processes, and technology to measure the maturity of the technical environment. Our experts provide a technical roadmap for every vulnerability we uncover and ensure that companies have the awareness and support to optimize their overall cybersecurity posture.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
