The PolySwarm Blog


Mimic Ransomware

Feb 7, 2023 12:25:08 PM / by The Hivemind

Related Families: Conti

Executive Summary

Trend Micro recently reported on Mimic ransomware, a ransomware family that abuses Everything APIs.

Key Takeaways

  • Mimic ransomware abuses Everything APIs.
  • Everything is a legitimate tool developed by Voidtools.
  • Mimic has multiple components, including the legitimate 7zip application, the legitimate Everything application, and a password-protected archive containing the malicious payload.
  • Some of Mimic’s code appears to be based on the Conti builder leaked in early 2022.

What is Mimic?

Mimic ransomware is a ransomware family that abuses Everything APIs. Everything is a legitimate Windows filename search engine that allows quick searching and real-time updates using minimal resources. Everything was developed by Voidtools.

Mimic ransomware was active in the wild as early as June 2022 and is known to target English- and Russian-speaking users. It can delete shadow copies, terminate applications and services, and abuse Everything32.dll functions. Mimic is delivered as an executable that drops multiple binaries, including a password-protected archive disguised as Everything64.dll; this archive contains the ransomware payload. Mimic encrypts with multiple threads created via the CreateThread function, which speeds up encryption and makes analysis more difficult.

Mimic ransomware components include the following:

  • 7za.exe - a legitimate 7zip executable, used to extract the payload
  • Everything.exe and Everything32.dll - files belonging to the legitimate Everything application
  • Everything64.dll - a password-protected archive containing the malicious payloads
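As an added illustration from the defender's side (not code from this bulletin or from Trend Micro), the check below flags the drop pattern described above: a file named like a DLL whose first bytes are a 7-Zip archive signature rather than a PE header, staged next to 7za.exe and the Everything binaries. The sample directory it builds is constructed for the demonstration; the co-location rule and the component name list are assumptions of this example, while the magic-byte values are the standard PE and 7z signatures.

```python
"""Flag a Mimic-style staging directory: a DLL-named file that is really a
7-Zip archive, dropped next to a legitimate 7za.exe and Everything.exe."""
import os
import tempfile

# Standard file signatures: PE images start with "MZ", 7-Zip archives with this 6-byte magic.
# A password-protected 7z archive still carries this plaintext signature header.
PE_MAGIC = b"MZ"
SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"

# Component names as listed in the bulletin (lower-cased for comparison).
# Treating their co-location as a signal is an assumption of this example.
MIMIC_COMPONENTS = {"7za.exe", "everything.exe", "everything32.dll", "everything64.dll"}


def classify_header(path: str) -> str:
    """Return 'pe', '7z' or 'other' based on the first bytes of the file."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head.startswith(PE_MAGIC):
        return "pe"
    if head.startswith(SEVENZIP_MAGIC):
        return "7z"
    return "other"


def scan_directory(directory: str) -> dict:
    """Report DLL-named files that are actually 7z archives, and whether the
    full component set from the bulletin is staged together in one directory."""
    present = set()
    disguised = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        present.add(name.lower())
        if name.lower().endswith(".dll") and classify_header(path) == "7z":
            disguised.append(name)
    return {"disguised_archives": sorted(disguised),
            "full_component_set": MIMIC_COMPONENTS <= present}


def build_sample_drop() -> str:
    """Construct a harmless sample directory shaped like the described drop."""
    d = tempfile.mkdtemp()
    for name in ("7za.exe", "Everything.exe", "Everything32.dll"):
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(PE_MAGIC + b"\x00" * 62)  # placeholder PE-looking header only
    with open(os.path.join(d, "Everything64.dll"), "wb") as fh:
        fh.write(SEVENZIP_MAGIC + b"\x00" * 26)  # archive disguised as a DLL
    return d


if __name__ == "__main__":
    print(scan_directory(build_sample_drop()))
```

On a real host the same header check can be applied to any DLL-named file in a user-writable directory; a non-PE header under a .dll name is worth a closer look regardless of the filename.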

Mimic includes a variety of capabilities, such as collecting system information, establishing persistence, bypassing UAC, disabling Windows Defender and telemetry, activating anti-shutdown and anti-kill measures, unmounting virtual drives, terminating services and processes, disabling sleep mode and system shutdown, removing indicators, and inhibiting System Recovery.

According to Trend Micro, some of Mimic’s code shares similarities with the Conti ransomware builder leaked in March 2022.

PolySwarm has multiple samples associated with Mimic.
You can use the following CLI command to search for all Mimic samples in our portal:

$ polyswarm link list -f Mimic

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.


Topics: Threat Bulletin, Ransomware, Mimic, Everything.exe, Conti
