Related Families: Conti
Trend Micro recently reported on Mimic ransomware, a ransomware family that abuses Everything APIs.
- Mimic ransomware abuses Everything APIs.
- Everything is a legitimate tool developed by Voidtools.
- Mimic has multiple components, including the legitimate 7zip application, the legitimate Everything application, and a password-protected archive containing the malicious payload.
- Some of Mimic’s code appears to be based on the Conti builder leaked in early 2022.
What is Mimic?
Mimic ransomware is a ransomware family that abuses Everything APIs. Everything is a legitimate Windows filename search engine that allows quick searching and real-time updates using minimal resources. Everything was developed by Voidtools.
Mimic ransomware was active in the wild as early as June 2022 and is known to target English- and Russian-speaking users. It can delete shadow copies, terminate applications and services, and abuse the search functions exported by Everything32.dll to locate files. Mimic is contained in an executable that drops multiple binaries, including a password-protected archive disguised as Everything64.dll; this archive contains the ransomware payload. Encryption runs on multiple threads created with CreateThread, which speeds up the encryption and complicates analysis.
Mimic ransomware components include the following:
- 7za.exe - a legitimate 7-Zip binary, used to extract the payload
- Everything.exe and Everything32.dll - files belonging to the legitimate Everything application
- Everything64.dll - a password-protected archive containing the malicious payloads
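The component layout above gives defenders a simple on-disk check: a file named Everything64.dll that is really an archive, sitting beside 7za.exe and the legitimate Everything binaries. The following triage script is an added example, not PolySwarm's or Trend Micro's code. It assumes the archive is in 7z or ZIP format (7za.exe extracts both; the page only says it is password-protected), uses the standard PE, 7z and ZIP magic bytes, and builds a constructed sample directory so it runs offline with no real malware involved.

```python
"""Triage helper: look for the Mimic dropper artifact pattern on disk.

Added example, not code from the original page. Assumptions: the dropped
"Everything64.dll" is a 7z or ZIP archive rather than a PE file, and the
component file names are those listed above (matched case-insensitively).
"""
import os
import tempfile

PE_MAGIC = b"MZ"                          # DOS/PE header
SEVENZIP_MAGIC = b"\x37\x7a\xbc\xaf\x27\x1c"  # 7z signature
ZIP_MAGIC = b"PK\x03\x04"                 # ZIP local file header

# Component names from the list above.
COMPONENT_NAMES = {"7za.exe", "everything.exe", "everything32.dll", "everything64.dll"}


def classify_header(path):
    """Return 'pe', '7z', 'zip' or 'unknown' based on the file's leading bytes."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head.startswith(SEVENZIP_MAGIC):
        return "7z"
    if head.startswith(ZIP_MAGIC):
        return "zip"
    if head.startswith(PE_MAGIC):
        return "pe"
    return "unknown"


def scan_directory(directory):
    """Report which known component names are present and which .dll files
    are actually archives (a DLL should start with 'MZ', not an archive magic)."""
    present = set()
    archive_dlls = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        lower = name.lower()
        if lower in COMPONENT_NAMES:
            present.add(lower)
        if lower.endswith(".dll"):
            kind = classify_header(path)
            if kind in ("7z", "zip"):
                archive_dlls.append({"file": name, "format": kind})
    return {"present_components": sorted(present), "archive_dlls": archive_dlls}


def is_mimic_like(report):
    """The page's pattern: the 7-Zip extractor present alongside a 'DLL' that
    is really an archive. Legitimate Everything installs have neither."""
    return "7za.exe" in report["present_components"] and bool(report["archive_dlls"])


def build_sample_directory():
    """Constructed sample tree (fake headers only) for a stand-alone run."""
    d = tempfile.mkdtemp(prefix="mimic_triage_")
    fake_files = {
        "7za.exe": PE_MAGIC + b"\x00" * 30,
        "Everything.exe": PE_MAGIC + b"\x00" * 30,
        "Everything32.dll": PE_MAGIC + b"\x00" * 30,
        "Everything64.dll": SEVENZIP_MAGIC + b"\x00" * 30,  # archive with a .dll name
        "readme.txt": b"benign",
    }
    for name, data in fake_files.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


if __name__ == "__main__":
    sample = build_sample_directory()
    result = scan_directory(sample)
    print(result)
    print("mimic-like:", is_mimic_like(result))
```

Point the script at a suspect directory instead of the constructed one to use it in the field; a hit is a reason to pull the files for analysis, not proof on its own, since any archive renamed to .dll would trigger it.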
Mimic's capabilities include collecting system information, establishing persistence, bypassing UAC, disabling Windows Defender and telemetry, activating anti-shutdown and anti-kill measures, unmounting virtual drives, terminating services and processes, disabling sleep mode and system shutdown, removing indicators, and inhibiting System Recovery.
According to Trend Micro, parts of Mimic's code share similarities with the Conti ransomware builder leaked in March 2022.
PolySwarm has multiple samples associated with Mimic.
You can use the following CLI command to search for all Mimic samples in our portal:
$ polyswarm link list -f Mimic
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at email@example.com | Check out our blog | Subscribe to our reports