Trend Micro researchers discovered a new ransomware that abuses the APIs of a legitimate tool called Everything, a Windows filename search engine developed by Voidtools that offers quick searching and real-time updates with minimal resource usage. This ransomware, which we named Mimic based on a string we found in its binaries, was first observed in the wild in June 2022 and targets Russian- and English-speaking users. It is equipped with multiple capabilities, such as deleting shadow copies, terminating multiple applications and services, and abusing Everything32.dll functions to query the target files that are to be encrypted…
Mimic arrives as an executable that drops multiple binaries and a password-protected archive (disguised as Everything64.dll) which, when extracted, contains the ransomware payload. It also includes tools that are used for turning off Windows Defender, as well as legitimate sdel binaries…
Mimic ransomware possesses a plethora of capabilities, including the following:
Collecting system information
Creating persistence via the RUN key
Bypassing User Account Control (UAC)
Disabling Windows Defender
Disabling Windows telemetry
Activating anti-shutdown measures
Activating anti-kill measures
Unmounting virtual drives
Terminating processes and services
Disabling sleep mode and shutdown of the system
Removing indicators
Inhibiting System Recovery…
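Several of the capabilities listed above (deleting shadow copies, Run-key persistence, disabling Windows Defender) leave distinctive process-creation records before any file is encrypted. The following is an added example, not code from Trend Micro or from the report: a small Python detector that runs over constructed Sysmon-style process-creation events (the `pid`/`cmd` field names and the event contents are assumptions made for this example) and flags those three behaviours, then treats two or more of them on one host as a ransomware-like pattern worth escalating.

```python
import re

# Constructed sample events in a Sysmon-like shape (field names are assumed
# for this example; these are not real telemetry from the report).
SAMPLE_EVENTS = [
    {"pid": 4012, "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 4020, "cmd": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run "
                         r"/v svc /t REG_SZ /d C:\Users\Public\x.exe"},
    {"pid": 4033, "cmd": "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"pid": 4040, "cmd": "Everything.exe"},   # benign use of the legitimate search tool
    {"pid": 4051, "cmd": "cmd /c dir"},        # benign noise
]

# Each rule maps one of the behaviours named in the capability list to a
# command-line pattern. Patterns are deliberately narrow to keep false
# positives low; tune them to your own environment.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("run_key_persistence",  re.compile(r"reg(\.exe)?\s+add\s+\S*\\CurrentVersion\\Run\b", re.I)),
    ("defender_disabled",    re.compile(r"Set-MpPreference\s+-Disable\w+\s+\$true", re.I)),
]


def classify(event):
    """Return the list of behaviour names whose pattern matches this event's
    command line (deduplicated, in RULES order)."""
    hits = []
    for name, pattern in RULES:
        if pattern.search(event["cmd"]) and name not in hits:
            hits.append(name)
    return hits


def scan(events):
    """Return (pid, behaviours) for every event that matched at least one rule."""
    flagged = []
    for event in events:
        hits = classify(event)
        if hits:
            flagged.append((event["pid"], hits))
    return flagged


def assess(events, threshold=2):
    """Summarise the distinct behaviours seen on a host.

    A single hit (an admin clearing old shadow copies, say) is ambiguous, but
    two or more of these pre-encryption steps together is a strong signal, so
    the second return value says whether the threshold was reached.
    """
    seen = set()
    for event in events:
        seen.update(classify(event))
    return sorted(seen), len(seen) >= threshold


if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {', '.join(hits)}")
    behaviours, escalate = assess(SAMPLE_EVENTS)
    print("behaviours:", behaviours, "escalate:", escalate)
```

On the constructed events the detector flags pids 4012, 4020 and 4033 and leaves the legitimate Everything process alone; `assess` reports all three behaviours and recommends escalation. In production the same rules would be fed from your EDR or Sysmon event stream rather than the inline list.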
* Everything is my only search tool.