Understanding Mimic Ransomware: Features, Threats, and Noteworthy Exploits

Learn about Mimic ransomware, its use of encryption and data theft, origin, exploitation of legitimate tools, and the emerging Elpaco variant.

Mimic is a ransomware family first discovered in 2022. Like other ransomware, it encrypts files on a victim’s system and demands a cryptocurrency payment for the decryption key. What makes Mimic particularly concerning is its dual approach: it not only encrypts data but also exfiltrates it beforehand. This stolen data can be used as leverage, with attackers threatening to release or sell it if the ransom is not paid. 
 
Mimic is believed to reuse code from Conti, a well-known ransomware whose source code was leaked after the group publicly supported Russia’s invasion of Ukraine. While the exact origins of Mimic remain unclear, its operations appear to primarily target English- and Russian-speaking users.   
 

Exploitation of Legitimate Tools  

 
One of Mimic’s distinctive features is its exploitation of the API from Everything, a legitimate Windows file search tool developed by Voidtools. By leveraging this tool, the ransomware can quickly locate and encrypt files, increasing the efficiency of its attacks.   
 
Importantly, Mimic does not rely on victims having Everything pre-installed. Instead, it typically packages the tool along with additional malicious programs designed to:   
 
  • Disable Windows Defender to reduce system defenses. 
  • Misuse Sysinternals’ Secure Delete tool to erase backups, making file recovery more difficult. 

Indicators of Infection  

 
Victims of Mimic can identify an infection by the “.QUIETPLACE” extension added to encrypted files. Additionally, the ransomware leaves a ransom note demanding $3,000 in cryptocurrency to provide the decryption key.   
 
In many cases, victims feel compelled to pay the ransom, particularly when backups have been deleted or compromised.   
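As an added example that is not code from the post, the following Python triage function applies the indicators described in the two sections above to endpoint events: files carrying the ".QUIETPLACE" extension (a burst of them in one directory being the strongest sign) and executions of the legitimate tools the post says Mimic bundles. The executable names for Secure Delete and Everything, and the sample events, are assumptions constructed for the example.

```python
"""Indicator-based triage for the Mimic ransomware signs described above."""
import ntpath  # handles Windows paths regardless of the host OS
from collections import Counter

# Extension Mimic appends to encrypted files (from the post).
MIMIC_EXTENSION = ".quietplace"
# Binaries of the legitimate tools the post says Mimic bundles.
# These executable names are assumptions, not taken from the post.
BUNDLED_TOOL_IMAGES = {"sdelete.exe", "sdelete64.exe", "everything.exe"}


def scan_events(events, burst_threshold=3):
    """Return findings from a list of endpoint events.

    Each event is a dict with 'kind' == 'file' (key 'path') or
    'kind' == 'process' (key 'image'). Detection is purely indicator
    based: encrypted files with the Mimic extension, and executions of
    the tools Mimic abuses.
    """
    encrypted_by_dir = Counter()
    tool_runs = []
    for ev in events:
        if ev["kind"] == "file":
            path = ev["path"]
            if path.lower().endswith(MIMIC_EXTENSION):
                encrypted_by_dir[ntpath.dirname(path)] += 1
        elif ev["kind"] == "process":
            if ntpath.basename(ev["image"]).lower() in BUNDLED_TOOL_IMAGES:
                tool_runs.append(ev["image"])
    # Several renamed files in one directory indicate active encryption.
    bursts = {d: n for d, n in encrypted_by_dir.items() if n >= burst_threshold}
    return {
        "encrypted_files": sum(encrypted_by_dir.values()),
        "burst_dirs": bursts,
        "tool_runs": tool_runs,
        "alert": bool(bursts) or bool(tool_runs),
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\Windows\System32\notepad.exe"},
    {"kind": "file", "path": r"C:\Users\alice\Documents\budget.xlsx.QUIETPLACE"},
    {"kind": "file", "path": r"C:\Users\alice\Documents\notes.docx.QUIETPLACE"},
    {"kind": "file", "path": r"C:\Users\alice\Documents\photo.jpg.QUIETPLACE"},
    {"kind": "file", "path": r"C:\Users\alice\Desktop\todo.txt"},
    {"kind": "process", "image": r"C:\Temp\sdelete64.exe"},
]

if __name__ == "__main__":
    print(scan_events(SAMPLE_EVENTS))
```

In practice the events would come from file-system auditing or EDR process telemetry; the function is deliberately indicator-only and does not detect the Defender tampering or Zerologon stage the post also mentions.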
 

The Emergence of Elpaco   

 
A new variant of Mimic, known as Elpaco, has recently been detected. This variant is associated with attacks that involve brute-forcing Remote Desktop Protocol (RDP) credentials. Once access is gained, attackers exploit the *Zerologon* vulnerability (CVE-2020-1472) to escalate privileges and deploy the ransomware.   
 
Reports of Elpaco infections have surfaced in countries such as Russia and South Korea, underscoring the expanding reach and evolving capabilities of this ransomware family.   
 

The Importance of Vigilance 

 
Although tools like Everything and Secure Delete are not inherently harmful, Mimic’s misuse of these legitimate programs highlights the need for continuous vigilance. Cybercriminals are increasingly finding ways to exploit trusted software for malicious purposes. 
 
As Mimic and its variants continue to evolve, implementing robust cybersecurity measures—including regular system updates, strong authentication protocols, and comprehensive backup strategies—remains essential to mitigating the risk of ransomware attacks.