Understanding Mimic Ransomware: Features, Threats, and Noteworthy Exploits

 


Mimic is a ransomware family first discovered in 2022. Like other ransomware, it encrypts files on a victim’s system and demands a cryptocurrency payment for the decryption key. What makes Mimic particularly concerning is its dual approach: it not only encrypts data but also exfiltrates it beforehand. This stolen data can be used as leverage, with attackers threatening to release or sell it if the ransom is not paid. 
 
Mimic is believed to reuse code from Conti, a well-known ransomware whose source code was leaked after the group publicly supported Russia’s invasion of Ukraine. While the exact origins of Mimic remain unclear, its operations appear to primarily target English- and Russian-speaking users.   
 

Exploitation of Legitimate Tools  

 
One of Mimic’s distinctive features is its exploitation of the API from Everything, a legitimate Windows file search tool developed by Voidtools. By leveraging this tool, the ransomware can quickly locate and encrypt files, increasing the efficiency of its attacks.   
 
Importantly, Mimic does not rely on victims having Everything pre-installed. Instead, it typically packages the tool along with additional malicious programs designed to:   
 
  • Disable Windows Defender to reduce system defenses. 
  • Misuse Sysinternals’ Secure Delete tool to erase backups, making file recovery more difficult. 

Indicators of Infection  

 
Victims of Mimic can identify an infection by the “.QUIETPLACE” extension added to encrypted files. Additionally, the ransomware leaves a ransom note demanding $3,000 in cryptocurrency to provide the decryption key.   
 
In many cases, victims feel compelled to pay the ransom, particularly when backups have been deleted or compromised.   
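The behaviours described above (the .QUIETPLACE extension, a bundled copy of Everything, Defender tampering and Secure Delete) can be correlated per host rather than alerted on one by one. The following is an added example, not code from the original post or from the researchers it cites; the event fields, the `EXPECTED_DIRS` allowlist, the Defender pattern and the sample events are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumptions: approved Everything install dir; generic Defender-off pattern (the post names no command).
EXPECTED_DIRS = {r"c:\program files\everything"}
DEFENDER_OFF = re.compile(r"set-mppreference\b.*-disable\w+\s+(\$?true|1)\b")

def classify(event):
    """Return the behaviour label an event matches, or None."""
    kind = event["type"]
    if kind == "file_rename" and event["new_path"].lower().endswith(".quietplace"):
        return "quietplace_extension"
    if kind == "image_load" and ntpath.basename(event["path"]).lower() == "everything32.dll":
        folder = ntpath.dirname(event["path"]).lower()
        return None if folder in EXPECTED_DIRS else "everything_dll_unexpected_path"
    if kind == "process":
        image = ntpath.basename(event["image"]).lower()
        if image in ("sdelete.exe", "sdelete64.exe"):
            return "secure_delete_run"
        if DEFENDER_OFF.search(event.get("cmdline", "").lower()):
            return "defender_tampering"

def triage(events):
    """Collect labels per host; grade by how far along the chain the host is."""
    hits = {}
    for ev in events:
        label = classify(ev)
        if label:
            hits.setdefault(ev["host"], set()).add(label)
    report = {}
    for host, labels in hits.items():
        if "quietplace_extension" in labels:   # encryption has already run
            grade = "encrypting"
        elif len(labels) >= 2:                 # several precursors together
            grade = "precursor-chain"
        else:                                  # one dual-use tool: may be admin work
            grade = "review"
        report[host] = (grade, sorted(labels))
    return report

# Constructed sample events (hosts and paths are invented for illustration).
SAMPLE = [
    {"host": "WS01", "type": "image_load", "path": r"C:\Users\bob\AppData\Local\Temp\Everything32.dll"},
    {"host": "WS01", "type": "process", "image": r"C:\Windows\System32\powershell.exe", "cmdline": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "WS01", "type": "process", "image": r"C:\Users\bob\AppData\Local\Temp\sdelete64.exe", "cmdline": "sdelete64.exe"},
    {"host": "WS02", "type": "image_load", "path": r"C:\Program Files\Everything\Everything32.dll"},
    {"host": "WS03", "type": "process", "image": r"C:\Tools\sdelete.exe", "cmdline": "sdelete.exe"},
    {"host": "FS01", "type": "file_rename", "new_path": r"D:\share\budget.xlsx.QUIETPLACE"},
]
```

Because Everything and Secure Delete are legitimate tools, a single match is only graded "review"; the grade rises when several precursors appear on the same host or the extension is already present.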
 

The Emergence of Elpaco   

 
A new variant of Mimic, known as Elpaco, has recently been detected. This variant is associated with attacks that involve brute-forcing Remote Desktop Protocol (RDP) credentials. Once access is gained, attackers exploit the Zerologon vulnerability (CVE-2020-1472) to escalate privileges and deploy the ransomware.
 
Reports of Elpaco infections have surfaced in countries such as Russia and South Korea, underscoring the expanding reach and evolving capabilities of this ransomware family.   
 

The Importance of Vigilance 

 
Although tools like Everything and Secure Delete are not inherently harmful, Mimic’s misuse of these legitimate programs highlights the need for continuous vigilance. Cybercriminals are increasingly finding ways to exploit trusted software for malicious purposes. 
 
As Mimic and its variants continue to evolve, implementing robust cybersecurity measures—including regular system updates, strong authentication protocols, and comprehensive backup strategies—remains essential to mitigating the risk of ransomware attacks.

Mimic Attacks: Ransomware Hijacking Windows ‘Everything’ Search Tool


Trend Micro has recently revealed details of a new type of ransomware that apparently abuses the APIs of the ‘Everything’ search tool to attack English- and Russian-speaking Windows users.

The malware was discovered by the security firm’s researchers in June 2022 and was named ‘Mimic.’ According to the researchers, the malware has been “deleting shadow copies, terminating multiple applications and services, and abusing Everything32.dll functions to query target files that are to be encrypted.”

The researchers also found that some of the code in Mimic shared similarities with the infamous Conti ransomware, which was leaked in early 2022 following a number of high-profile incidents. 

Mimic Attacks 

A Mimic ransomware attack begins with targeted victims receiving an executable, most likely via email, that retrieves four files from the target system, including the main payload, ancillary files, and tools to disable Windows Defender.

The researchers’ findings reveal that the files used in the attack are largely legitimate, with one file containing the malicious payloads. Mimic is a sophisticated strain of ransomware that may use command-line options to target specific files and multiple processor threads to encrypt data more rapidly.

According to Trend Micro, this combination of several active threads and the way it abuses Everything's APIs enable it to operate with minimum resource consumption, leading to a more effective execution and attack. 

What Could be the Solution? 

One of the best measures advised to companies is implementing a multilayered approach, which will provide the most efficient security, including data protection, backup and recovery measures.

Utilizing a range of software designed to prevent, mitigate and combat attacks on personal and business computers will add another layer of protection to the systems.

Moreover, conducting regular vulnerability assessments and patching those vulnerabilities as soon as security updates become available will further aid in combating potential ransomware attacks.