A new ransomware variant known as Mimic was found by security researchers, and it uses the Windows 'Everything' file search tool's APIs to scan for files that should be encrypted.
The virus has been "deleting shadow copies, terminating several apps and services, and abusing Everything32.dll methods to query target files that are to be encrypted," according to the first observation of it in June 2022.
What is Mimic ransomware?
The ransomware payload for Mimic is contained in a password-protected package that is presented as Everything64.dll and dropped by the executable Mimic along with other components. Additionally, it contains tools for disabling valid sdel binaries and Windows Defender.
Mimic is a flexible strain of ransomware that may use command-line options to target specific files and multi-processor threads to encrypt data more quickly. The victim of a mimic ransomware attack first receives an executable, most likely via email. This executable loads four files onto the target machine, including the primary payload, auxiliary files, and tools to turn off Windows Defender.
The popular Windows filename search engine 'Everything' was created by Voidtools. The tool supports real-time updates and is lightweight and speedy, using few system resources. According to Trend Micro, this combination of several active threads and the way it abuses Everything's APIs enables it to operate with little resource consumption, resulting in a more effective assault and execution.
Although Mimic is a new strain with unknown activity, the developers' use of the Conti builder with the Everything API demonstrates their skill as software engineers and their awareness of how to accomplish their objectives.