Trend Micro researchers uncovered Mimic, a new ransomware family that abuses the search APIs of the legitimate Everything file-search tool to locate files for encryption and ships with several defense-evasion capabilities. It arrives as a dropper that extracts its components from a password-protected archive, shares code with the leaked Conti ransomware builder, and abuses legitimate binaries to speed up encryption. #MimicRansomware #ContiBuilder
Keypoints
- Mimic is a ransomware discovered by Trend Micro that uses Everything’s APIs to identify target files for encryption.
- It drops multiple binaries and a password-protected archive disguised as Everything64.dll, along with tools to disable defenses and facilitate encryption.
- The payload writes a session key to session.tmp so that encryption can resume if it is interrupted, and renames itself to bestplacetolive.exe.
- Mimic extracts the archive from the command line with 7za.exe, then calls Everything32.dll APIs to locate target files and appends the .QUIETPLACE extension to each file it encrypts.
- Several capabilities mirror Conti components, including network discovery, share enumeration, port scanning, UAC bypass, and defense evasion.
- The encryptor is multi-threaded to speed up encryption, and its code shows similarities with the leaked Conti ransomware builder.
- Recommendations emphasize data protection, backups, vulnerability management, and multilayer defenses, with Trend Micro offerings highlighted as mitigations.
MITRE Techniques
- [T1562.001] Impair Defenses: Disable or Modify Tools – Disables Windows Defender and Windows telemetry. Quote: (‘Disabling Windows Defender’ and ‘Disabling Windows telemetry’)
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – Creates persistence via the RUN key. Quote: (‘Creating persistence via the RUN key’)
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Runs 7za.exe to extract the payload from the password-protected archive. Quote: (‘"%Temp%\7ZipSfx.000\7za.exe" x -y -p20475326413135730160 Everything64.dll’)
- [T1490] Inhibit System Recovery – Deletes shadow copies to hinder recovery. Quote: (‘deleting shadow copies’)
- [T1082] System Information Discovery – Collects system information. Quote: (‘Collecting system information’)
- [T1135] Network Share Discovery – NetShareEnum enumerates shares on gathered IPs. Quote: (‘employs the NetShareEnum function to enumerate all shares on the gathered IP addresses’)
- [T1046] Network Service Discovery – Port scanning is based on the Conti builder. Quote: (‘port scanning is also based on the Conti builder’)
Indicators of Compromise
- [File] Dropped and used components – 7za.exe, Everything64.dll, Everything.exe, Everything32.dll, session.tmp, bestplacetolive.exe. Context: dropped during arrival and encryption process. Note that 7za.exe, Everything.exe and Everything32.dll are legitimate binaries that the malware abuses, so hunt on the surrounding context (the 7ZipSfx temp directory, the password-protected extraction command, the .QUIETPLACE extension) rather than on those file names alone.
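As an added hunting example (editor's code, not Trend Micro's analysis tooling and not the malware's own code), the rules below run the behaviours and file indicators listed on this page over a handful of constructed process-creation and file-write events. The event shape, the sample paths, and the Set-MpPreference pattern used for the Defender-disable step are assumptions: the page names the behaviours but not the exact mechanism or on-disk locations, so map the rules onto your own telemetry (for example Sysmon event IDs 1 and 11) before relying on them.

```python
"""Hunt process and file telemetry for the Mimic behaviours and IoCs summarised above.

Editor-added example; the event records below are constructed, not captured.
"""
import re
from pathlib import PureWindowsPath

# Command-line rules for the behaviours the report describes.
# Each entry: (MITRE technique, description, compiled regex over the command line).
COMMAND_RULES = [
    ("T1059.003",
     "7za.exe extracts a password-protected archive named Everything64.dll",
     re.compile(r'7za?\.exe"?\s+x\b.*\s-p\S+.*Everything64\.dll', re.IGNORECASE)),
    ("T1490",
     "shadow copies deleted with vssadmin",
     re.compile(r'vssadmin(\.exe)?\s+delete\s+shadows', re.IGNORECASE)),
    # The page says Defender is disabled but not how; this Set-MpPreference
    # pattern is an ASSUMED common mechanism, not one quoted from the report.
    ("T1562.001",
     "Defender real-time monitoring disabled via Set-MpPreference (assumed mechanism)",
     re.compile(r'Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true', re.IGNORECASE)),
]

# File-name indicators taken from the IoC list. Everything.exe and the
# Everything*.dll names are legitimate Everything components and are left out
# here because they would be noisy on hosts that run the real tool.
ENCRYPTED_EXTENSION = ".quietplace"
DROPPED_NAMES = {"session.tmp", "bestplacetolive.exe"}

# Constructed sample telemetry: (kind, image, detail).
# kind == "process": detail is the command line; kind == "file": detail is the path written.
SAMPLE_EVENTS = [
    ("process", r"C:\Users\u\AppData\Local\Temp\7ZipSfx.000\7za.exe",
     r'"C:\Users\u\AppData\Local\Temp\7ZipSfx.000\7za.exe" x -y -p20475326413135730160 Everything64.dll'),
    ("process", r"C:\Program Files\7-Zip\7z.exe",
     r'"C:\Program Files\7-Zip\7z.exe" a backup.7z docs'),          # benign archive creation
    ("process", r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /c powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    ("process", r"C:\Windows\System32\vssadmin.exe",
     r"vssadmin delete shadows /all /quiet"),
    ("file", r"C:\ProgramData\bestplacetolive.exe", r"C:\Users\u\Documents\report.docx.QUIETPLACE"),
    ("file", r"C:\ProgramData\bestplacetolive.exe", r"C:\Users\u\AppData\Local\Temp\session.tmp"),
    ("file", r"C:\Users\u\AppData\Local\Temp\7ZipSfx.000\7za.exe", r"C:\ProgramData\bestplacetolive.exe"),
    ("file", r"C:\Windows\explorer.exe", r"C:\Users\u\Documents\notes.txt"),  # benign write
]


def match_command(command_line):
    """Return (technique, description) for the first command rule that fires, else None."""
    for technique, description, pattern in COMMAND_RULES:
        if pattern.search(command_line):
            return technique, description
    return None


def match_file(path):
    """Return (label, description) when a written path matches a Mimic file indicator, else None."""
    p = PureWindowsPath(path)
    if p.suffix.lower() == ENCRYPTED_EXTENSION:
        return "IoC:extension", f"file renamed with {p.suffix} after encryption"
    if p.name.lower() in DROPPED_NAMES:
        return "IoC:dropped", f"dropped component {p.name}"
    return None


def hunt(events):
    """Run every event through the rules and return the findings in event order."""
    findings = []
    for index, (kind, image, detail) in enumerate(events):
        hit = match_command(detail) if kind == "process" else match_file(detail)
        if hit:
            findings.append({"event": index, "kind": kind, "label": hit[0],
                             "why": hit[1], "image": image})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"[{finding['label']}] event {finding['event']} ({finding['kind']}): "
              f"{finding['why']} <- {finding['image']}")
```

The 7za rule keys on the combination the page quotes (an `x` extraction with a `-p` password targeting a file called Everything64.dll) rather than on 7za.exe alone, which keeps ordinary 7-Zip use from firing; the file rules flag only the names that have no legitimate reason to appear, which is why the benign 7z.exe call and the Everything binaries produce no findings.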