Morphisec's investigation into Mimic ransomware version 7.5 highlights its aggressive tactics, focusing on initial access through previously deployed Clipper malware and on a range of techniques for lateral movement and data exfiltration. As the threat primarily affects the healthcare sector, the report underscores the evolving nature of ransomware attacks and calls for enhanced detection and mitigation strategies.
Affected: Healthcare sector
Key points:
- Mimic ransomware variant 7.5 was investigated, revealing advanced tactics and techniques.
- Initial access was gained through previously deployed Clipper malware used for credential harvesting.
- Attackers utilized Remote Desktop Protocol (RDP) for lateral movement and compromised multiple servers.
- Tools like Process Hacker and Mimikatz were employed to escalate privileges and maintain persistence.
- The ransomware communicated with Edge browsers to exfiltrate data to Mega.nz.
- The ransomware strategy included clearing shadow copies and modifying boot settings to impair recovery options.
- Enhanced anti-forensic tactics and process tampering techniques were employed to obscure detection.
MITRE Techniques:
- T1078 – Valid Accounts: Access gained through RDP using legitimate accounts.
- T1068 – Exploit Elevation of Privilege: Tools like Mimikatz used for credential dumping.
- T1010 – Application Layer Protocol: Utilizing HTTP for data exfiltration via Edge browsers.
- T1210 – Exploitation of Remote Services: RDP exploited for lateral movement.
- T1071 – Application Layer Protocol: Ransomware communicates with Mega.nz for data upload.
- T1070.002 – Indicator Removal on Host: Event log and shadow copy clearing to hinder incident recovery.
Indicators of Compromise:
- [SHA-256] systemsg.exe 5B2274DAAABB293187B0A75C15247474511524850384CE2CFA5F0BA01344BEA5
- [SHA-256] gui40.exe 276A3503E2EE9476CD173D3305019D98FABC928EDE3975A85CC5A5F4AAB43C79
- [SHA-256] Everything64.dll 34C2BC2DA9704DC42D0BCEC16988C94AA67B73BCE995C9C447D57D4A3F78B21B
- [IP] 48.210.215[.]154 – Initial access IP used during the attack.
- [IP] 178.131.100[.]23 – C2 server associated with the attack.
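The following is an added example, not code from the Morphisec report, showing how a defender can triage process-creation telemetry for the recovery-impairment behaviour described above (shadow copy deletion, boot setting changes) and match the listed indicators. It assumes a simple tuple-per-event format; the command-line patterns are the usual commands for those techniques in general, not command lines quoted from the report.

```python
import re

# Constructed sample of process-creation events, not data from the Morphisec report.
# Each tuple is (timestamp, command line, SHA-256 of the image, remote IP or "").
SAMPLE_EVENTS = [
    ("2024-05-01T10:01:00Z", "vssadmin.exe delete shadows /all /quiet", "", ""),
    ("2024-05-01T10:01:05Z", "bcdedit /set {default} recoveryenabled no", "", ""),
    ("2024-05-01T10:02:00Z", "C:\\Users\\Public\\gui40.exe",
     "276a3503e2ee9476cd173d3305019d98fabc928ede3975a85cc5a5f4aab43c79", ""),
    ("2024-05-01T10:03:00Z", "notepad.exe notes.txt", "", "10.0.0.5"),
    ("2024-05-01T10:04:00Z", "mstsc.exe /v:srv01", "", "178.131.100.23"),
]

# Command-line patterns for the recovery impairment the report describes (shadow copy
# deletion, boot setting changes). These are the usual commands for those techniques in
# general, not command lines quoted from the report.
RECOVERY_IMPAIRMENT_RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "boot_config_tamper": re.compile(
        r"bcdedit(\.exe)?\s+/set\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
}

# Indicators listed in the report; defanged IPs are refanged here for exact matching.
IOC_SHA256 = {
    "5b2274daaabb293187b0a75c15247474511524850384ce2cfa5f0ba01344bea5": "systemsg.exe",
    "276a3503e2ee9476cd173d3305019d98fabc928ede3975a85cc5a5f4aab43c79": "gui40.exe",
    "34c2bc2da9704dc42d0bcec16988c94aa67b73bce995c9c447d57d4a3f78b21b": "Everything64.dll",
}
IOC_IPS = {"48.210.215.154": "initial access IP", "178.131.100.23": "C2 server"}


def triage(events):
    """Return (timestamp, rule, detail) for every event matching a rule or an IoC."""
    alerts = []
    for ts, cmdline, sha256, remote_ip in events:
        for rule, rx in RECOVERY_IMPAIRMENT_RULES.items():
            if rx.search(cmdline):
                alerts.append((ts, rule, cmdline))
        if sha256.lower() in IOC_SHA256:
            alerts.append((ts, "ioc_hash", IOC_SHA256[sha256.lower()]))
        if remote_ip in IOC_IPS:
            alerts.append((ts, "ioc_ip", IOC_IPS[remote_ip]))
    return alerts


if __name__ == "__main__":
    for ts, rule, detail in triage(SAMPLE_EVENTS):
        print(ts, rule, detail)
```

Hash and IP matches are exact, so the same indicators should also be pushed to the EDR and firewall block lists rather than relied on only in after-the-fact log review.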
Full Story: https://www.morphisec.com/blog/elenor-corp-mimic-ransomware-variant/