Summary:
The Elpaco ransomware, a variant of Mimic, utilizes the Everything library for file discovery and features a customizable GUI for attackers. It employs sophisticated techniques for evasion and encryption, making it challenging to recover encrypted files. The ransomware has been observed targeting multiple countries since August 2023.
#ElpacoRansomware #MimicVariant #RansomwareThreat
Keypoints:
- Elpaco ransomware connects via RDP after a brute force attack.
- It exploits the CVE-2020-1472 vulnerability (Zerologon) for privilege escalation.
- The malware uses a 7-Zip installer mechanism, raising detection concerns.
- Elpaco abuses the Everything library for file searching and includes a GUI for customization.
- It drops files in a randomly named directory under %AppData%\Local.
- The malware creates registry keys for persistence and to display a ransom note at startup.
- Elpaco encrypts files using the ChaCha20 cipher with RSA-4096 for key encryption.
- YARA rules were developed for detecting Elpaco and its console interface.
- Attacks have been observed in various countries, including the USA, Russia, and Germany.
MITRE Techniques:
- Discovery (T1135): Network Share Discovery.
- Execution (T1059.003): Command and Scripting Interpreter: Windows Command Shell.
- Execution (T1059.001): Command and Scripting Interpreter: PowerShell.
- Impact (T1486): Data Encrypted for Impact.
- Impact (T1489): Service Stop.
- Impact (T1490): Inhibit System Recovery.
- Defense evasion (T1548.002): Abuse Elevation Control Mechanism: Bypass User Account Control.
- Defense evasion (T1036): Masquerading.
- Defense evasion (T1112): Modify Registry.
- Defense evasion (T1562.004): Disable or Modify System Firewall.
- Defense evasion (T1055): Process Injection.
- Defense evasion (T1564): Hide Artifacts.
- Persistence (T1547.001): Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder.
IoC:
- [File Hash] 61f73e692e9549ad8bc9b965e25d2da683d56dc1 (dropper)
- [File Hash] 8af05099986d0b105d8e38f305efe9098a9fbda6 (svhostss.exe)
Full Research: https://securelist.com/elpaco-ransomware-a-mimic-variant/114635/
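As a defender-side illustration of the IoC list above, the following Python script hashes every file under a directory with SHA-1 (the two listed hashes are 40 hex characters, i.e. SHA-1), reports matches against the page's indicators, and separately flags the masquerading filename `svhostss.exe` named on the page. This is an added example, not code from the original report or from Kaspersky; the demo directory and its contents are constructed here, and the function names are assumptions of this example.

```python
import hashlib
import os
import tempfile

# SHA-1 indicators taken from the page's IoC list.
ELPACO_SHA1 = {
    "61f73e692e9549ad8bc9b965e25d2da683d56dc1": "Elpaco dropper",
    "8af05099986d0b105d8e38f305efe9098a9fbda6": "svhostss.exe (Elpaco payload)",
}

# Filename the page reports the payload using (T1036 Masquerading).
SUSPICIOUS_NAMES = {"svhostss.exe"}


def sha1_bytes(data: bytes) -> str:
    """SHA-1 hex digest of an in-memory buffer."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-1 so large binaries do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_iocs(root: str, iocs=ELPACO_SHA1):
    """Walk `root` and return (path, sha1, label) for every file whose hash is in `iocs`."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha1_of_file(path)
            except OSError:
                # Unreadable or vanished file: skip rather than abort the whole scan.
                continue
            if digest in iocs:
                hits.append((path, digest, iocs[digest]))
    return hits


def flag_masquerading_names(root: str, names=SUSPICIOUS_NAMES):
    """Return paths whose basename matches a known masquerading filename (case-insensitive)."""
    flagged = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in names:
                flagged.append(os.path.join(dirpath, name))
    return flagged


def build_demo_dir():
    """Constructed test tree: one benign file and one file using the masquerading name.

    Returns (root, sha1 of the planted file) so a caller can treat that hash as an
    indicator without shipping any real sample. Both files contain harmless text.
    """
    root = tempfile.mkdtemp(prefix="elpaco_ioc_demo_")
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"benign constructed content\n")
    planted = b"abc"  # constructed placeholder content, not malware
    with open(os.path.join(root, "svhostss.exe"), "wb") as f:
        f.write(planted)
    return root, sha1_bytes(planted)


if __name__ == "__main__":
    root, planted_hash = build_demo_dir()
    # Real indicators first: the constructed tree should not contain them.
    print("hash hits (page IoCs):", scan_for_iocs(root))
    # Then show a positive match by treating the planted file's hash as an indicator.
    print("hash hits (planted):", scan_for_iocs(root, {planted_hash: "constructed sample"}))
    print("masquerading names:", flag_masquerading_names(root))
```

In production use the hash set would be loaded from a feed rather than hard-coded, and a name match alone is only a triage signal; the hash match is the reliable indicator.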