
Mimic Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 2
First Seen: February 8, 2023
Last Seen: March 1, 2023
OS(es) Affected: Windows

Cybersecurity researchers have published details of a previously undocumented ransomware family that abuses the API of Everything, a Windows filename search engine developed by Voidtools. The strain, tracked as Mimic, was first observed in the wild in June 2022 and appears to target both Russian- and English-speaking users.

The Mimic Ransomware carries multiple capabilities, including deleting Shadow Volume Copies, terminating a range of applications and services, and abusing functions exported by Everything32.dll to enumerate the files it will encrypt. Parts of the threat are believed to have been built from the Conti Ransomware builder that leaked in March 2022. The details summarized here come from a report published by security researchers.

Mimic Ransomware’s Infection Chain

Mimic arrives on a compromised device as an executable that drops several binaries, among them a password-protected archive disguised as Everything64.dll. That archive holds the ransomware payload together with tools for disabling Windows Defender and legitimate sdel binaries (the Sysinternals SDelete secure-deletion utility).

On execution, Mimic drops its components into the %Temp%\7ZipSfx.000 folder and unpacks the password-protected Everything64.dll archive into the same directory with the bundled 7za.exe, using the command:

"%Temp%\7ZipSfx.000\7za.exe" x -y -p20475326413135730160 Everything64.dll

It also writes a session key file, session.tmp, to the same directory; this file lets the malware resume encryption if the process is interrupted.

Afterward, Mimic copies all dropped files to '%LocalAppData%\{Random GUID}\', renames its own executable to 'bestplacetolive.exe', and deletes the original files from %Temp%.
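The staging chain above (7za.exe run from %Temp%\7ZipSfx.000 with a -p password against Everything64.dll, then a copy living as bestplacetolive.exe under a GUID folder in %LocalAppData%) is a good fit for process-creation telemetry. The following is an added detection example, not code from the original page or from the researchers who reported Mimic. The events are constructed to resemble Sysmon Event ID 1 records flattened to JSON lines; the field names (Image, CommandLine, ParentImage, User) follow Sysmon's, while the user name, parent process name and GUID are made up for the demo.

```python
"""Flag the Mimic staging chain in process-creation telemetry.

Added example, not code from the original page or from the researchers
who reported Mimic. The events below are constructed to look like Sysmon
Event ID 1 records flattened to JSON lines; field names follow Sysmon's,
everything else (user, parent image, GUID) is invented for the demo.
"""
import json
import re
from typing import List, Optional

# Constructed sample: one benign 7-Zip run, then the two Mimic stages.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 1,
     "Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" x -y backup.7z',
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\alice"},
    {"EventID": 1,
     "Image": r"C:\Users\alice\AppData\Local\Temp\7ZipSfx.000\7za.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\7ZipSfx.000\7za.exe"'
                    r" x -y -p20475326413135730160 Everything64.dll",
     "ParentImage": r"C:\Users\alice\Downloads\setup.exe", "User": "CORP\\alice"},
    {"EventID": 1,
     "Image": (r"C:\Users\alice\AppData\Local"
               r"\{3F2504E0-4F89-11D3-9A0C-0305E82C3301}\bestplacetolive.exe"),
     "CommandLine": (r'"C:\Users\alice\AppData\Local'
                     r'\{3F2504E0-4F89-11D3-9A0C-0305E82C3301}\bestplacetolive.exe"'),
     "ParentImage": r"C:\Users\alice\Downloads\setup.exe", "User": "CORP\\alice"},
])

# Stage 1: the self-extractor runs 7za.exe out of %Temp%\7ZipSfx.NNN and
# unpacks the password-protected archive that masquerades as Everything64.dll.
SFX_7ZA = re.compile(r"\\Temp\\7ZipSfx\.\d{3}\\7za\.exe$", re.IGNORECASE)
PROTECTED_UNPACK = re.compile(
    r"\bx\b.*?\s-p\S+.*?\bEverything64\.dll\b", re.IGNORECASE)

# Stage 2: the payload lives on as %LocalAppData%\{GUID}\bestplacetolive.exe.
GUID_HIDEOUT = re.compile(
    r"\\AppData\\Local\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}"
    r"\\bestplacetolive\.exe$", re.IGNORECASE)


def classify(event: dict) -> Optional[str]:
    """Return the name of the rule an event trips, or None if it is clean."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    if SFX_7ZA.search(image) and PROTECTED_UNPACK.search(cmd):
        return "mimic_stage1_sfx_unpack"
    if GUID_HIDEOUT.search(image):
        return "mimic_stage2_guid_payload"
    return None


def hunt(jsonl: str) -> List[dict]:
    """Run every rule over JSON-lines telemetry; return alerts in input order."""
    alerts = []
    for lineno, line in enumerate(jsonl.splitlines(), 1):
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("EventID") != 1:          # only process-creation records
            continue
        rule = classify(event)
        if rule:
            alerts.append({"line": lineno, "rule": rule, "image": event["Image"],
                           "parent": event.get("ParentImage"), "user": event.get("User")})
    return alerts


if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"[{a['rule']}] line {a['line']}: {a['image']} "
              f"(parent {a['parent']}, user {a['user']})")
```

The stage 1 rule deliberately requires both the 7ZipSfx path and the password switch plus the Everything64.dll name, because 7-Zip self-extractors and password-protected archives are common on their own; the stage 2 rule keys on the GUID folder plus the fixed payload name, which legitimate software does not use. Both ParentImage values are worth pivoting on once an alert fires, since the same dropper spawns both stages.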

The Threatening Capabilities of the Mimic Ransomware

The Mimic Ransomware spawns multiple worker threads through the CreateThread function so that files are encrypted quickly; the parallelism also makes the sample harder to trace during analysis. Its capabilities include collecting system information, establishing persistence through the Run registry key, bypassing User Account Control (UAC), disabling Windows Defender and telemetry, activating anti-shutdown measures, terminating processes and services, and interfering with System Recovery.

To select its targets, Mimic abuses Everything32.dll, the library behind the legitimate Everything filename search engine, to query for particular file extensions and filenames and retrieve their full paths, either to encrypt them or to exclude them from encryption. Encrypted files receive the '.QUIETPLACE' extension. The threat presents its ransom demand in three places: once during start-up, in a text file named 'Decrypt_me.txt', and in a pop-up window shown on the desktop.
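Once encryption has run, the artifacts described above (the .QUIETPLACE extension, Decrypt_me.txt notes, the bestplacetolive.exe copy under a GUID folder, the Run-key persistence) let a responder size the damage before touching anything. The following triage helper is an added example, not code from the original page. The file listing and the HKCU Run-key dump are constructed for the demo; on a real host you would feed it os.walk() output and an export of the Run key. It assumes that session.tmp and Everything32.dll sit beside the payload in the GUID folder, which follows from the copy step the page describes but is not spelled out there.

```python
"""Triage the on-disk artifacts Mimic leaves behind.

Added example, not code from the original page. SAMPLE_FILES and
SAMPLE_RUN_KEY are constructed; the GUID, user name and file names are
invented for the demo.
"""
import ntpath
import re
from collections import Counter
from typing import Dict, List

ENCRYPTED_EXT = ".QUIETPLACE"
RANSOM_NOTE = "decrypt_me.txt"
PAYLOAD_NAME = "bestplacetolive.exe"
SESSION_FILE = "session.tmp"
# %LocalAppData%\{GUID} staging folder (GUID is 32 hex digits and 4 dashes).
GUID_DIR = re.compile(r"\\AppData\\Local\\\{[0-9A-F-]{36}\}$", re.IGNORECASE)

SAMPLE_FILES = [
    r"C:\Users\alice\Documents\report.docx.QUIETPLACE",
    r"C:\Users\alice\Documents\budget.xlsx.QUIETPLACE",
    r"C:\Users\alice\Documents\Decrypt_me.txt",
    r"C:\Users\alice\Pictures\holiday.jpg.QUIETPLACE",
    r"C:\Users\alice\Pictures\Decrypt_me.txt",
    r"C:\Users\alice\AppData\Local\{3F2504E0-4F89-11D3-9A0C-0305E82C3301}\bestplacetolive.exe",
    r"C:\Users\alice\AppData\Local\{3F2504E0-4F89-11D3-9A0C-0305E82C3301}\session.tmp",
    r"C:\Users\alice\AppData\Local\{3F2504E0-4F89-11D3-9A0C-0305E82C3301}\Everything32.dll",
    r"C:\Windows\System32\notepad.exe",
]
# Constructed dump of HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
SAMPLE_RUN_KEY = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "bestplacetolive": r"C:\Users\alice\AppData\Local\{3F2504E0-4F89-11D3-9A0C-0305E82C3301}\bestplacetolive.exe",
}


def original_extension(path: str) -> str:
    """Recover the pre-encryption extension from 'name.docx.QUIETPLACE'."""
    stem = ntpath.basename(path)[:-len(ENCRYPTED_EXT)]
    ext = ntpath.splitext(stem)[1].lower()
    return ext or "(none)"


def triage(files: List[str], run_key: Dict[str, str]) -> dict:
    """Summarise blast radius, staging folder and persistence from host artifacts."""
    encrypted = [f for f in files if f.upper().endswith(ENCRYPTED_EXT)]
    by_ext = Counter(original_extension(f) for f in encrypted)
    note_dirs = sorted({ntpath.dirname(f) for f in files
                        if ntpath.basename(f).lower() == RANSOM_NOTE})
    staging = sorted({ntpath.dirname(f) for f in files
                      if ntpath.basename(f).lower() == PAYLOAD_NAME
                      and GUID_DIR.search(ntpath.dirname(f))})
    # session.tmp is the resumable session key file; keep it for forensics.
    session_present = any(ntpath.basename(f).lower() == SESSION_FILE
                          and ntpath.dirname(f) in staging for f in files)
    persistence = sorted(name for name, cmd in run_key.items()
                         if PAYLOAD_NAME in cmd.lower())
    return {
        "encrypted_count": len(encrypted),
        "by_original_ext": dict(by_ext),
        "note_dirs": note_dirs,
        "staging_dirs": staging,
        "session_key_present": session_present,
        "persistence": persistence,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_FILES, SAMPLE_RUN_KEY)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The per-extension breakdown is what the ransom note itself says the price is computed from (the number of encrypted office files), so it is worth recording before any restore. Preserve the staging folder, including session.tmp, and export the Run key value before removing persistence; both are evidence and the session file is part of the encryption state.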

The full text of Mimic Ransomware's demands found in the pop-up window and text file is:

'All your files have been encrypted with Our virus.
Your unique ID:

You can buy full decryption of your files
But before you pay, you can make sure that we can really decrypt any of your files.
The encryption key and ID are unique to your computer, so you are guaranteed to be able to return your files.

To do this:
1) Send your unique id - and max 3 files for test decryption
OUR CONTACTS
1.1) TOX messenger (fast and anonymous)
hxxps://tox.chat/download.html
Install qtox
press sign up
create your own name
Press plus
Put there my tox ID
95CC6600931403C55E64134375095128F18EDA09B4A74B9F1906C1A4124FE82E4428D42A6C65
And add me/write message
1.2)ICQ Messenger
ICQ live chat which works 24/7 - @mcdonaldsdebtzhlob
Install ICQ software on your PC here hxxps://icq.com/windows/ or on your smartphone search for "ICQ" in Appstore / Google market
Write to our ICQ @pedrolloanisimka hxxps://icq.im/mcdonaldsdebtzhlob
1.3)Skype
MCDONALDSDEBTZHLOB DECRYPTION
1.4) Mail (write only in critical situations because your email may not be delivered or may land in spam) mcdonaldsdebtzhlob@onionmail.org

In the subject line please write your decryption ID: -

After decryption, we will send you the decrypted files and a unique bitcoin wallet for payment.
After payment ransom for Bitcoin, we will send you a decryption program and instructions. If we can decrypt your files, we have no reason to deceive you after payment.

FAQ:
Can I get a discount?
No. The ransom amount is calculated based on the number of encrypted office files and discounts are not provided. All such messages will be automatically ignored. If you really only want some of the files, zip them and upload them somewhere. We will decode them for the price of 1 file = 1$.
What is Bitcoin?
read bitcoin.org
Where to buy bitcoins?
hxxps://www.alfa.cash/buy-crypto-with-credit-card (fastest way)
buy.coingate.com
hxxps://bitcoin.org/en/buy
hxxps://buy.moonpay.io
binance.com
or use google.com to find information where to buy it
Where is the guarantee that I will receive my files back?
The very fact that we can decrypt your random files is a guarantee. It makes no sense for us to deceive you.
How quickly will I receive the key and decryption program after payment?
As a rule, during 15 min
How does the decryption program work?
It's simple. You need to run our software. The program will automatically decrypt all encrypted files on your HDD.'

File System Details

Mimic Ransomware may create the following file(s):

File Name: file.exe
MD5: 46138d264ab20df0d0d92f3046fad199
Detections: 1
