Mimic Ransomware: What You Need To Know

What is Mimic?

Mimic is family of ransomware, first found in-the-wild in 2022. In common with many other ransomware attacks, Mimic encrypts a victim’s files, and demands a ransom payment in cryptocurrency for the release of a decryption key.

Does Mimic also steal data?

Yes, some variants of Mimic can also exfiltrate data from a user’s computers before it is encrypted – the stolen data is typically used as an additional bargaining chip by the extortionists, who may threaten to release it online or sell it to other criminals.

Where did Mimic come from?

Mimic reuses code from the Conti ransomware, which was leaked after the Conti gang publicly announced its support for Russia’s invasion of Ukraine. Unfortunately it is not possible to confidently say which part of the world Mimic originates from, but it does appear that it specifically targets English and Russian speakers.

So what makes Mimic noteworthy?

What makes Mimic particularly unusual is that it exploits the API of a legitimate Windows file search tool (“Everything” by Voidtools) to quickly locate files for encryption.

Phew! I don’t use Everything. In fact, I’ve never heard of it

Unfortunately, the Mimic ransomware doesn’t rely upon your computer having the Everything app installed. The ransomware typically comes packaged with Everything, as well as programs to impair the effectiveness of Windows Defender and Sysinternals’ Secure Delete tool, which is used to wipe backups and hinder recovery.

Nasty. What are the makers of Voidtools doing about this?

There isn’t much Voidtools can do about this. There’s nothing wrong with the Everything app – it is just being abused by the ransomware to accerate the process of encrypting files. It’s the same story for Secure Delete, which is being exploited to erase backup copies of data.

So how will I know if my computer systems have been infected with Mimic?

Files encrypted by the Mimic ransomware are given the “.QUIETPLACE” extension. You could always use a tool like Everything to quickly determine if you have any files that have that extension. 🙂 Mimic also leaves a ransom note that US $3000 worth of cryptocurrency in exchange for the decryption key. 

What can expect in the future from Mimic?

Well, a new variant of Mimic has recently been discovered called Elpaco, which has been used in attacks where malicious hackers accessed victims’ systems via RDP after successfully brute-forcing their way in. According to security experts, the attackers were able to escalate their privileges through exploitation of the “Zerologon” (CVE-2020-1472) vulnerability. 

Security researchers say that they have received reports of Mimic’s Elpaco variant from Russia and South Korea.

So the threat continues to evolve. What should I do to defend my systems?

Here are 30 ransomware prevention tips that can help prevent a ransomware infection from succeeding in your organisation.