Security researchers at Trend Micro have discovered a new ransomware strain that abuses the application programming interface (API) of Everything, a third-party Windows file-search tool.
The ransomware, which Trend Micro named Mimic, targets Russian- and English-speaking users. It has the following capabilities:
- Collecting system information
- Bypassing User Account Control (UAC)
- Disabling Windows Defender
- Disabling Windows telemetry
- Activating anti-shutdown measures
- Activating anti-kill measures
- Unmounting virtual drives
- Terminating processes and services
- Disabling sleep mode and shutdown of the system
- Removing indicators
- Preventing system recovery
The attack starts when the victim receives an executable file, likely via email. When launched, the file drops four more files on the target system (shown above), including the primary payload, supplementary files, and tools to disable Windows Defender.
After the files are dropped, Mimic abuses Everything's search capabilities through the bundled "Everything32.dll" file to look for specific file names and extensions on the compromised system. Everything's index lets it enumerate candidate files far faster than walking the file system itself, and the same query results let it both select files worth encrypting and skip those whose encryption would render the system unusable.
Finally, Mimic appends the .QUIETPLACE extension to each encrypted file and displays a ransom note. The ransom demand, which must be paid in Bitcoin, is calculated from the number of encrypted files.
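The two host-level indicators the preceding paragraphs name, a process loading Everything32.dll that has no business using the Everything SDK and a burst of files written with the .QUIETPLACE extension, can be hunted for in endpoint telemetry. The script below is an added example and is not code from Trend Micro's report or from the Everything project. It runs over constructed Sysmon-style events (Event ID 7 for image loads, Event ID 11 for file creation); the field names follow Sysmon's schema, but every path, process name and the `KNOWN_SDK_CONSUMERS` allowlist are made-up assumptions that would have to be tuned to a real environment.

```python
"""Hunt for the Mimic indicators named above: Everything32.dll loaded by an
unexpected process, and .QUIETPLACE files being written in bulk.

Added example, not code from Trend Micro's report. Events are constructed
Sysmon-style records (ID 7 = image load, ID 11 = file create); field names
follow Sysmon, the values and the allowlist are assumptions."""
from collections import Counter

EVERYTHING_DLL = "everything32.dll"
RANSOM_EXT = ".quietplace"

# Assumption: a hypothetical launcher known to embed the Everything SDK.
# Keyed on the full, case-folded image path rather than the file name alone,
# so a dropper that merely names itself like a trusted binary does not match.
KNOWN_SDK_CONSUMERS = {r"c:\program files\launcher\launcher.exe"}

# Constructed sample telemetry (not real data).
PAYLOAD = r"C:\Users\victim\AppData\Local\Temp\payload.exe"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\Launcher\launcher.exe",
     "ImageLoaded": r"C:\Program Files\Launcher\Everything32.dll"},
    {"EventID": 7, "Image": PAYLOAD,
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\Everything32.dll"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\victim\Documents\notes.txt"},
    {"EventID": 11, "Image": PAYLOAD,
     "TargetFilename": r"C:\Users\victim\Documents\report.docx.QUIETPLACE"},
    {"EventID": 11, "Image": PAYLOAD,
     "TargetFilename": r"C:\Users\victim\Pictures\holiday.jpg.QUIETPLACE"},
    {"EventID": 11, "Image": PAYLOAD,
     "TargetFilename": r"C:\Users\victim\Desktop\budget.xlsx.QUIETPLACE"},
]


def _basename(path: str) -> str:
    """Case-folded final path component; tolerates both slash styles."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_sdk_loads(events, allowlist=KNOWN_SDK_CONSUMERS):
    """Return (process, dll path) pairs where Everything32.dll was loaded by
    a process whose full image path is not on the allowlist."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        if _basename(ev["ImageLoaded"]) != EVERYTHING_DLL:
            continue
        if ev["Image"].lower() in allowlist:
            continue
        hits.append((ev["Image"], ev["ImageLoaded"]))
    return hits


def ransom_extension_writers(events, threshold=3):
    """Map each process to the number of .QUIETPLACE files it created, keeping
    only processes at or above the threshold. Counting per process matches the
    behaviour: many renames from one image, not one stray file."""
    counts = Counter()
    for ev in events:
        if ev.get("EventID") != 11:
            continue
        if ev["TargetFilename"].lower().endswith(RANSOM_EXT):
            counts[ev["Image"]] += 1
    return {img: n for img, n in counts.items() if n >= threshold}


def hunt(events):
    """Run both checks; a process that appears in both is the strongest
    signal, since it shows the full chain described in the article."""
    loads = suspicious_sdk_loads(events)
    writers = ransom_extension_writers(events)
    both = sorted({img for img, _ in loads} & set(writers))
    return {"sdk_loads": loads, "ransom_writers": writers, "both": both}


if __name__ == "__main__":
    for key, value in hunt(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

Two practical notes. Sysmon only records image loads (Event ID 7) when its configuration enables the ImageLoad rule, which many default configurations do not, so the DLL check needs that switched on. Of the two signals, the DLL load from a user-writable directory such as Temp is the more durable one; a file extension is trivial for a new variant to change, which is why the extension check is kept as corroboration rather than the sole trigger.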
To protect your computer from ransomware attacks, always be cautious when opening unsolicited emails and attachments, and refrain from visiting potentially malicious sites. Also keep your security software updated so it can properly detect and remove ransomware. Finally, make it a habit to back up your files to external storage such as a flash drive, hard drive, or the cloud, and keep that storage disconnected or versioned: a backup drive that stays plugged in is just another volume for the ransomware to encrypt, and a strain that prevents system recovery will not leave you any local copies to fall back on. This way, even if ransomware encrypts your files, you can recover from a backup.
Source: Trend Micro