Trend Micro’s security researchers have discovered a new ransomware strain that abuses the application programming interface (API) of Everything, a third-party Windows file search tool.
The ransomware, which Trend Micro named Mimic, targets Russian- and English-speaking users. It has the following capabilities:
- Collecting system information
- Bypassing User Account Control (UAC)
- Disabling Windows Defender
- Disabling Windows telemetry
- Enabling anti-shutdown measures
- Enabling anti-kill measures
- Unmounting virtual drives
- Terminating processes and services
- Disabling sleep mode and shutting down the system
- Removing hints
- Stopping System Restore
An attack begins when the victim receives an executable file, possibly via email. When launched, the file extracts four more files onto the target system (shown above): the primary payload, supplementary files, and tools used to disable Windows Defender.
After extracting the files, Mimic loads ‘Everything32.dll’ to take advantage of Everything’s search capabilities and locate specific file names and extensions on the compromised system. This lets the ransomware quickly identify files to encrypt while avoiding files that could render the system unusable if locked.
Finally, Mimic will append the .QUIETPLACE extension to encrypted files and display a ransom note. The ransom demand, which must be paid in Bitcoin, is calculated based on the number of encrypted files.
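As an added example (not code from the Trend Micro report or this article), the two host-level traits described above can be turned into a simple log check from the defender's side: Everything32.dll being loaded by a process other than Everything's own binary, and a burst of files renamed to the .QUIETPLACE extension. The log format, process names, paths and timestamps are constructed for illustration.

```python
"""Constructed detection for two Mimic traits: Everything32.dll loaded by a
non-Everything process, and a burst of renames to .QUIETPLACE."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <event> <process> <path>"
SAMPLE_LOG = r"""
2024-01-10T10:00:01 IMAGE_LOAD Everything.exe C:\Program Files\Everything\Everything32.dll
2024-01-10T10:05:00 IMAGE_LOAD svchost.exe C:\Windows\System32\wevtapi.dll
2024-01-10T10:07:12 IMAGE_LOAD update.exe C:\Users\Public\Everything32.dll
2024-01-10T10:07:13 FILE_RENAME update.exe C:\Users\a\Documents\q1.xlsx.QUIETPLACE
2024-01-10T10:07:15 FILE_RENAME update.exe C:\Users\a\Documents\q2.docx.QUIETPLACE
2024-01-10T10:07:18 FILE_RENAME update.exe C:\Users\a\Pictures\p1.jpg.QUIETPLACE
2024-01-10T10:07:20 FILE_RENAME update.exe C:\Users\a\Pictures\p2.jpg.QUIETPLACE
2024-01-10T10:07:25 FILE_RENAME update.exe C:\Users\a\Desktop\notes.txt.QUIETPLACE
2024-01-10T10:07:30 FILE_RENAME update.exe C:\Users\a\Desktop\todo.txt.QUIETPLACE
2024-01-10T11:30:00 FILE_RENAME explorer.exe C:\Users\a\Desktop\test.QUIETPLACE
"""


def parse(log_text):
    """Parse the constructed log into (timestamp, event, process, path) tuples."""
    events = []
    for line in log_text.strip().splitlines():
        ts, kind, proc, path = line.split(" ", 3)  # path may contain spaces
        events.append((datetime.fromisoformat(ts), kind, proc, path))
    return events


def suspicious_everything_loads(events, allowed=("everything.exe", "everything64.exe")):
    """Processes loading Everything32.dll that are not Everything's own binary."""
    return sorted({proc for _, kind, proc, path in events
                   if kind == "IMAGE_LOAD" and path.lower().endswith("everything32.dll")
                   and proc.lower() not in allowed})


def quietplace_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Processes renaming >= threshold files to .QUIETPLACE inside one window.
    Returns {process: max renames seen in any window}; a single manual rename
    (explorer.exe below) stays under the threshold."""
    renames = defaultdict(list)
    for ts, kind, proc, path in events:
        if kind == "FILE_RENAME" and path.upper().endswith(".QUIETPLACE"):
            renames[proc].append(ts)
    flagged = {}
    for proc, times in renames.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[proc] = best
    return flagged


EVENTS = parse(SAMPLE_LOG)
```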
To protect your computer from ransomware attacks, always be careful when opening unsolicited emails and attachments, and avoid visiting potentially harmful sites. Also make sure your security programs are always updated so they can properly detect and remove ransomware. Finally, make a habit of backing up your files to an external storage system such as a flash drive, hard drive, or the cloud. That way, even if ransomware encrypts your files, you can easily recover from backups.
Source: Trend Micro