January 30, 2023
Severity
High
Analysis Summary
Mimic ransomware is a newly identified strain that abuses the “Everything” Application Programming Interface (API) to locate the files it encrypts.
Researchers first observed the malware in June 2022; it appears to target mostly English- and Russian-speaking users. Parts of Mimic's code resemble the Conti ransomware, whose source was leaked by a Ukrainian researcher in March 2022.
Mimic is delivered as an executable that drops several binaries together with a password-protected archive containing the ransomware payload. The dropped files also include tools for disabling Windows Defender and legitimate sdelete binaries.
Mimic accepts command-line arguments that let its operators target specific files and folders, so it can selectively encrypt certain file types, which makes recovery harder for victims. It also encrypts using multiple processor threads, which lets it encrypt a large number of files in a short time on the targeted computer.
Mimic ransomware is capable of a wide range of things, including the following:
- Collecting system information
- Creating persistence via the RUN key
- Bypassing User Account Control (UAC)
- Disabling Windows Defender
- Disabling Windows telemetry
- Activating anti-shutdown measures
- Activating anti-kill measures
- Unmounting virtual drives
- Terminating processes and services
- Disabling sleep mode and shutdown of the system
- Removing indicators
- Inhibiting system recovery
“Everything” is a popular filename search engine for Windows developed by Voidtools. It is known for its speed, efficiency, and minimal system resource usage. The utility lets users quickly locate files and folders on their computer by searching for their names or parts of their names. It has a simple interface and can be configured to update in real time, so search results automatically reflect files that are added or modified. This makes it a useful tool for quickly locating files on a computer, but it also makes it attractive to malware such as Mimic, which abuses the same capability to quickly enumerate the files it will encrypt.
Mimic ransomware is known to use the “Everything32.dll” file, which is dropped onto the compromised system during the infection stage. This file is a component of the “Everything” search engine and contains the search capabilities that the ransomware uses to query for specific file names and extensions on the compromised system.
Everything helps Mimic locate files that are suitable for encryption while avoiding system files that, if encrypted, would leave the system unbootable.
[Figure: Overview of the function (utilizing Everything API)]
Files encrypted by Mimic receive the “.QUIETPLACE” extension. A ransom note is also dropped, informing the user of the attacker's demands and stating that the data can be restored after paying a Bitcoin ransom.
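The three behaviours described above (Everything32.dll dropped outside its install directory, a burst of .QUIETPLACE files, and Run-key persistence) can be correlated per process in endpoint telemetry. The following is an added detection example, not code from the alert or from Rewterz; the event shape, the default Everything install paths and the burst threshold are assumptions, and the sample events are constructed.

```python
import ntpath
import re
from collections import defaultdict

# Assumption: Everything lives in its default install directory; a copy of
# Everything32.dll written anywhere else is treated as suspicious.
LEGIT_EVERYTHING_DIRS = (r"c:\program files\everything", r"c:\program files (x86)\everything")
RUN_KEY_RE = re.compile(r"\\currentversion\\run\\", re.I)
QUIETPLACE_BURST = 5  # .QUIETPLACE files one process must write before it is flagged

# Constructed sample telemetry (not real data), shaped like Sysmon FileCreate / RegistryEvent.
MALICIOUS = r"C:\Users\alice\AppData\Local\Temp\7zS1\updater.exe"
SAMPLE_EVENTS = [
    {"type": "FileCreate", "pid": 880, "image": r"C:\Program Files\Everything\Everything.exe",
     "target": r"C:\Program Files\Everything\Everything32.dll"},              # legitimate install
    {"type": "FileCreate", "pid": 4120, "image": MALICIOUS,
     "target": r"C:\Users\alice\AppData\Local\Temp\7zS1\Everything32.dll"},  # dropped to Temp
    {"type": "RegistrySet", "pid": 4120, "image": MALICIOUS,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
    {"type": "FileCreate", "pid": 2200, "image": r"C:\Windows\System32\notepad.exe",
     "target": r"C:\Users\alice\Documents\notes.txt"},                        # benign activity
] + [{"type": "FileCreate", "pid": 4120, "image": MALICIOUS,
      "target": rf"C:\Users\alice\Documents\report{i}.docx.QUIETPLACE"} for i in range(6)]


def score_events(events):
    """Group events by pid and return only the processes that show Mimic-like behaviour."""
    per_pid = defaultdict(lambda: {"image": "", "findings": [], "quietplace_files": 0})
    for ev in events:
        rec = per_pid[ev["pid"]]
        rec["image"] = ev["image"]
        target = ev["target"]
        if ev["type"] == "FileCreate":
            if (ntpath.basename(target).lower() == "everything32.dll"
                    and ntpath.dirname(target).lower() not in LEGIT_EVERYTHING_DIRS):
                rec["findings"].append("Everything32.dll written outside install dir: " + target)
            elif target.lower().endswith(".quietplace"):
                rec["quietplace_files"] += 1
        elif ev["type"] == "RegistrySet" and RUN_KEY_RE.search(target):
            rec["findings"].append("Run-key persistence value: " + target)
    for rec in per_pid.values():  # burst check runs once all events for the process are counted
        if rec["quietplace_files"] >= QUIETPLACE_BURST:
            rec["findings"].append(f"{rec['quietplace_files']} files written with the .QUIETPLACE extension")
    return {pid: rec for pid, rec in per_pid.items() if rec["findings"]}


if __name__ == "__main__":
    for pid, rec in score_events(SAMPLE_EVENTS).items():
        print(pid, rec["image"])
        for finding in rec["findings"]:
            print("  -", finding)
```

Only pid 4120 is reported, with all three findings; the legitimate Everything install and the notepad activity produce nothing.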
[Figure: Ransom note]
Mimic is a new strain, and the extent of its activity in the wild has yet to be confirmed. However, its use of the leaked Conti builder and of the Everything API suggests that its authors are competent software developers with a clear understanding of how to achieve their goals.
The use of the Everything API, a popular search tool for Windows, shows that the attackers understand how the tool works and how to leverage its capabilities to locate and encrypt files on a compromised system. This highlights the need for users to stay vigilant and take preventive measures to protect their systems from such attacks.
Impact
- File and Data Encryption
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment using your respective security controls.
- Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Along with network and system hardening, implement code hardening within the organization so that its websites and software are secure. Use testing tools to detect vulnerabilities in deployed code.
- Enable antivirus and anti-malware software and update signature definitions in a timely manner. Multi-layered protection is necessary to secure vulnerable assets.
- Maintain daily backups of all computer networks and servers.
- Enforce access management policies.
- Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Implement a multilayered strategy as it could assist organizations in protecting potential entry points into the system (endpoint, email, web, and network).