Detection of a new ransomware strain targeting the Windows search engine
Security researchers at Trend Micro have announced a new strain of ransomware that abuses the application programming interface (API) of a third-party Windows search tool called Everything to locate and encrypt files on the target system.
Named Mimic, this ransomware strain primarily targets Russian- and English-speaking users. It has the following malicious capabilities:
- Collect system information
- Bypass User Account Control (UAC)
- Disable Windows Defender
- Disable Windows telemetry
- Enable anti-shutdown measures
- Remove the virtual drive
- Terminate processes and services
- Disable sleep mode and system shutdown
- Remove indexes
- Prevent system recovery
The attack begins when the victim receives an executable file containing malicious code via email. When launched, the executable drops four more files on the target system (shown above), including the main payload, supporting files, and a tool to disable Windows Defender.
Once the malicious files are extracted, Mimic immediately abuses Everything's search capabilities through the 'Everything32.dll' file to find specific file names and extensions on the compromised system. This lets the ransomware identify files that can be encrypted while avoiding files that could crash the system if locked. This is one of the more sophisticated mechanisms of this ransomware strain.
Finally, Mimic appends the .QUIETPLACE extension to the encrypted files and displays a ransom note to the victim. The malware demands a ransom paid in Bitcoin, calculated from the number of encrypted files.
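The two observable traits above (Everything32.dll loaded by an unexpected process, and a burst of renames to .QUIETPLACE) can be turned into simple hunting logic. The following is an added example, not code from the article or from Trend Micro; the event layout, the paths and the process name "invoice.exe" are constructed, and treating Everything.exe as the only legitimate host of the DLL is an assumption.

```python
"""Hunting logic for two Mimic indicators described in the article:
  1. Everything32.dll loaded by a process that is not the Everything search tool
  2. a burst of files renamed to the .QUIETPLACE extension by one process
Runs offline over constructed events; adapt the field names to your EDR export."""
from collections import Counter

# Constructed sample events (not real telemetry). Paths and the process name
# "invoice.exe" are made up for the example.
SAMPLE_EVENTS = [
    {"type": "image_load", "process": r"C:\Program Files\Everything\Everything.exe",
     "module": r"C:\Program Files\Everything\Everything32.dll"},
    {"type": "image_load", "process": r"C:\Users\bob\Downloads\invoice.exe",
     "module": r"C:\Users\bob\AppData\Local\Temp\Everything32.dll"},
    {"type": "file_rename", "process": r"C:\Users\bob\Downloads\invoice.exe",
     "target": r"C:\Users\bob\Documents\budget.xlsx.QUIETPLACE"},
    {"type": "file_rename", "process": r"C:\Users\bob\Downloads\invoice.exe",
     "target": r"C:\Users\bob\Documents\notes.docx.QUIETPLACE"},
    {"type": "file_rename", "process": r"C:\Users\bob\Downloads\invoice.exe",
     "target": r"C:\Users\bob\Pictures\holiday.jpg.QUIETPLACE"},
    {"type": "file_rename", "process": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\bob\Documents\draft-v2.docx"},
]

# Assumption: the only legitimate host for Everything32.dll is Everything's own
# executable; extend this set if other licensed users of the SDK exist in your estate.
EXPECTED_HOSTS = {"everything.exe"}


def basename(path):
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspicious_dll_loads(events):
    """Processes other than the expected host that loaded Everything32.dll."""
    return [e["process"] for e in events
            if e["type"] == "image_load"
            and basename(e["module"]) == "everything32.dll"
            and basename(e["process"]) not in EXPECTED_HOSTS]


def find_encryption_bursts(events, threshold=3):
    """Processes that renamed at least `threshold` files to .QUIETPLACE."""
    counts = Counter(e["process"] for e in events
                     if e["type"] == "file_rename"
                     and e["target"].lower().endswith(".quietplace"))
    return {proc: n for proc, n in counts.items() if n >= threshold}
```

Running `find_suspicious_dll_loads(SAMPLE_EVENTS)` and `find_encryption_bursts(SAMPLE_EVENTS)` on the sample flags only the constructed `invoice.exe` process, while Everything's own load of the DLL and the ordinary rename by explorer.exe are ignored.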
To protect your computer from ransomware attacks in general and Mimic in particular, always exercise caution when opening unsolicited emails and attachments, and limit access to potentially malicious websites. Also, keep your security programs up to date so they can properly detect and remove ransomware. Finally, make it a habit to back up important files to external storage such as flash drives, hard drives, or the cloud. This way, even if ransomware encrypts your data, you can still restore everything you need from the backup.