New ransomware strain abuses the Everything file search engine on Windows
Security researchers at Trend Micro have disclosed a new ransomware strain that abuses the application programming interface (API) of Everything, a legitimate third-party file search tool for Windows, to drive the encryption of the victim's system.
Named Mimic, this ransomware strain primarily targets Russian- and English-speaking users. It has the following malicious capabilities:
- Collect system information
- Bypass User Account Control (UAC)
- Disable Windows Defender
- Disable Windows telemetry
- Activate anti-shutdown measures
- Unmount virtual drives
- Terminate processes and services
- Disable sleep mode and system shutdown
- Remove indicators of its activity
- Inhibit system recovery
An attack begins when the victim receives an executable file carrying the malicious code by email. When launched, it extracts four more files onto the target system, including the main payload, the Everything components the payload relies on, and a tool that disables Windows Defender.
Once those files are extracted, Mimic immediately uses Everything's search API through the bundled 'Everything32.dll' to look up specific file names and extensions on the compromised system. This lets the ransomware quickly identify the files worth encrypting while skipping files that would crash the system if locked. Note that Everything itself is legitimate software and is not exploited through any vulnerability; Mimic simply ships a copy and calls its API, so an Everything DLL appearing outside the tool's normal install directory, alongside an unknown executable, is the detail worth alerting on.
Finally, Mimic appends the .QUIETPLACE extension to the encrypted files and displays a ransom note to the victim. The malware demands payment in Bitcoin, with the amount calculated from the number of encrypted files.
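As an added example (not part of the original article or of Trend Micro's analysis), the following Python script sketches the triage check a responder would run over a host's file inventory: it flags files carrying the .QUIETPLACE extension mentioned above, and directories where an Everything search DLL sits outside the tool's normal install path next to an executable. The paths, directory names and executable names in the sample inventory are constructed, and the list of known Everything install directories is an assumption based on the tool's default installer locations.

```python
"""Triage helper for the two Mimic indicators discussed in the article.
Added example; not code from the article or from Trend Micro."""
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption: default install directories of the Everything search tool.
# Adjust to match where your environment legitimately deploys it.
KNOWN_EVERYTHING_DIRS = {
    r"c:\program files\everything",
    r"c:\program files (x86)\everything",
}
EVERYTHING_LIBS = {"everything32.dll", "everything64.dll"}
MIMIC_EXTENSION = ".quietplace"  # extension Mimic appends to encrypted files

# Constructed sample inventory (hypothetical paths and names, not real IOCs).
# In practice, feed this the output of `dir /s /b` or an EDR file inventory.
SAMPLE_INVENTORY = [
    r"C:\Users\alice\Documents\budget.xlsx.QUIETPLACE",
    r"C:\Users\alice\Documents\notes.txt.QUIETPLACE",
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Program Files\Everything\Everything.exe",
    r"C:\Program Files\Everything\Everything32.dll",
    r"C:\Users\alice\AppData\Local\Temp\stage\Everything32.dll",
    r"C:\Users\alice\AppData\Local\Temp\stage\update.exe",
    r"C:\Users\alice\Downloads\Everything32.dll",
    r"C:\Windows\System32\ntoskrnl.exe",
]


def _parent(path):
    """Lower-cased parent directory of a Windows path, for case-insensitive grouping."""
    return str(PureWindowsPath(path).parent).lower()


def find_encrypted_files(paths):
    """Group files whose last suffix is Mimic's extension by directory."""
    hits = defaultdict(list)
    for p in paths:
        if PureWindowsPath(p).suffix.lower() == MIMIC_EXTENSION:
            hits[_parent(p)].append(p)
    return dict(hits)


def find_dropped_everything(paths):
    """Return directories (sorted) that hold an Everything DLL outside its known
    install path *and* at least one .exe, i.e. the dropped-files layout described
    above. A lone DLL (e.g. a stray download) is deliberately not flagged."""
    by_dir = defaultdict(set)
    for p in paths:
        by_dir[_parent(p)].add(PureWindowsPath(p).name.lower())
    suspicious = [
        d for d, names in by_dir.items()
        if d not in KNOWN_EVERYTHING_DIRS
        and names & EVERYTHING_LIBS
        and any(n.endswith(".exe") for n in names)
    ]
    return sorted(suspicious)


def triage(paths):
    """Combine both checks into one report dict."""
    return {
        "encrypted_dirs": find_encrypted_files(paths),
        "dropped_everything_dirs": find_dropped_everything(paths),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY)
    for d, files in report["encrypted_dirs"].items():
        print(f"[encrypted] {d}: {len(files)} file(s) with {MIMIC_EXTENSION}")
    for d in report["dropped_everything_dirs"]:
        print(f"[dropped?]  Everything DLL + executable outside install dir: {d}")
```

Both checks are cheap heuristics for initial triage, not a full signature: the extension check tells you which directories have already been hit, and the DLL check narrows down where the dropped files landed so the executable next to them can be pulled for analysis.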
To protect a computer from ransomware in general and Mimic in particular, be cautious with unsolicited emails and attachments, and limit access to potentially malicious websites. Keep security software up to date so it can properly detect and remove ransomware. Finally, back up important files regularly to external storage such as flash drives, external hard drives, or the cloud, and keep those backups disconnected or otherwise inaccessible from the machine when not in use: ransomware that can reach a mounted backup drive will encrypt it too, and since Mimic actively inhibits system recovery, a backup it cannot touch is what lets you restore your data.