Cybersecurity firm Trend Micro has published details of a new ransomware family that abuses the “Everything” Windows file search tool and targets English- and Russian-speaking Windows users.
The malware was first observed in June 2022 and was “deleting shadow copies, shutting down multiple applications and services, and abusing Everything32.dll to query target files to be encrypted.”
The researchers also found that some of the ransomware’s code is shared with the notorious Conti ransomware, whose source code was leaked in early 2022 after a number of high-profile attacks.
Mimic everything in Windows
Trend Micro has given the ransomware the name “Mimic”, which it claims is based on a string found in the binaries.
The researchers note that Mimic arrives on the victim’s computer as an executable (the initial delivery vector, whether email, download or otherwise, has not been confirmed), which “drops multiple binaries and a password-protected archive (disguised as Everything64.dll)”.
Most of the dropped files are legitimate; one file, however, carries the malicious payloads.
Trend Micro says that running multiple threads, combined with abusing Everything’s search APIs to enumerate candidate files (querying Everything’s index is far cheaper than walking the file system), lets the ransomware run with minimal resource consumption, which makes encryption faster and the attack more efficient.
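Two of the behaviours described above, an unexpected process loading Everything’s search DLL and the deletion of shadow copies, are observable in endpoint telemetry. The following detector is an added example written for this article, not Trend Micro’s code or a published Mimic signature. It runs over constructed Sysmon-style events (Event ID 7 image loads and Event ID 1 process creations); the process names, GUIDs and paths are invented, and the assumption that shadow copies are removed via `vssadmin` or `wmic` is a common ransomware pattern, not something the article states about Mimic.

```python
"""Toy detector for two Mimic-style behaviours: a non-allowlisted process
loading Everything32.dll/Everything64.dll, and shadow-copy deletion.
Constructed example; the events below are not real telemetry."""
import re

# The Everything SDK DLLs the article names.
EVERYTHING_DLLS = {"everything32.dll", "everything64.dll"}
# Processes expected to load the SDK DLL (assumption: tune to your estate).
ALLOWED_SDK_LOADERS = {"everything.exe", "everything64.exe"}

# Assumption: shadow copies are deleted with vssadmin or wmic; the article
# only says Mimic deletes them, not how.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
]

# Constructed Sysmon-style events (names, paths and GUIDs are invented).
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessGuid": "{A}",
     "Image": r"C:\Program Files\Everything\Everything.exe",
     "ImageLoaded": r"C:\Program Files\Everything\Everything32.dll"},
    {"EventID": 7, "ProcessGuid": "{B}",
     "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\Everything32.dll"},
    {"EventID": 1, "ProcessGuid": "{D}", "ParentProcessGuid": "{B}",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "ProcessGuid": "{E}", "ParentProcessGuid": "{C}",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
]


def basename(path):
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a list of (severity, reason, image) findings.

    Two passes so that correlation does not depend on event order: first
    collect processes that loaded the Everything DLL, then look at shadow-copy
    deletions and raise severity when the parent is one of those processes.
    """
    findings = []
    dll_loaders = {}  # ProcessGuid -> image path of the unexpected loader

    for ev in events:
        if ev["EventID"] != 7:
            continue
        if (basename(ev["ImageLoaded"]) in EVERYTHING_DLLS
                and basename(ev["Image"]) not in ALLOWED_SDK_LOADERS):
            dll_loaders[ev["ProcessGuid"]] = ev["Image"]
            findings.append(("medium",
                             "unexpected process loaded Everything search DLL",
                             ev["Image"]))

    for ev in events:
        if ev["EventID"] != 1:
            continue
        if not any(p.search(ev["CommandLine"]) for p in SHADOW_DELETE_PATTERNS):
            continue
        parent = ev.get("ParentProcessGuid")
        if parent in dll_loaders:
            findings.append(("high",
                             "shadow-copy deletion spawned by Everything DLL loader",
                             dll_loaders[parent]))
        else:
            findings.append(("medium", "shadow-copy deletion", ev["Image"]))

    return findings


if __name__ == "__main__":
    for severity, reason, image in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}: {image}")
```

On the constructed events the legitimate Everything.exe load is ignored, the Temp-directory loader is flagged at medium, and the `vssadmin` child of that loader upgrades the finding to high. In a real deployment the allowlist would also need to cover any in-house tools that legitimately use the Everything SDK, and the command-line patterns should be extended to whatever shadow-copy removal methods your threat intelligence confirms.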
As for defence, Trend Micro recommends the usual multi-layered approach: data protection, backup and recovery measures (kept out of reach of the kind of shadow-copy deletion Mimic performs), regular vulnerability assessments, and patching systems as soon as security updates become available.
Endpoint protection software for personal and business computers adds a further layer by detecting and containing an attack that gets past those controls.