New Mimic Ransomware Abuses Everything APIs to Speed Encryption

According to Trend Micro, the Mimic ransomware bundles several capabilities and speeds up encryption by combining multithreading with abuse of the Everything search engine's APIs.

Context

On January 26, 2023, Trend Micro researchers published the technical details of a new ransomware family, dubbed “Mimic,” that they first observed in June 2022 targeting English- and Russian-speaking users.

Technical Details

According to Trend Micro researchers, the campaign delivers an executable that drops several binaries together with an archive containing the ransomware payload.

Reportedly, Mimic's key distinguishing feature is its use of the Everything APIs to speed up the encryption process. Everything is a Windows file-name search engine known for quick real-time index updates and minimal resource usage; querying it lets the ransomware enumerate target files far faster than walking the file system itself. Additional capabilities include:

Mitigation Options

Trend Micro researchers provided the following recommendations for defending against Mimic:

“To protect systems from ransomware attacks, we recommend that both individual users and organizations implement best practices such as applying data protection, backup, and recovery measures to secure data from possible encryption or erasure. Conducting regular vulnerability assessments and patching systems in a timely manner can also minimize the damage dealt by ransomware that abuses exploits.”

IOCs

Trend Micro researchers provided the following indicators of compromise (IOCs):

Indicator                                                         Type    Notes (Version)
08f8ae7f25949a742c7896cb76e37fb88c6a7a32398693ec6c2b3d9b488114be  SHA256  1.1
9c16211296f88e12538792124b62eb00830d0961e9ab24b825edb61bda8f564f  SHA256  1.13
e67d3682910cf1e7ece356860179ada8e847637a86c1e5f6898c48c956f04590  SHA256  1.14
c634378691a675acbf57e611b220e676eb19aa190f617c41a56f43ac48ae14c7  SHA256  3
c71ce482cf50d59c92cfb1eae560711d47600541b2835182d6e46e0de302ca6c  SHA256  3
7ae4c5caf6cda7fa8862f64a74bd7f821b50d855d6403bde7bcbd7398b2c7d99  SHA256  3.3
a1eeeeae0eb365ff9a00717846c4806785d55ed20f3f5cbf71cf6710d7913c51  SHA256  3.3
b0c75e92e1fe98715f90b29475de998d0c8c50ca80ce1c141fc09d10a7b8e7ee  SHA256  3.3
1dea642abe3e27fd91c3db4e0293fb1f7510e14aed73e4ea36bf7299fd8e6506  SHA256  3.4
4a6f8bf2b989fa60daa6c720b2d388651dd8e4c60d0be04aaed4de0c3c064c8f  SHA256  3.4
b68f469ed8d9deea15af325efc1a56ca8cb5c2b42f2423837a51160456ce0db5  SHA256  3.4
bb28adc32ff1b9dcfaac6b7017b4896d2807b48080f9e6720afde3f89d69676c  SHA256  3.4
bf6fa9b06115a8a4ff3982427ddc12215bd1a3d759ac84895b5fb66eaa568bff  SHA256  3.4
ed6cf30ee11b169a65c2a27c4178c5a07ff3515daa339033bf83041faa6f49c1  SHA256  3.4
480fb2f6bcb1f394dc171ecbce88b9fa64df1491ec65859ee108f2e787b26e03  SHA256  3.7
30f2fe10229863c57d9aab97ec8b7a157ad3ff9ab0b2110bbb4859694b56923f  SHA256  3.9
2e96b55980a827011a7e0784ab95dcee53958a1bb19f5397080a434041bbeeea  SHA256  4
136d05b5132adafc4c7616cd6902700de59f3f326c6931eb6b2f3b1f458c7457  SHA256  4.2
c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e  SHA256
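As a defender's worked example (added here; not code from Trend Micro or from this post), the following Python script hashes every file under a directory and reports any whose SHA256 matches the Mimic indicators listed above. The hash values and version notes come from the table; the directory path, the chunked-hashing helper, and the test files are assumptions made for the example.

```python
import hashlib
from pathlib import Path

# Mimic SHA256 indicators as published by Trend Micro (copied from the IOC
# table above); the value is the sample version noted in the table, or
# "unknown" where the table gives none.
MIMIC_IOCS = {
    "08f8ae7f25949a742c7896cb76e37fb88c6a7a32398693ec6c2b3d9b488114be": "1.1",
    "9c16211296f88e12538792124b62eb00830d0961e9ab24b825edb61bda8f564f": "1.13",
    "e67d3682910cf1e7ece356860179ada8e847637a86c1e5f6898c48c956f04590": "1.14",
    "c634378691a675acbf57e611b220e676eb19aa190f617c41a56f43ac48ae14c7": "3",
    "c71ce482cf50d59c92cfb1eae560711d47600541b2835182d6e46e0de302ca6c": "3",
    "7ae4c5caf6cda7fa8862f64a74bd7f821b50d855d6403bde7bcbd7398b2c7d99": "3.3",
    "a1eeeeae0eb365ff9a00717846c4806785d55ed20f3f5cbf71cf6710d7913c51": "3.3",
    "b0c75e92e1fe98715f90b29475de998d0c8c50ca80ce1c141fc09d10a7b8e7ee": "3.3",
    "1dea642abe3e27fd91c3db4e0293fb1f7510e14aed73e4ea36bf7299fd8e6506": "3.4",
    "4a6f8bf2b989fa60daa6c720b2d388651dd8e4c60d0be04aaed4de0c3c064c8f": "3.4",
    "b68f469ed8d9deea15af325efc1a56ca8cb5c2b42f2423837a51160456ce0db5": "3.4",
    "bb28adc32ff1b9dcfaac6b7017b4896d2807b48080f9e6720afde3f89d69676c": "3.4",
    "bf6fa9b06115a8a4ff3982427ddc12215bd1a3d759ac84895b5fb66eaa568bff": "3.4",
    "ed6cf30ee11b169a65c2a27c4178c5a07ff3515daa339033bf83041faa6f49c1": "3.4",
    "480fb2f6bcb1f394dc171ecbce88b9fa64df1491ec65859ee108f2e787b26e03": "3.7",
    "30f2fe10229863c57d9aab97ec8b7a157ad3ff9ab0b2110bbb4859694b56923f": "3.9",
    "2e96b55980a827011a7e0784ab95dcee53958a1bb19f5397080a434041bbeeea": "4",
    "136d05b5132adafc4c7616cd6902700de59f3f326c6931eb6b2f3b1f458c7457": "4.2",
    "c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e": "unknown",
}


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large files never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, iocs=MIMIC_IOCS):
    """Walk `root` recursively and return (path, sha256, note) for every
    regular file whose digest is in `iocs`.

    Indicator keys are lower-cased so mixed-case feeds still match, symlinks
    are skipped so a link loop cannot stall the sweep, and unreadable files
    are skipped so one permission error does not abort the whole scan.
    """
    wanted = {k.lower(): v for k, v in iocs.items()}
    matches = []
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            digest = sha256_of_file(path)
        except OSError:
            continue  # locked, vanished, or permission-denied: move on
        if digest in wanted:
            matches.append((str(path), digest, wanted[digest]))
    return matches


if __name__ == "__main__":
    import sys

    # Assumed usage: python mimic_ioc_scan.py <directory>; defaults to cwd.
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest, note in scan_tree(target):
        print(f"MATCH {path} {digest} (Mimic {note})")
```

Hash matching only catches the exact samples in the feed; a recompiled or repacked build will not match, so treat a hit as confirmation rather than relying on a miss as a clean bill of health.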
