Ransomware Uses Scan Tool to Lock Files in Windows

A free file search tool for Windows has become an ally of ransomware, making it easier for the malware to find the files it will encrypt. Mimic, which targets both English- and Russian-speaking users, uses the Everything app to locate data to hold hostage, while making sure that basic components of the operating system are not damaged in the process.

Everything, freeware developed by Voidtools, has existed for years and is regarded as an alternative to Windows' built-in search, returning results quickly while consuming few resources. That is probably what led to its being bundled into the Mimic ransomware, which is delivered along with infections arriving by email in what are probably phishing campaigns dating back to 2022.

According to cybersecurity firm Trend Micro, Everything's capabilities are not the only ones the gang has borrowed. Mimic's code bears many similarities to Conti, another notorious ransomware whose source code was leaked in March 2022; the theory is that Mimic's developers built their own malware on top of that code, although the people responsible and their affiliation have not been identified.

When run on a PC, Mimic disables security tools and begins scanning for files. It makes no effort to hide what is happening, going so far as to use every processor core to speed up discovering and encrypting data. The malware also applies protections that make it hard to stop once it is running, and it can terminate other running software and collect system information for use in the attack.
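As an added example that is not part of the original article or of Trend Micro's report, the following Python script shows one way a defender could look for the behaviour described above: a process other than Everything itself loading Everything's search library, or loading it from a user-writable directory. It assumes Sysmon-style ImageLoad (Event ID 7) records in JSON form, the module names Everything32.dll and Everything64.dll (Everything's SDK library; the article only says Mimic "uses the Everything app"), and constructed log lines rather than real telemetry.

```python
import json

# Assumed module names for Everything's search library (assumption: the article only
# says Mimic "uses the Everything app"; these are the names of Everything's SDK DLLs).
EVERYTHING_DLLS = {"everything32.dll", "everything64.dll"}
# Executables expected to host that library; anything else loading it is worth a look.
EXPECTED_HOSTS = {"everything.exe"}
# Directories the library normally lives in; a copy under a user temp dir is a second signal.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Constructed Sysmon-style records (Event ID 7 = ImageLoad, 1 = ProcessCreate),
# one JSON object per line. Illustrative only, not real telemetry.
SAMPLE_LOG = r"""
{"EventID": 7, "ProcessId": 4120, "Image": "C:\\Program Files\\Everything\\Everything.exe", "ImageLoaded": "C:\\Program Files\\Everything\\Everything64.dll"}
{"EventID": 7, "ProcessId": 5812, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\Everything64.dll"}
{"EventID": 7, "ProcessId": 5812, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"}
{"EventID": 1, "ProcessId": 5812, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe", "CommandLine": "invoice.exe"}
"""


def basename(win_path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return win_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def load_events(log_text: str):
    """Yield one dict per non-blank JSON line."""
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def classify_load(event: dict) -> list:
    """Return the reasons an ImageLoad event looks suspicious; empty list if benign."""
    if event.get("EventID") != 7:
        return []  # only image-load events carry the signal we care about
    loaded = event.get("ImageLoaded", "")
    if basename(loaded) not in EVERYTHING_DLLS:
        return []
    reasons = []
    if basename(event.get("Image", "")) not in EXPECTED_HOSTS:
        reasons.append("Everything library loaded by a process other than Everything.exe")
    if not loaded.lower().startswith(TRUSTED_DIRS):
        reasons.append("Everything library loaded from outside Program Files")
    return reasons


def find_suspicious_loads(log_text: str) -> list:
    """Scan a log and return one hit per suspicious Everything-library load."""
    hits = []
    for ev in load_events(log_text):
        reasons = classify_load(ev)
        if reasons:
            hits.append({
                "pid": ev.get("ProcessId"),
                "image": ev.get("Image"),
                "module": ev.get("ImageLoaded"),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_loads(SAMPLE_LOG):
        print(f"PID {hit['pid']} {hit['image']} -> {hit['module']}: "
              f"{'; '.join(hit['reasons'])}")
```

On the constructed sample the legitimate Everything.exe load passes, while the unknown executable in a Temp directory loading its own copy of the library is flagged on both counts. In a real deployment the same logic would run as a query against your SIEM's Sysmon events rather than over an embedded string, and the host and directory allow-lists would be tuned to where Everything is actually installed in your environment.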

Once encryption finishes, Windows keeps working and the PC can be restarted, but with all of its data locked. The ransom note also tells victims they can keep using the machine in a limited way, to download tools such as ICQ or Skype to contact the criminals, send files for test decryption and negotiate a payment in cryptocurrency.

According to Trend Micro, Mimic has not yet seen extensive recorded activity, but the way it operates points to a gang that knows what it is doing. The recommendation is therefore to watch the usual infection vectors: fraudulent emails or direct messages purporting to come from business partners or customers or carrying offers, as well as pirated software or downloads from anywhere other than the developers' official sites.

Source: Trend Micro