Cybersecurity researchers have uncovered a new ransomware strain named Mimic. Mimic abuses the API of Everything, a legitimate file search tool for Windows, to locate the files it will encrypt.

Some of the code in Mimic is similar to that found in Conti, whose source code was leaked to a Ukrainian researcher in March 2022.

Mimic is a capable piece of malware: it deletes shadow copies, terminates a range of applications and services, and locates the files it will encrypt through functions exported by Everything32[.]dll.

Mimic Ransomware Components

A Mimic attack begins with the victim receiving and running an executable. On the target system this dropper extracts four files (listed in the next section); the password-protected archive among them holds the malicious content:

  • the main payload;
  • ancillary files;
  • tools for disabling Windows Defender.

Mimic is a flexible strain: it encrypts with multiple threads to finish faster, and it accepts command-line arguments that let the operator target specific files.

Below are the components that Mimic uses:

  • 7za[.]exe: legitimate 7-Zip command-line executable, used to extract the payload archive;
  • Everything[.]exe: legitimate Everything application;
  • Everything32[.]dll: legitimate Everything library, whose search API the ransomware calls;
  • Everything64[.]dll: not a library at all, but a password-protected archive containing the malicious payloads.

What Is Mimic Capable of?

The new ransomware family has several capabilities seen in other modern strains:

  • Collecting system information;
  • Creating persistence via the Run registry key;
  • Bypassing User Account Control (UAC);
  • Disabling Windows Defender;
  • Disabling Windows telemetry;
  • Activating anti-shutdown measures;
  • Activating anti-kill measures;
  • Unmounting virtual drives;
  • Terminating processes and services;
  • Disabling sleep mode and system shutdown;
  • Removing indicators;
  • Inhibiting system recovery.

Mimic terminates processes and services both to reach the data they hold open and to strip away security controls.

Using the Everything32[.]dll dropped during the initial infection, Mimic searches the infected system for specific file names and types.

The Everything API lets Mimic pick files suitable for encryption without touching the system files whose encryption would leave the machine unbootable: its search filters every file on the system, selecting those it can encrypt and skipping the ones whose loss would make the system fail.

The Mimic ransomware configuration is shown in the figure below:

[Figure: Mimic ransomware configuration]

The file extension of encrypted files is “.QUIETPLACE”. 
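
A first triage check a responder can run against a suspected staging folder, written here as an added example (not code from the article or from the researchers who analysed Mimic): it looks for the four dropped components side by side, confirms that a file named Everything64.dll is really a 7-Zip archive rather than a PE image (a genuine DLL starts with the `MZ` header, a 7z archive with the bytes `37 7A BC AF 27 1C`), and lists files carrying the .QUIETPLACE extension. Both the directory layout and the sample file headers are constructed for the demonstration; the helper names (`classify_header`, `analyze_entries`, `analyze_dir`) are my own, not anything from Mimic or from Everything.

```python
"""Triage helper for the Mimic dropper layout described in the article.

Added example, not code from the article or from the researchers who
analysed Mimic. It checks two things the article states:
  1. the four dropped components sit side by side, and the file named
     Everything64.dll is a 7-Zip archive, not a DLL (a PE image);
  2. files carrying the ".QUIETPLACE" extension are present.
The sample directory contents below are constructed for the demo.
"""
import os
from dataclasses import dataclass, field

# The four files the dropper writes, per the article (compared case-insensitively).
MIMIC_COMPONENTS = {"7za.exe", "everything.exe", "everything32.dll", "everything64.dll"}
ENCRYPTED_EXT = ".quietplace"

PE_MAGIC = b"MZ"                                  # DOS header of every PE image
SEVENZIP_MAGIC = bytes.fromhex("377ABCAF271C")    # 7z archive signature


def classify_header(head: bytes) -> str:
    """Classify a file by its leading bytes: 'pe', '7z' or 'other'."""
    if head.startswith(PE_MAGIC):
        return "pe"
    if head.startswith(SEVENZIP_MAGIC):
        return "7z"
    return "other"


@dataclass
class Findings:
    components_present: set = field(default_factory=set)
    masquerading_archives: list = field(default_factory=list)  # *.dll that are really 7z
    quietplace_files: list = field(default_factory=list)

    @property
    def full_component_set(self) -> bool:
        return self.components_present == MIMIC_COMPONENTS

    @property
    def suspicious(self) -> bool:
        return bool(self.masquerading_archives or self.quietplace_files
                    or self.full_component_set)


def analyze_entries(entries: dict) -> Findings:
    """entries maps a relative path to the first bytes of that file."""
    f = Findings()
    for path, head in entries.items():
        name = os.path.basename(path).lower()
        if name in MIMIC_COMPONENTS:
            f.components_present.add(name)
        if name.endswith(".dll") and classify_header(head) == "7z":
            f.masquerading_archives.append(path)
        if name.endswith(ENCRYPTED_EXT):
            f.quietplace_files.append(path)
    return f


def analyze_dir(root: str, head_len: int = 8) -> Findings:
    """Walk a real directory tree, reading only the first bytes of each file."""
    entries = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            try:
                with open(full, "rb") as fh:
                    entries[os.path.relpath(full, root)] = fh.read(head_len)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
    return analyze_entries(entries)


# Constructed sample: a staging folder laid out like the article's component
# list, plus one already-encrypted document. Values are magic bytes only.
SAMPLE_ENTRIES = {
    "stage/7za.exe": PE_MAGIC + b"\x90\x00",
    "stage/Everything.exe": PE_MAGIC + b"\x90\x00",
    "stage/Everything32.dll": PE_MAGIC + b"\x90\x00",
    "stage/Everything64.dll": SEVENZIP_MAGIC + b"\x00\x04",  # archive, not a DLL
    "docs/report.docx.QUIETPLACE": b"\x8a\x1f\x00\x00",
}

# Constructed benign sample: a normal Everything SDK folder, where every DLL is a PE.
BENIGN_ENTRIES = {
    "Program Files/Everything/Everything.exe": PE_MAGIC + b"\x90\x00",
    "Program Files/Everything/Everything32.dll": PE_MAGIC + b"\x90\x00",
    "Program Files/Everything/Everything64.dll": PE_MAGIC + b"\x90\x00",
}

if __name__ == "__main__":
    r = analyze_entries(SAMPLE_ENTRIES)
    print("full component set:", r.full_component_set)
    print("dll-named archives:", r.masquerading_archives)
    print("QUIETPLACE files:  ", r.quietplace_files)
```

On a live host, point `analyze_dir()` at the suspect folder; it reads only the first eight bytes of each file, so it is cheap to run over large trees. A complete component set, or any .dll-named file with a 7z header, is a strong indicator of the dropper; .QUIETPLACE files mean encryption has already begun.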

As part of the ransom note, the perpetrator demands Bitcoin payment for the safe return of the locked data, along with instructions on how to proceed.


Although Mimic is a new variant whose behaviour has yet to be analysed in depth, its use of the Conti builder and the Everything API shows that its authors have solid software development skills and a clear idea of what they want to achieve.

How Can Heimdal Help?

To combat ransomware, you can use Heimdal's integrated cybersecurity suite, whose Ransomware Encryption Protection module is compatible with any antivirus solution and entirely signature-free, detecting and remediating ransomware whether fileless or file-based (including recent families such as LockFile).



