Mimic arrives as an executable that drops multiple binaries and a password-protected archive (disguised as Everything64.dll) which, when extracted, contains the ransomware payload. It also includes tools used to turn off Windows Defender, along with legitimate sdel binaries.
It encrypts all data files, as well as registry keys and several other system files, to make recovery more difficult.
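As an added example (not code from the original post or from any vendor it cites), a small Python check that flags files carrying a DLL or EXE extension whose leading bytes are actually an archive header, the kind of mismatch that the archive disguised as Everything64.dll would show. The sample file contents and paths are constructed, and the signature table is an assumption for this example.

```python
import struct

# Well-known file-format headers (lookup table constructed for this example).
SIGNATURES = [
    (b"MZ", "pe"),                       # Windows PE executable / DLL
    (b"7z\xbc\xaf\x27\x1c", "7z"),       # 7-Zip archive
    (b"PK\x03\x04", "zip"),              # ZIP local file header
    (b"Rar!\x1a\x07", "rar"),            # RAR archive
]
ARCHIVES = {"7z", "zip", "rar"}
EXECUTABLE_EXTS = {"dll", "exe", "sys"}


def classify(data: bytes) -> str:
    """Identify the real format of a file from its leading bytes."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def zip_is_encrypted(data: bytes) -> bool:
    """Bit 0 of the general-purpose flag (offset 6) in a ZIP local header marks encryption."""
    if len(data) < 8:
        return False
    flags = struct.unpack_from("<H", data, 6)[0]
    return bool(flags & 0x0001)


def check_file(name: str, data: bytes) -> dict:
    """Compare a file's extension with its actual content and flag mismatches."""
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    kind = classify(data)
    disguised = ext in EXECUTABLE_EXTS and kind in ARCHIVES
    encrypted = kind == "zip" and zip_is_encrypted(data)
    return {"name": name, "kind": kind, "disguised": disguised, "encrypted": encrypted}


def scan(files):
    """Return names of files whose extension claims a DLL/EXE but whose bytes are an archive."""
    return [r["name"] for r in (check_file(n, d) for n, d in files) if r["disguised"]]


# Constructed sample inputs (not real malware): a genuine PE stub, a 7-Zip header
# masquerading as Everything64.dll, and a password-protected (encrypted) ZIP.
SAMPLES = [
    ("C:/Tools/Everything64.dll", b"MZ" + b"\x90" * 62),
    ("C:/Temp/Everything64.dll", b"7z\xbc\xaf\x27\x1c\x00\x04" + b"\x00" * 24),
    ("C:/Temp/helper.dll", b"PK\x03\x04\x14\x00\x01\x00" + b"\x00" * 22),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(check_file(name, data))
```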
"Once Mimic has infected a machine, the only way to bypass its encryption is by decrypting the data using a 'cracked' version of Everything64.dll," Kaspersky Lab said in an official blog post.
Mimic ransomware uses AES-256 to encrypt data and an RSA-2048 key for signing (which can be cracked with $2,500 worth of computing power). It also adds 2 additional layers of encryption with AES-256 and RSA-2048, making it more resilient and harder to break.
The ransom note is in English; once opened, a pop-up displays the following message:
"This is a Mimic update! This program has detected new files and added encryption to them. In order to decrypt them, you'll have to pay a ransom of 500 Bitcoins, equivalent to $2,500."
Source: New Mimic Ransomware Abuses Everything APIs for its Encryption Process - AlienVault - Open Threat Exchange