FYI:New Mimic ransomware abuses ‘Everything’ Windows search tool
Re: FYI:New Mimic ransomware abuses ‘Everything’ Windows search tool
There's nothing special on this and no way to prevent it from Everything.
Users have to follow the known rules to prevent their system from being hacked or abused.
Re: FYI:New Mimic ransomware abuses ‘Everything’ Windows search tool
Those ransomware dudes are getting cleverer by the day ...
Luckily, we have Everything, so we can search for ext:QUIETPLACE to see if we are affected/infected.
Re: FYI:New Mimic ransomware abuses ‘Everything’ Windows search tool
Trend doesn't say, but I wonder if "sdel.exe" isn't (Sysinternals) SDelete.
Re: FYI:New Mimic ransomware abuses ‘Everything’ Windows search tool
From the bleepingcomputer forums:
7za.exe (no signature)
DC.exe (closes Defender, sordum.org signature)
Everything.exe (voidtools signature)
Everything.ini
Everything2.ini
Everything32.dll (voidtools signature)
Everything64.dll (no signature)
sdel.exe (appears to be a renamed Sysinternals Secure File delete / sdelete with Microsoft Signature)
sdel64.exe (appears to be a renamed Sysinternals Secure File delete / sdelete with Microsoft Signature)
session.tmp (I think this is personalized)
systemi64.exe (malware)
Re: FYI:New Mimic ransomware abuses ‘Everything’ Windows search tool
Odd then that Trend didn't specifically mention that (as it should be easy to determine).
(Any recent Sysinternals program, on first invocation, would give a UAC prompt [I think it was a UAC prompt - at least some prompt] - older, unsigned versions did not. And of course, the malware could override UAC too.)
Re: FYI:New Mimic ransomware abuses ‘Everything’ Windows search tool
It does. From the original article:
BTW: The new ransomware family features several capabilities seen in modern strains, such as:
Collecting system information
Creating persistence via the RUN key
Bypassing User Account Control (UAC)
[...]
UAC is not meant as a security measure. It's more to force developers to write 'good' software.
Bypassing UAC is not very hard. I even wrote my own script to do so (long ago).
(Was quite proud of myself, only to find out after a websearch that there were already 17 different methods available. Mine was even among them ...)
Re: FYI:New Mimic ransomware abuses ‘Everything’ Windows search tool
Does anyone know where we can find a specimen of their everything.ini and everything2.ini file contents? I would like to see what files they are seeking with what filters and keywords.
Re: FYI:New Mimic ransomware abuses ‘Everything’ Windows search tool
The search is for databases (including xls and doc files), thereby excluding regular Windows and browser operation (to go undetected as long as possible, I guess).
The search feels like a ransomware-kit that was bought off-the-shelf and after that modified to add entries for this specific malware (different styles).
Anyway, the search:
file:<ext:;sql;sqlite;sqlite3;sqlitedb;mdf;mdb;adb;db;db3;dbf;dbs;udb;dbv;dbx;edb;exb;1cd;fdb;idb;mpd;myd;odb;xls;xlsx;doc;docx;bac;bak;back;zip;rar;dt> file:<!endwith:QUIETPLACE> <!"\steamapps\" !"\Cache\" !"\Boot\" !"\Chrome\" !"\Firefox\" !"\Mozilla\" !"\Mozilla Firefox\" !"\MicrosoftEdge\" !"\Internet Explorer\" !"\Tor Browser\" !"\Opera\" !"\Opera Software\" !"\Common Files\" !"\Config.Msi\" !"\Intel\" !"\Microsoft\" !"\Microsoft Shared\" !"\Microsoft.NET\" !"\MSBuild\" !"\MSOCache\" !"\Packages\" !"\PerfLogs\" !"\ProgramData\" !"\System Volume Information\" !"\tmp\" !"\Temp\" !"\USOShared\" !"\Windows\" !"\Windows Defender\" !"\Windows Journal\" !"\Windows NT\" !"\Windows Photo Viewer\" !"\Windows Security\" !"\Windows.old\" !"\WindowsApps\" !"\WindowsPowerShell\" !"\WINNT\" !"\$WINDOWS.~BT\" !"\$Windows.~WS\" !":\Users\Public\" !":\Users\Default\" !"C:\Users\Win7x32\AppData\Local\{ECD7344E-DB25-8B38-009E-175BDB26EC3D}" !"NTUSER.DAT"> wholefilename:<!"restore-my-files.txt" !"boot.ini" !"bootfont.bin" !"desktop.ini" !"iconcache.db" !"io.sys" !"ntdetect.com" !"ntldr" !"ntuser.dat" !"ntuser.ini" !"thumbs.db" !"session.tmp" !"Decrypt_me.txt"> <!size:0>
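A small triage script, added here as an example and not code from the thread or from voidtools, that turns the indicators named in this thread into a check: the QUIETPLACE extension (the "search for ext:QUIETPLACE" suggestion above), the two ransom-note names the search excludes via wholefilename:, and the dropped-toolkit file names from the bleepingcomputer list. It assumes those names are exact and case-insensitive, and it deliberately does not flag Everything.exe or the Everything DLLs, since legitimate installs carry the same names; sdel.exe hits likewise need manual confirmation because the thread says they appear to be renamed Sysinternals SDelete.

```python
import os
from pathlib import PureWindowsPath   # handles both "\" and "/" separators, so exports from any host parse

# Indicator sets constructed from the thread (assumption: exact names, compared case-insensitively).
ENCRYPTED_EXT = ".quietplace"                                  # already-encrypted files (ext:QUIETPLACE)
RANSOM_NOTES = {"decrypt_me.txt", "restore-my-files.txt"}      # excluded by the search's wholefilename: filter
TOOLKIT_FILES = {"7za.exe", "dc.exe", "everything2.ini",       # dropped-toolkit names from the forum list
                 "sdel.exe", "sdel64.exe", "session.tmp", "systemi64.exe"}

def classify(path):
    """Label one file path with an indicator category, or return None if it matches nothing."""
    name = PureWindowsPath(path).name.lower()
    if name.endswith(ENCRYPTED_EXT):
        return "encrypted-file"
    if name in RANSOM_NOTES:
        return "ransom-note"
    if name in TOOLKIT_FILES:
        return "toolkit-file"
    return None

def scan_paths(paths):
    """Classify an in-memory list of paths (e.g. an Everything export or an EDR file inventory)."""
    hits = {"encrypted-file": [], "ransom-note": [], "toolkit-file": []}
    for p in paths:
        label = classify(p)
        if label:
            hits[label].append(p)
    return hits

def scan_tree(root):
    """Walk a directory tree on the live host and classify every file; symlinks are not followed."""
    paths = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        paths.extend(os.path.join(dirpath, f) for f in files)
    return scan_paths(paths)

# Constructed sample listing (not real data): one hit of each kind plus benign noise.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.QUIETPLACE",
    r"C:\Users\alice\Documents\Decrypt_me.txt",
    r"C:\Users\alice\AppData\Local\Temp\systemi64.exe",
    r"C:\Users\alice\Documents\notes.docx",
    r"C:\Program Files\Everything\Everything.exe",   # legitimate install, intentionally not flagged
]

if __name__ == "__main__":
    for label, found in scan_paths(SAMPLE_LISTING).items():
        print(f"{label}: {len(found)}")
        for p in found:
            print("   ", p)
```

Run scan_tree on a user profile or a mapped share to get the same three buckets for a real host; an "encrypted-file" hit confirms impact, while a toolkit-only hit is a lead to verify by signature and location.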