New ransomware strain exploits Windows search tool Everything

[CyberTech]

Content source

https://www.neowin.net/news/new-ransomware-strain-exploits-windows-search-tool-everything/

Security researchers at Trend Micro have discovered a new ransomware strain that abuses the application programming interfaces of a third-party Windows search engine tool called Everything.

The ransomware, which Trend Micro named Mimic, targets Russian and English-speaking users. It has the following capabilities:

• Collecting system information
• Bypassing User Account Control (UAC)
• Disabling Windows Defender
• Disabling Windows telemetry
• Activating anti-shutdown measures
• Activating anti-kill measures
• Unmounting virtual drives
• Terminating processes and services
• Disabling sleep mode and shutdown of the system
• Removing indicators
• Preventing system recovery

For more information

New ransomware strain exploits Windows search tool Everything

A ransomware strain that exploits a legitimate Windows search tool has recently been discovered by security researchers. The new variant can disable Windows Defender and even prevent shutdowns.

www.neowin.net

 

[upnorth]

One of the search file tools the Malware Hub recommends in a case of a ransomware attack, helps find all encrypted files. Using the portable version is recommended.

voidtools

www.voidtools.com

Ultrasearch is another one that worked very well in ransomware tests in the Hub. Portable version.

File Search Tool UltraSearch

Are you looking for something? UltraSearch finds your files and documents - even as you type. Download for free!

www.jam-software.com

 

[simmerskool]

One of the search file tools the Malware Hub recommends in a case of a ransomware attack, helps find all encrypted files. Using the portable version is recommended.

voidtools

www.voidtools.com

Ultrasearch is another one that worked very well in ransomware tests in the Hub. Portable version.

File Search Tool UltraSearch

Are you looking for something? UltraSearch finds your files and documents - even as you type. Download for free!

www.jam-software.com

Thanks! you answered my question what to replace Everything with, if that needs to be done. As I understood the neowin article, you have to DL the ransomware then it uses everything files to encrypt, or help encrypt, your files. So this ransomware would have to get past your security to get to everything?, but why take that chance; however, I'm thinking the ransomware coders have read the neowin article, so they'll move on to apps you're suggesting above, or is that easier to imagine than done??

 

[blackice]

You don’t need to replace it, the ransomware brings along its own DLL of everything to extract. I don’t think having everything on your system is the vector for infection.

 

[upnorth]

I don’t think having everything on your system is the vector for infection.

Seems it was one vector as it even actively used the installed version for it's encryption phase. According to the report that is.

Mimic uses Everything32.dll, a legitimate Windows filename search engine that can return real time results for queries, in its routine. It abuses the tool by querying certain file extensions and filenames using Everything’s APIs to retrieve the file’s path for encryption.

It uses the Everything_SetSearchW function to search for files to be encrypted or avoided

implement a new approach to speeding up its routine by combining multiple running threads and abusing Everything’s APIs for its encryption (minimizing resource usage, therefore resulting in more efficient execution).

New Mimic Ransomware Abuses Everything APIs for its Encryption Process

Trend Micro researchers discovered a new ransomware that abuses the APIs of a legitimate tool called Everything, a Windows filename search engine developed by Voidtools that offers quick searching and real-time updates for minimal resource usage.

www.trendmicro.com

 

[blackice]

Seems it was one vector as it even actively used the installed version for it's encryption phase. According to the report that is.

New Mimic Ransomware Abuses Everything APIs for its Encryption Process

Trend Micro researchers discovered a new ransomware that abuses the APIs of a legitimate tool called Everything, a Windows filename search engine developed by Voidtools that offers quick searching and real-time updates for minimal resource usage.

www.trendmicro.com

Maybe I'm confused by this:

When executed, it will first drop its components to the %Temp%/7zipSfx folder. It will then extract the password protected Everything64.dll to the same directory

Otherwise it would only attack systems with Everything installed? It's a great tool, but I can't imagine the userbase is big enough for that to be a lucrative attack.

 

[upnorth]

Thanks! you answered my question what to replace Everything with, if that needs to be done. As I understood the neowin article, you have to DL the ransomware then it uses everything files to encrypt, or help encrypt, your files. So this ransomware would have to get past your security to get to everything?, but why take that chance; however, I'm thinking the ransomware coders have read the neowin article, so they'll move on to apps you're suggesting above, or is that easier to imagine than done??

Instead of completely replace it, try use the portable version instead, but avoid install the Everything service. That will then only drop 2 extra files, a .ini and a .db file. Create a new folder where you place these files in along with the .exe.

That attackers misuse legit installed tools or download those as a part of the infection chain is nothing new in itself, but a bit cleaver in this case with a search tool like Everything as these are very fast and effective and one reason why the Hub recommends it's testers to use it. Would they move onto for example, Ultrasearch? I don't know, but also wouldn't be surprised see it in some future report. But the main advice here is actually more about the portable option and I'll give a small example on what can happen in a ransomware case, from one of the tests in the Hub.

https://malwaretips.com/threads/cat4er-rw-signed-29-10-2022.118209/post-1009561

Spoiler

I have the Tor browser always ready and installed in my VM and in this case, it didn't helped at all because the ransomware destroyed it and forced me to download it again.

Parts of the " Tools " folder was not encrypted, so that's why I could easy start Ultrasearch, but it's also Portable so less risk of misuse.

Ultrasearch and Everything is just two 3rd party tools among many, but as we used these successful in the Hub, I do recommend them for anyone. Portable!

 

[upnorth]

Otherwise it would only attack systems with Everything installed? It's a great tool, but I can't imagine the userbase is big enough for that to be a lucrative attack.

No I was thinking the same, and I can't say for sure because that is not mentioned in the report from Trendmicro. One can guess this version is more capable and would use other means for it's encryption etc.

 

[simmerskool]

Instead of completely replace it, try use the portable version instead, but avoid install the Everything service. That will then only drop 2 extra files, a .ini and a .db file. Create a new folder where you place these files in along with the .exe.

https://malwaretips.com/threads/cat4er-rw-signed-29-10-2022.118209/post-1009561

The " Tools " folder was not encrypted for unknown reasons, so that's why I could easy start Ultrasearch, but it's also Portable so less risk of misuse.

Ultrasearch and Everything is just two 3rd party tools among many, but as we used these successful in the Hub, I do recommend them for anyone. Portable!

Before I saw your post, I went to Ultrasearch JAM website and downloaded free version, came as setup file, I did not see portable version but was not really looking, I'll go back, unless their setup file has the option to make it portable.

 

[upnorth]

Before I saw your post, I went to Ultrasearch JAM website and downloaded free version, came as setup file, I did not see portable version but was not really looking, I'll go back, unless their setup file has the option to make it portable.

They could have done that a bit better, but check again on the download page and click on the text and you should see this:

 

[Pat MacKnife]

Ultrasearch is also good.

 

[Guilhermesene]

@upnorth

Sorry for the out of context question, but just to ask, does VMWare Workstation Player work for users on SUA (Standard Account)?

Obviously, if I decide to use it I will install it using the administrative account (logged into it only) and then go back to SUA to use the system normally.

Again, I apologize for the question out of context, but it is just to take advantage of the fact that you answered a short time ago and you are probably online and also use SUA. Please don't be mad at me.

Thanks

 

[simmerskool]

@upnorth

Sorry for the out of context question, but just to ask, does VMWare Workstation Player work for users on SUA (Standard Account)?

Obviously, if I decide to use it I will install it using the administrative account (logged into it only) and then go back to SUA to use the system normally.

Again, I apologize for the question out of context, but it is just to take advantage of the fact that you answered a short time ago and you are probably online and also use SUA. Please don't be mad at me.

Thanks

I am not an expert, but VMware is running great on my win10. I am normally SUA on win10 host, open VM as admin, I have 2 monitors and vm in one monitor host in other. I have Workstation 16.2.5 not Player but I assume same ref your question. The nuance part is getting the vm settings correct or optimized for guest OS. When vm tweaked, at least on mine, the vm_win10 guest is fast smooth and stable.

 

[Guilhermesene]

Well, I'm going to stop answering here because otherwise it's going to get off topic.

@upnorth I look forward to your private message

@simmerskool thanks for your attention in replying and for sharing your experience regarding this

 

[upnorth]

Well, I'm going to stop answering here because otherwise it's going to get off topic.

Naah no worries, but a bit better thread about SUA is the one here :

Question - Do you use an Admin account or Standard User Account?

It's been about a year since a big discussion on this, but even longer since a poll has been posted. Last I checked the community had been drifting towards favoring an SUA, adoption was up in 2017 over 2016. So I'm just curious where the community is at these days? We know SUA is more secure...

malwaretips.com

 

[Guilhermesene]

@upnorth Thank you for your help

I had been through this thread and similar ones, but had not stopped to read the references cited by the various MT members.

Well, I confess that I am using SUA and I am not getting out of it. It is amazing the "greater sense of security" and that I can use my programs normally. Thank you for being a source of inspiration to change my concept of security level regarding the use of devices.

 

[simmerskool]

Ultrasearch is also good.

now running UltraSearch free portable. seems good and fast