Mimic: The ransomware exploiting Windows search

by Black Hat Middle East and Africa
New ransomware variants emerge all the time. One family, known as Mimic, has recently caught the attention of researchers at Fortra because of how it finds its targets: it abuses the API of a legitimate Windows file-search tool, ‘Everything’ by Voidtools, to locate files for encryption far faster than walking the file system on its own. There is no exploit of Everything involved; the tool is simply used for what it was built for.

What is Mimic?

Mimic was first identified in the wild in 2022, in ransomware attacks that encrypt victim files and demand payment in cryptocurrency in exchange for the decryption key. 

Some Mimic variants also steal data, exfiltrating it from the victim’s machine before encryption begins. The stolen data serves as additional leverage in the extortion: if the victim does not pay, they risk their information being leaked or sold. 

Mimic builds on the Conti ransomware, reusing code from the leaked Conti source; Graham Cluley has detailed that leak.

You don’t have to use the Everything app to be at risk from Mimic

Users who assume Mimic won’t affect them because they don’t use Everything should be warned: the ransomware does not rely on the victim already having the search app installed. Instead, Mimic ships the Everything search library alongside its own binary, drops it as part of its payload, and then queries it through Everything’s API to enumerate the files it will encrypt.

Because there is no vulnerability in the Everything app itself, Voidtools (the search tool’s creator) can do little to mitigate this form of attack. The ransomware group has simply chosen Everything as a convenient tool to abuse in order to locate and encrypt files quickly. For defenders, the practical signal is the Everything library turning up on a machine where nobody installed it, particularly next to an unfamiliar executable.

Users who do have Everything on their computers, or a similar file search tool, can search for the extension ‘.QUIETPLACE’. Files encrypted by Mimic are given this extension, so if you find it on your system you are probably under attack. By the time you search for that extension, though, you may already have found the ransom note demanding cryptocurrency in exchange for the decryption key. 
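The search described above, carried a little further, as an added example that is not part of the original article: a PowerShell sweep that finds files carrying the .QUIETPLACE extension, brackets the encryption window from their write times so the incident can be scoped against logs and backups, lists the directories hit hardest, and then looks for copies of the Everything library outside the places a normal install would put it. The roots to sweep, the drop locations checked and the library file names (Everything32.dll and Everything64.dll are the Voidtools SDK libraries) are assumptions made for this example, not details from the article.

```powershell
# Added example, not from the original article or from Voidtools.
# Run as an administrator on the suspect host. Roots, extension and
# drop locations are assumptions; adjust them to the environment.
param(
    [string[]]$Roots = @('C:\Users', 'D:\'),   # assumed locations to sweep
    [string]$Extension = '.QUIETPLACE'          # extension named in the article
)

# Collect every file whose extension matches, ignoring access errors so
# one locked directory does not abort the sweep. @() keeps $hits an array
# even when there is exactly one match.
$hits = @(foreach ($root in $Roots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -ieq $Extension }
    }
})

if ($hits.Count -eq 0) {
    Write-Output "No $Extension files found under $($Roots -join ', ')."
}
else {
    # Earliest and latest write times bracket the encryption run, which is
    # the window to pull from event logs, EDR telemetry and backup catalogs.
    $sorted = $hits | Sort-Object LastWriteTime
    Write-Output ("{0} encrypted files; first written {1:u}, last written {2:u}" -f
        $hits.Count, $sorted[0].LastWriteTime, $sorted[-1].LastWriteTime)

    # Directories with the most encrypted files show where the run did its damage.
    Write-Output 'Most affected directories:'
    $hits | Group-Object DirectoryName |
        Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name |
        Format-Table -AutoSize
}

# Mimic drops the Everything search library with its payload. A copy of that
# library in a temp or per-user directory, where Voidtools never installs it,
# is a lead worth following even before any .QUIETPLACE file appears.
$everythingNames = @('Everything32.dll', 'Everything64.dll')   # Voidtools SDK DLL names
$suspectDirs = @($env:TEMP, $env:LOCALAPPDATA, $env:ProgramData, 'C:\Users\Public')  # assumed drop locations

Write-Output 'Everything library copies outside the normal install location:'
foreach ($dir in $suspectDirs) {
    if (Test-Path -LiteralPath $dir) {
        Get-ChildItem -LiteralPath $dir -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $everythingNames -contains $_.Name } |
            Select-Object FullName, LastWriteTime
    }
}
```

Save it as a .ps1 and run it from an elevated prompt; a hit on either check warrants isolating the host before doing anything else, since the encryption may still be in progress.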

Is Mimic evolving?

Yes – Mimic’s evolution is far from over. 

A new variant called Elpaco has recently been found. In the attacks observed so far, the operators brute-force their way into a system and then escalate their privileges before deploying the ransomware. 

Mimic is just one of many ransomware families emerging and evolving in spite of crackdowns on ransomware groups in some regions of the world. The financial gain of ransomware continues to outweigh the risks that cybercriminals face – so the landscape will continue to expand and change at speed. 

Read more: Discover why ransomware-as-a-service (RaaS) is on the rise.

Join us at Black Hat MEA 2025 to share your perspective and meet potential partners – and shape the future together. 
