
Mimicry Ransomware

Posted: September 12, 2018

The Mimicry Ransomware is a variant of Hidden Tear that creates symptoms imitating those of the Scarab Ransomware family. Victims should treat this file-locking Trojan as being distinct from the Scarab Ransomware and use data recovery and infection-prevention approaches that are in line with countering Hidden Tear. Whenever uninstalling the Mimicry Ransomware is required, you should use a professional anti-malware product, although unlocking the files is beyond the scope of general security and AV software.

This False Insect is Less than It's Pretending to Be

File-locking Trojans don't always wear hats or name tags that correspond with the ways that they're attacking your computer. The Mimicry Ransomware is, possibly, the most exemplary demonstration of how criminals can subtly trick their victims into looking for the wrong solutions. This member of the Hidden Tear family, which is closely related to threats like the ShutUpAndDance Ransomware, the Assembly Ransomware, the Krypton Ransomware, or the EyLamo Ransomware, is pretending that it's a member of the totally unrelated Scarab Ransomware group.

The choice of the Scarab Ransomware is, most likely, thanks to that threat's prominence in the Ransomware-as-a-Service industry, which passes out small variants of file-locker Trojans to other criminals, who add their custom cosmetics and contact information to the payloads. The Mimicry Ransomware imitates the Scarab Ransomware by tagging hostage media with the '.good' extension, which malware experts could verify as being in use recently, and by delivering a plagiarized ransom note.

However, the Mimicry Ransomware uses the encryption routine of Hidden Tear and has no technical details or features in common with the Russian-influenced RaaS software. Infections will block various media files, such as videos or documents, by encrypting them using an AES algorithm. The ransoming instructions tell the victim to contact the threat actor for a decryptor to recover the content, although malware researchers always recommend against paying extortionists.

Piercing All the Guises of Another, Free File-Locker Trojan

Besides its Scarab Ransomware attributes, the Mimicry Ransomware also includes some characteristics that reference the PGPSnippet Ransomware (which uses a much more inclusive method of blocking files and attacks more than 'only' media) and the Crypt0L0cker Ransomware. All of these dead-end identifiers could easily cause a user to test the wrong decryption program with their files and induce permanent data damage. For this reason, malware experts always recommend that victims create a spare copy of the locked content for decrypting purposes instead of taking another gamble with the only copy of any files.
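One way to make that spare copy before any decryptor touches the files, as an added example that is not part of the original article: it copies every '.good' file into a separate read-only vault and verifies each copy by SHA-256. The function names, the vault layout and the sample tree are assumptions constructed for the illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

LOCKED_EXT = ".good"  # extension the article reports on locked files

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large videos do not exhaust memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def preserve_locked_files(source: Path, vault: Path) -> dict:
    """Copy each locked file under source into vault, verify it, return a manifest."""
    manifest = {}
    source, vault = source.resolve(), vault.resolve()
    for src in sorted(source.rglob("*")):
        # Match the extension case-insensitively and never re-copy the vault itself.
        if not src.is_file() or src.suffix.lower() != LOCKED_EXT:
            continue
        if vault in src.parents:
            continue
        rel = src.relative_to(source)
        dst = vault / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        if not dst.exists():              # a rerun must not overwrite an earlier copy
            shutil.copy2(src, dst)        # copy2 keeps timestamps for later analysis
        digest = sha256_of(dst)
        if digest != sha256_of(src):
            raise IOError(f"copy of {rel} does not match the original")
        dst.chmod(0o444)                  # read-only: test decryptors on a further copy
        manifest[rel.as_posix()] = digest
    return manifest

def demo() -> dict:
    """Constructed sample tree: two stand-in locked files and one untouched file."""
    root = Path(tempfile.mkdtemp())
    (root / "docs" / "sub").mkdir(parents=True)
    (root / "docs" / "report.docx.good").write_bytes(b"constructed ciphertext A")
    (root / "docs" / "sub" / "clip.mp4.GOOD").write_bytes(b"constructed ciphertext B")
    (root / "docs" / "notes.txt").write_bytes(b"not locked")
    return preserve_locked_files(root / "docs", root / "vault")

if __name__ == "__main__":
    for name, digest in demo().items():
        print(digest, name)
```

Keep the vault on media that is disconnected from the affected PC, and run candidate decryptors only against working copies made from it.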

While a real variant of the Scarab Ransomware is most likely to use brute-force attacks against corporate-held networks, the Mimicry Ransomware's distribution model and its infection strategies are unidentifiable, thus far. This threat is in the wild, and multiple victims are confirmable, however. Users should keep backups of their work, test free decryption applications for Hidden Tear, and, as always, protect their PCs with anti-malware software meant for deleting the Mimicry Ransomware and similar threats.

Every symptom that a file-locking Trojan gives to a victim is deliberate. With ones like the Mimicry Ransomware, a 'clue' is just a false trail leading the PC's user in the wrong direction for saving their hard drive's data.
