{"id":50278,"date":"2023-01-26T00:00:00","date_gmt":"2023-01-26T00:00:00","guid":{"rendered":"urn:uuid:8e86ec96-9f60-b687-dba3-db236bfa5518"},"modified":"2023-01-26T00:00:00","modified_gmt":"2023-01-26T00:00:00","slug":"new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/","title":{"rendered":"New Mimic Ransomware Abuses Everything APIs for its Encryption Process"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/mimic-ransomware-641.jpg\"> <head> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/a\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html\"> <title>New Mimic Ransomware Abuses Everything APIs for its Encryption Process<\/title> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"51.033360995851\"> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"2019380294\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"11.287909836066\">\n<div class=\"article-details\" role=\"heading\" readability=\"42.206967213115\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p 
class=\"article-details__display-tag\">Ransomware<\/p>\n<p class=\"article-details__description\">Trend Micro researchers discovered a new ransomware that abuses the APIs of a legitimate tool called Everything, a Windows filename search engine developed by Voidtools that offers quick searching and real-time updates for minimal resource usage. <\/p>\n<p class=\"article-details__author-by\">By: Nathaniel Morales, Earle Maui Earnshaw, Don Ovid Ladores, Nick Dai, Nathaniel Gregory Ragasa <time class=\"article-details__date\">January 26, 2023<\/time> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"40\">\n<div readability=\"25\">\n<p>Trend Micro researchers discovered a new ransomware that abuses the APIs of a legitimate tool called Everything, a Windows filename search engine developed by Voidtools that offers quick searching and real-time updates for minimal resource usage. This ransomware (which we named Mimic based on a string we found in its binaries) was first observed in the wild in June 2022 and targets Russian- and English-speaking users. It is equipped with multiple capabilities, such as deleting shadow copies, terminating multiple applications and services, and abusing Everything32.dll functions to query the target files that are to be encrypted.<\/p>\n<p>In this blog entry, we will take a closer look at the Mimic ransomware, its components and functions, and its connection to the Conti builder that was leaked in early 2022.<\/p>\n<p><span class=\"body-subhead-title\">Arrival and components<\/span><\/p>\n<p>Mimic arrives as an executable that drops multiple binaries and a password-protected archive (disguised as Everything64.dll) which, when extracted, contains the ransomware payload. 
It also includes tools that are used for turning off Windows Defender, as well as legitimate sdel binaries.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"c23b00\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-1.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-1.jpg\" alt=\"Figure 1. The Mimic ransomware components\"> <\/a><figcaption>Figure 1. The Mimic ransomware components<\/figcaption><\/figure>\n<\/p><\/div>\n<div readability=\"5.9037994364007\">\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"10%\">\n<tbody readability=\"4\">\n<tr>\n<td><b>Filename<\/b><\/td>\n<td><b>Description<\/b><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><b>7za.exe<\/b><\/td>\n<td><b>Legitimate 7-Zip executable that is used to extract the payload<\/b><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><b>Everything.exe<\/b><\/td>\n<td><b>Legitimate Everything application<\/b><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><b>Everything32.dll<\/b><\/td>\n<td><b>Legitimate Everything library<\/b><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><b>Everything64.dll<\/b><\/td>\n<td><b>Password-protected archive that contains the malicious payloads<\/b><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h5>Table 1. Details of the Mimic ransomware components<\/h5>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>When executed, it will first drop its components to the %Temp%\/7zipSfx folder. 
It will then extract the password-protected Everything64.dll to the same directory using the dropped 7za.exe via the following command:<\/p>\n<p><span class=\"blockquote\">&#8220;%Temp%\\7ZipSfx.000\\7za.exe&#8221; x -y -p20475326413135730160 Everything64.dll<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"18d224\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-2.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-2.jpg\" alt=\"Figure 2. Mimic ransomware\u2019s dropped components \"> <\/a><figcaption>Figure 2. Mimic ransomware\u2019s dropped components <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>It will also drop the session key file session.tmp to the same directory, which is used to resume the encryption in case the process is interrupted.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"0a5d69\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-3.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-3.jpg\" alt=\"Figure 3. The content of session.tmp\"> <\/a><figcaption>Figure 3. 
The content of session.tmp<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>It will then copy the dropped files to \u201c%LocalAppData%\\{Random GUID}\\\u201d, after which the ransomware will be renamed to bestplacetolive.exe and the original files deleted from the %Temp% directory.<\/p>\n<p>Based on our analysis, Mimic supports other command line arguments as shown in Table 2.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"1\" border=\"1\" width=\"100%\" height=\"5%\">\n<tbody readability=\"7\">\n<tr>\n<td><b>Cmdline option<\/b><\/td>\n<td><b>Acceptable values<\/b><\/td>\n<td><b>Description<\/b><\/td>\n<\/tr>\n<tr readability=\"4\">\n<td><b>-dir<\/b><\/td>\n<td><b>File path to be encrypted<\/b><\/td>\n<td><b>Directory for encryption<\/b><\/td>\n<\/tr>\n<tr readability=\"6\">\n<td><b>-e<\/b><\/td>\n<td><b>all<br \/>local<br \/>net<br \/>watch<br \/>ul1<br \/>ul2<\/b><\/td>\n<td><b>Encrypt all (default)<br \/>Encrypt local files<br \/>Encrypt files on network shares<br \/>ul: unlocker; creates a thread with interprocess communication and tries to unlock certain memory addresses from another process<\/b><\/td>\n<\/tr>\n<tr readability=\"3\">\n<td><b>-prot<\/b><\/td>\n<td><b>&nbsp;<\/b><\/td>\n<td><b>Protects the ransomware from being killed<\/b><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><b>-pid<\/b><\/td>\n<td><b>&lt;integer&gt;<\/b><\/td>\n<td><b>The process identifier (PID) of the previously running ransomware<\/b><\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<p><h5>Table 2. 
Arguments accepted by Mimic ransomware<\/h5>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>Mimic ransomware consists of multiple threads that employ the CreateThread function for faster encryption and render analysis more challenging for security researchers.<\/p>\n<p>When executed, it will first register a hotkey (Ctrl + F1, using the RegisterHotKey API) that displays the status logs being performed by the ransomware.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"564e53\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-4.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-4.jpg\" alt=\"Figure 4. The function used for registering the hotkey\"> <\/a><figcaption>Figure 4. The function used for registering the hotkey<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"2db3f9\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-5.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-5.jpg\" alt=\"Figure 5. Sample logs that are shown when Ctrl +F1 is pressed\"> <\/a><figcaption>Figure 5. 
Sample logs that are shown when Ctrl + F1 is pressed<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p>The ransomware\u2019s config is located in its overlay and is decrypted with a bitwise NOT operation.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"668f6b\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-6.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-6.jpg\" alt=\"Figure 6. Decryption function for the config\"> <\/a><figcaption>Figure 6. Decryption function for the config<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"35a1c4\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-7.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-7.jpg\" alt=\"Figure 7. Snippet from a decrypted config\"> <\/a><figcaption>Figure 7. 
Snippet from a decrypted config<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p>Figure 8 shows a more thorough look at the config and its values.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"b5ab73\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-table-3.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-table-3.jpg\" alt=\"Figure 8. Mimic ransomware config details\"> <\/a><figcaption>Figure 8. Mimic ransomware config details<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div class=\"responsive-table-wrap\" readability=\"14\">\n<p>Mimic ransomware possesses a plethora of capabilities, including the following:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Collecting system information<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Creating persistence via the RUN key<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Bypassing User Account Control (UAC)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Disabling Windows Defender<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Disabling Windows telemetry<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Activating anti-shutdown measures<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Activating anti-kill measures<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Unmounting Virtual Drives<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Terminating processes and services<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Disabling sleep mode and shutdown of the system<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Removing 
indicators<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Inhibiting System Recovery<br \/>&nbsp;<\/span><\/li>\n<\/ul>\n<p>Mimic uses <i>Everything32.dll<\/i>, a legitimate Windows filename search engine that can return real time results for queries, in its routine. It abuses the tool by querying certain file extensions and filenames using Everything\u2019s APIs to retrieve the file\u2019s path for encryption.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"cb28d6\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-8.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-8.jpg\" alt=\"Figure 9. Overview of the function that utilizes Everything API\"> <\/a><figcaption>Figure 9. 
Overview of the function that utilizes Everything API<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>It uses the Everything_SetSearchW function to search for files to be encrypted or avoided using the following search format:<\/p>\n<p><i><span class=\"blockquote\">file:&lt;ext:{list of extension}&gt;file:&lt;!endwith:{list of files\/directory to avoid}&gt;wholefilename&lt;!{list of files to avoid}&gt;<\/span><\/i><\/p>\n<p>The following query is used by Mimic to search for files to be encrypted or avoided:<\/p>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody readability=\"2.5\">\n<tr readability=\"7.5\">\n<td width=\"623\" valign=\"top\" readability=\"8\">\n<p><span class=\"blockquote\">file:&lt;ext:;sql;sqlite;sqlite3;sqlitedb;mdf;mdb;adb;db;db3;dbf;dbs;udb;dbv;dbx;edb;exb;1cd;fdb;idb;mpd;myd;odb;xls;xlsx;doc;docx;bac;bak;back;zip;rar;dt&gt; file:&lt;!endwith:QUIETPLACE&gt; &lt;!&#8221;\\steamapps\\&#8221; !&#8221;\\Cache\\&#8221; !&#8221;\\Boot\\&#8221; !&#8221;\\Chrome\\&#8221; !&#8221;\\Firefox\\&#8221; !&#8221;\\Mozilla\\&#8221; !&#8221;\\Mozilla Firefox\\&#8221; !&#8221;\\MicrosoftEdge\\&#8221; !&#8221;\\Internet Explorer\\&#8221; !&#8221;\\Tor Browser\\&#8221; !&#8221;\\Opera\\&#8221; !&#8221;\\Opera Software\\&#8221; !&#8221;\\Common Files\\&#8221; !&#8221;\\Config.Msi\\&#8221; !&#8221;\\Intel\\&#8221; !&#8221;\\Microsoft\\&#8221; !&#8221;\\Microsoft Shared\\&#8221; !&#8221;\\Microsoft.NET\\&#8221; !&#8221;\\MSBuild\\&#8221; !&#8221;\\MSOCache\\&#8221; !&#8221;\\Packages\\&#8221; !&#8221;\\PerfLogs\\&#8221; !&#8221;\\ProgramData\\&#8221; !&#8221;\\System Volume Information\\&#8221; !&#8221;\\tmp\\&#8221; !&#8221;\\Temp\\&#8221; !&#8221;\\USOShared\\&#8221; !&#8221;\\Windows\\&#8221; !&#8221;\\Windows Defender\\&#8221; !&#8221;\\Windows Journal\\&#8221; !&#8221;\\Windows NT\\&#8221; !&#8221;\\Windows Photo Viewer\\&#8221; !&#8221;\\Windows Security\\&#8221; 
!&#8221;\\Windows.old\\&#8221; !&#8221;\\WindowsApps\\&#8221; !&#8221;\\WindowsPowerShell\\&#8221; !&#8221;\\WINNT\\&#8221; !&#8221;\\$WINDOWS.~BT\\&#8221; !&#8221;\\$Windows.~WS\\&#8221; !&#8221;:\\Users\\Public\\&#8221; !&#8221;:\\Users\\Default\\&#8221; !&#8221;C:\\Users\\Win7x32\\AppData\\Local\\{ECD7344E-DB25-8B38-009E-175BDB26EC3D}&#8221; !&#8221;NTUSER.DAT&#8221;&gt; wholefilename:&lt;!&#8221;restore-my-files.txt&#8221; !&#8221;boot.ini&#8221; !&#8221;bootfont.bin&#8221; !&#8221;desktop.ini&#8221; !&#8221;iconcache.db&#8221; !&#8221;io.sys&#8221; !&#8221;ntdetect.com&#8221; !&#8221;ntldr&#8221; !&#8221;ntuser.dat&#8221; !&#8221;ntuser.ini&#8221; !&#8221;thumbs.db&#8221; !&#8221;session.tmp&#8221; !&#8221;Decrypt_me.txt&#8221;&gt; &lt;!size:0&gt;<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"8c6286\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-9.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-9.jpg\" alt=\"Figure 10. The Everything_SetSearchW API used by Mimic ransomware\"> <\/a><figcaption>Figure 10. 
The Everything_SetSearchW API used by Mimic ransomware<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>It then appends the .QUIETPLACE file extension to the encrypted files and, finally, displays the ransom note.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"9fef9f\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-9.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-10.jpg\" alt=\"Figure 11. Files that were encrypted by the Mimic ransomware\"> <\/a><figcaption>Figure 11. Files that were encrypted by the Mimic ransomware<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"99df4f\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-11.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-11.jpg\" alt=\"Figure 12. The Mimic ransom note\"> <\/a><figcaption>Figure 12. 
The Mimic ransom note<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.689189189189\">\n<div readability=\"11.351351351351\">\n<p>From our analysis, some parts of the code seemed to be based on, and share several similarities with the <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/ransomware-spotlight\/ransomware-spotlight-conti\">Conti ransomware<\/a> builder that was leaked in March 2022. For example, the enumeration of the encryption modes shares the same integer for both Mimic and Conti.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"a1ea11\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-12a.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-12a.jpg\" alt=\"Figure 12. Similarities between Mimic (top) and the leaked Conti builder (bottom)\"> <\/a> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"a2977f\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-12b.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-12b.jpg\" alt=\"Figure 12. 
Similarities between Mimic (top) and the leaked Conti builder (bottom)\"> <\/a> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"97f9d3\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-12c.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-12c.jpg\" alt=\"Figure 13. Similarities between Mimic (top) and the leaked Conti builder (bottom)\"> <\/a><figcaption>Figure 13. Similarities between Mimic (top) and the leaked Conti builder (bottom)<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p>The code related to argument <b>net<\/b> is also based on Conti. It will use the GetIpNetTable function to read the Address Resolution Protocol (ARP) cache and check if IP addresses contain \u201c172.\u201d, \u201c192.168\u201d, \u201c10.\u201d, or \u201c169.\u201d Mimic added a filter to exclude IP addresses that contain \u201c169.254\u201d, which is the IP range of Automatic Private IP Addressing (APIPA).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"d0a9fd\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-13a.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-13a.jpg\" alt=\"Figure 13. 
Comparison of the Mimic (top) and the leaked Conti builder (bottom) \u201cnet\u201d argument \"> <\/a> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"7a199e\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-13b.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-13b.jpg\" alt=\"Figure 14. Comparison of the Mimic (top) and the leaked Conti builder (bottom) \u201cnet\u201d argument \"> <\/a><figcaption>Figure 14. Comparison of the Mimic (top) and the leaked Conti builder (bottom) \u201cnet\u201d argument <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>Mimic also uses the Conti code in Windows Share Enumeration, where it employs the NetShareEnum function to enumerate all shares on the gathered IP addresses.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"e566c1\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-14a.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-14a.jpg\" alt=\"Figure 14. 
Comparison of the Mimic (top) and the leaked Conti (bottom) Share Enumeration function \"> <\/a> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"b901cc\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-14b.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-14b.jpg\" alt=\"Figure 15. Comparison of the Mimic (top) and the leaked Conti (bottom) Share Enumeration function \"> <\/a><figcaption>Figure 15. Comparison of the Mimic (top) and the leaked Conti (bottom) Share Enumeration function <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>Finally, Mimic\u2019s port scanning is also based on the Conti builder.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"c1c1cd\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-15a.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-15a.jpg\" alt=\"Figure 15. 
Comparison of the Mimic (top) and leaked Conti builder (bottom) port scanning function \"> <\/a> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"04467e\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-15b.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/mimic-ransomware-15b.jpg\" alt=\"Figure 16. Comparison of the Mimic (top) and leaked Conti builder (bottom) port scanning function \"> <\/a><figcaption>Figure 16. Comparison of the Mimic (top) and leaked Conti builder (bottom) port scanning function <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"40.895833333333\">\n<div readability=\"30.671875\">\n<p>More information about the behavior of Mimic ransomware can be found in <a href=\"https:\/\/www.trendmicro.com\/vinfo\/au\/threat-encyclopedia\/malware\/Ransom.Win32.MIMIC.SMZTJJ-A\/\">this report<\/a>.<\/p>\n<p>Mimic ransomware, with its multiple bundled capabilities, seems to implement a new approach to speeding up its routine by combining multiple running threads and abusing Everything\u2019s APIs for its encryption (minimizing resource usage, therefore resulting in more efficient execution). Furthermore, the threat actor behind Mimic seems to be resourceful and technically adept, using a leaked ransomware builder to capitalize on its various features, and even improving on it for more effective attacks.<\/p>\n<p>To protect systems from ransomware attacks, we recommend that both individual users and organizations implement best practices such as applying data protection, backup, and recovery measures to secure data from possible encryption or erasure. 
Conducting regular vulnerability assessments and patching systems in a timely manner can also minimize the damage dealt by ransomware that abuse exploits.<\/p>\n<p>A multilayered approach can help organizations guard possible entry points into the system (endpoint, email, web, and network). The right security solutions can also detect malicious components and suspicious behavior to protect enterprises.<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/detection-response.html\">Trend Micro Vision One\u2122<\/a>&nbsp;provides multilayered protection and behavior detection, which helps block questionable behavior and tools early on before the ransomware can do irreversible damage to the system.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/hybrid-cloud\/cloud-one-workload-security.html\">Trend Micro Cloud One\u2122 Workload Security<\/a>&nbsp;protects systems against both known and unknown threats that exploit vulnerabilities. 
This protection is made possible through techniques such as virtual patching and machine learning.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/user-protection\/sps\/email-and-collaboration\/email-inspector.html\">Trend Micro\u2122 Deep Discovery\u2122 Email Inspector<\/a> employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/user-protection\/sps\/endpoint.html\">Trend Micro Apex One\u2122<\/a> offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div>\n<\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/a\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Trend Micro researchers discovered a new ransomware that abuses the APIs of a legitimate tool called Everything, a Windows filename search engine developed by Voidtools that offers quick searching and real-time updates for minimal resource usage. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":50279,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9508,9539,9509],"class_list":["post-50278","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-endpoints","tag-trend-micro-research-ransomware","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>New Mimic Ransomware Abuses Everything APIs for its Encryption Process 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"New Mimic Ransomware Abuses Everything APIs for its Encryption Process 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2023-01-26T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/mimic-ransomware-641.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"New Mimic Ransomware Abuses Everything APIs for its Encryption 
Process\",\"datePublished\":\"2023-01-26T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\\\/\"},\"wordCount\":1849,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/01\\\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process.jpg\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Ransomware\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\\\/\",\"name\":\"New Mimic Ransomware Abuses Everything APIs for its Encryption Process 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/01\\\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process.jpg\",\"datePublished\":\"2023-01-26T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | 
Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/01\\\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/01\\\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process.jpg\",\"width\":1428,\"height\":1049},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"New Mimic Ransomware Abuses Everything APIs for its Encryption Process\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber 
Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"New Mimic Ransomware Abuses Everything APIs for its Encryption Process 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/","og_locale":"en_US","og_type":"article","og_title":"New Mimic Ransomware Abuses Everything APIs for its Encryption Process 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2023-01-26T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/mimic-ransomware-641.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"New Mimic Ransomware Abuses Everything APIs for its Encryption Process","datePublished":"2023-01-26T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/"},"wordCount":1849,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/01\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process.jpg","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Endpoints","Trend Micro Research : Ransomware","Trend Micro Research : 
Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/","url":"https:\/\/www.threatshub.org\/blog\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/","name":"New Mimic Ransomware Abuses Everything APIs for its Encryption Process 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/01\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process.jpg","datePublished":"2023-01-26T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/01\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/01\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process.jpg","width":1428,"height":1049},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"New Mimic Ransomware Abuses Everything APIs for its Encryption Process"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - 
Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/50278","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=50278"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/50278\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/50279"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=50278"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=50278"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=50278"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}