Security researchers have detected a new ransomware strain that belongs to the Hidden Tear family (Hidden Tear is an open-source ransomware project from which many derivatives have been built). The threat has been dubbed Mimicry ransomware, and it appends the .good extension to the files it encrypts. Researchers called it Mimicry because it carries fake signatures borrowed from other ransomware families such as Scarab-Horsia and Crypt0L0cker, and its ransom note also resembles the Scarab note. By the looks of it, however, Mimicry only imitates those families without actually using any of their functionality.
When Mimicry infects a system, it drops two executable files, frost.exe and Shiva. Because of this, the threat is also called ShivaGood ransomware, a combination of the Shiva executable it drops and the .good extension it adds to encrypted files. Note that these names were assigned by security researchers, not by the ransomware operators.
|Short Description||Mimicry ransomware encrypts files on your PC, appends the .good extension to them and drops a ransom note that demands payment for their decryption.|
|Symptoms||Important files are encrypted and renamed with the .good extension; a ransom note named HOW_TO_RECOVER_FILES.txt is dropped.|
|Distribution Method||Spam emails, email attachments, executable files|
Mimicry Ransomware: Distribution Methods
As in most ransomware cases, Mimicry ransomware can be distributed in several ways. The main distribution technique is typically spam email, with the ransomware payload contained in an attached file.
To look legitimate and increase the chance that the user opens the attachment, such emails usually impersonate representatives of well-known companies or, in other cases, government institutions. Keep in mind that the malicious attachments usually arrive as documents, archives, images and other commonly used file formats, or as executables disguised as such. If the body of the email is trying too hard to persuade you to open the attachment, that is a clear indication that it does not come from a legitimate sender but from malicious spammers.
For the sake of your security, you can submit every newly downloaded file to a free online file scanner before opening it. Such services check the file against multiple antivirus engines and flag known malicious content. Keep in mind that a clean result is not a guarantee: a freshly built sample may not be detected by any engine yet.
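The attachment checks described above, as an added example that is not part of the original article: a small Python triage that flags an attachment by its extension (executable or double extension) and by a mismatch between its extension and its leading magic bytes. The sample attachments are constructed byte strings, not real samples.

```python
"""Attachment triage: flag a mail attachment whose real type does not match its name.

Added example for this article, not code from the original page. It checks
offline what a mail gateway or a cautious user can check before opening a
file: an executable extension, a double extension that hides an executable
behind a document name ("scan.pdf.exe"), and a mismatch between the extension
and the file's leading magic bytes (an "image" that actually starts with the
PE "MZ" header). The attachments below are constructed byte strings, not real
samples.
"""
from __future__ import annotations

import ntpath

# Extensions that Windows executes directly on double-click.
EXECUTABLE_EXTS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".hta", ".msi", ".ps1", ".lnk",
}

# Leading bytes expected for common "harmless looking" attachment types.
MAGIC = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".zip": (b"PK\x03\x04",),
    ".docx": (b"PK\x03\x04",),      # OOXML documents are zip containers
    ".xlsx": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0",),  # legacy OLE2 compound file
    ".xls": (b"\xd0\xcf\x11\xe0",),
}
PE_MAGIC = b"MZ"  # DOS stub header of every Windows PE executable


def split_exts(name: str) -> list[str]:
    """All extensions of a file name, lower-cased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    parts = ntpath.basename(name).lower().split(".")
    return ["." + p for p in parts[1:]]


def triage_attachment(name: str, head: bytes) -> list[str]:
    """Reasons the attachment deserves a closer look; an empty list means no finding."""
    exts = split_exts(name)
    last = exts[-1] if exts else ""
    findings = []
    if last in EXECUTABLE_EXTS:
        findings.append(f"executable extension {last}")
        if len(exts) >= 2:
            findings.append(f"double extension: {exts[-2]} hides {last}")
    elif head.startswith(PE_MAGIC):
        findings.append(f"PE header (MZ) but extension is {last or 'missing'}")
    expected = MAGIC.get(last)
    if expected and not any(head.startswith(m) for m in expected):
        findings.append(f"content does not match the {last} magic bytes")
    return findings


# Constructed samples: attachment name -> first bytes of the file.
SAMPLES = {
    "invoice.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "scan_0412.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00",
    "photo.jpg": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00",
    "report.docx": b"PK\x03\x04\x14\x00\x06\x00",
    "holiday.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
}


def triage_all(samples: dict[str, bytes] = SAMPLES) -> dict[str, list[str]]:
    """Run the triage over every sample and return name -> findings."""
    return {name: triage_attachment(name, head) for name, head in samples.items()}


if __name__ == "__main__":
    for name, reasons in triage_all().items():
        verdict = "SUSPICIOUS: " + "; ".join(reasons) if reasons else "no finding"
        print(f"{name:20} {verdict}")
```

The magic-byte table is deliberately short; a real gateway would use a full type-identification library, but the logic is the same: decide what the file is from its content, not from the name the sender chose, and treat "document name, executable content" as the strongest signal.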
Mimicry ransomware can also reach a system through compromised web pages. Threat actors may inject malicious code into the source of a legitimate page, or configure the page to push the payload onto visiting systems directly (a drive-by download). They may also clone existing pages and modify them so that the ransomware is downloaded automatically when a user visits the copy. URLs of such pages can be posted on social media, sent in spam emails or spread via instant messaging services. Potentially unwanted programs that alter browser settings and cause repeated redirects to sites of unknown origin are also used by ransomware operators in their distribution campaigns.
Mimicry Ransomware Infection Details
The infection begins when Mimicry's payload is executed on the system. Like most ransomware, it typically modifies system settings in order to achieve persistence. In most cases ransomware of this kind adds values under the Run and RunOnce registry keys (under HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE), which causes the payload to be executed automatically each time Windows starts and the user logs on.
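One way to check the Run and RunOnce keys for the persistence pattern described above, as an added example that is not part of the original article. The article does not give the registry value names Mimicry uses, so the audit is generic: it lists autostart entries whose target lives in a user-writable location or has no file extension. The constructed sample entries, including the assumed paths for frost.exe and Shiva, are illustrations, not observed indicators.

```python
"""Audit the Run/RunOnce autostart keys for the persistence pattern described above.

Added example for this article, not code from the original page. The article
does not give the registry value names Mimicry uses, so the heuristic is
generic: an autostart command whose target lives in a user-writable location
(%APPDATA%, %TEMP%, Downloads, ProgramData, Public ...) or has no file
extension is listed for review. collect_autoruns() reads the live keys with
winreg on Windows; audit_autoruns() is pure and is demonstrated here on
constructed entries (the frost.exe and Shiva paths are assumed, not observed).
"""
from __future__ import annotations

import ntpath
import re
import sys

AUTORUN_KEYS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
]

# Locations an unprivileged user, and therefore a dropped payload, can write to.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData\\(Local|LocalLow|Roaming)|Downloads|Desktop)\\"
    r"|\\Users\\Public\\"
    r"|\\ProgramData\\"
    r"|\\Windows\\Temp\\"
    r"|%(APPDATA|LOCALAPPDATA|TEMP|TMP|PROGRAMDATA|PUBLIC|USERPROFILE)%",
    re.IGNORECASE,
)

EXE_RE = re.compile(r"(.+?\.(exe|scr|com|bat|cmd|vbs|js|ps1|dll))(\s|$)", re.IGNORECASE)


def executable_path(command: str) -> str:
    """Program path from an autorun command line, whether quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.match(command)
    if m:
        return m.group(1)
    return command.split()[0] if command else ""


def audit_autoruns(entries):
    """entries: (hive, key, value_name, command) tuples -> list of review items."""
    findings = []
    for hive, key, name, command in entries:
        target = executable_path(command)
        reasons = []
        if USER_WRITABLE.search(command):
            reasons.append("target in a user-writable location")
        if target and not ntpath.splitext(target)[1]:
            reasons.append("target has no file extension")
        if reasons:
            findings.append({"hive": hive, "key": key, "name": name,
                             "target": target, "reasons": reasons})
    return findings


def collect_autoruns():
    """Read the live autostart keys; returns [] on non-Windows hosts."""
    if sys.platform != "win32":
        return []
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    entries = []
    for hive, path in AUTORUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], path) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:  # no more values under this key
                        break
                    entries.append((hive, path, name, str(data)))
                    index += 1
        except OSError:  # key absent (e.g. no WOW6432Node on 32-bit Windows)
            continue
    return entries


# Constructed entries for demonstration; the two payload paths are assumptions.
SAMPLE_ENTRIES = [
    ("HKLM", AUTORUN_KEYS[0][1], "SecurityHealth",
     r"%windir%\system32\SecurityHealthSystray.exe"),
    ("HKCU", AUTORUN_KEYS[3][1], "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("HKCU", AUTORUN_KEYS[3][1], "frost",
     r'"C:\Users\alice\AppData\Roaming\frost.exe"'),
    ("HKCU", AUTORUN_KEYS[4][1], "upd",
     r"C:\Users\alice\AppData\Local\Temp\Shiva"),
]

if __name__ == "__main__":
    live = collect_autoruns()
    for item in audit_autoruns(live or SAMPLE_ENTRIES):
        print(f"{item['hive']}\\{item['key']}\\{item['name']}: {item['target']}")
        print("   ", "; ".join(item["reasons"]))
```

The output is a review list, not a verdict: legitimate per-user installs such as OneDrive also start from AppData and will be listed, so each hit still needs to be checked against the file's publisher signature and install history. The two constructed payload entries stand out for a different reason: an extensionless target in Temp is not how legitimate software registers itself.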
Mimicry ransomware may also collect particular details about the system and send them to its command and control server. Once a connection to the server is established, it may drop additional malicious files on the compromised host.
At the end of the infection process, the crypto virus typically drops a ransom note that blackmails victims into paying for a decryption solution for the .good encrypted files. The message is found in a file named HOW_TO_RECOVER_FILES.txt.
The ransom note of the Mimicry ransomware reads the following:
Your personal identifier: U3XXX
Your files are now encrypted! Your important files have been encrypted due to a security problem with your PC.
Now you should send us an email with your personal identifier.
This email will be a confirmation that you are ready to pay for the decryption key.
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
Contact us using this email address: firstname.lastname@example.org
Free decryption as guarantee!
Before paying you can send us up to 3 files for free decryption.
The total size of the files must be less than 10 MB (non-archived), and the files should not contain valuable information (databases, backups, large Excel sheets, etc.).
How to obtain Bitcoins?
* The easiest way to buy Bitcoins is the LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
* You can also find other places to buy Bitcoins, and a beginner's guide, here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins
* Do not rename encrypted files.
* Do not try to decrypt your data using third-party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause an increased price (they add their fee to ours), or you can become a victim of a scam.
Here is how the ransom note of Mimicry ransomware looks:
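A read-only triage of the indicators just described (files renamed with the .good extension and the HOW_TO_RECOVER_FILES.txt note with its personal identifier), as an added example that is not part of the original article or of any vendor's tool. It assumes the extension is appended to the original name, as the article states; the sample directory tree is constructed with stub content.

```python
"""Read-only triage for the indicators attributed to Mimicry above: files
renamed with the .good extension and HOW_TO_RECOVER_FILES.txt ransom notes.

Added example for this article, not code from the original page or from any
vendor tool. It walks a directory tree, counts encrypted files per folder,
recovers the original names by stripping the appended extension (assuming the
extension is appended, as the article states), lists the ransom notes and
pulls the 'Your personal identifier:' value out of them. The sample tree is
built in a temporary directory with stub content; nothing is modified or
renamed, which matters because the note itself warns against renaming.
"""
from __future__ import annotations

import os
import re
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".good"
NOTE_NAME = "HOW_TO_RECOVER_FILES.txt"
ID_RE = re.compile(r"Your personal identifier:\s*(\S+)", re.IGNORECASE)


def triage_tree(root: str) -> dict:
    """Scan `root` recursively and summarise the Mimicry indicators found."""
    per_dir: Counter = Counter()
    originals, notes, identifiers = [], [], set()
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if fn.lower().endswith(ENCRYPTED_EXT):
                per_dir[os.path.relpath(dirpath, root)] += 1
                originals.append(fn[: -len(ENCRYPTED_EXT)])
            elif fn == NOTE_NAME:
                notes.append(os.path.relpath(path, root))
                try:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        match = ID_RE.search(fh.read())
                except OSError:
                    match = None
                if match:
                    identifiers.add(match.group(1))
    return {
        "encrypted_total": sum(per_dir.values()),
        "encrypted_per_dir": dict(per_dir),
        "original_names": sorted(originals),
        "notes": sorted(notes),
        "identifiers": sorted(identifiers),
        "infected": bool(per_dir or notes),
    }


def build_sample_tree() -> str:
    """Constructed, harmless directory layout mimicking the aftermath of an infection."""
    root = tempfile.mkdtemp(prefix="mimicry_triage_")
    # Stub note using the redacted identifier shown in the article's note text.
    note = "Your personal identifier: U3XXX\nYour files are now encrypted!\n"
    layout = {
        "Documents": ["budget.xlsx.good", "thesis.docx.good", NOTE_NAME],
        "Pictures": ["holiday.jpg.good", NOTE_NAME],
        "Music": [],  # untouched folder, nothing to report
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            with open(os.path.join(root, folder, name), "w", encoding="utf-8") as fh:
                fh.write(note if name == NOTE_NAME else "stub ciphertext\n")
    with open(os.path.join(root, "readme.txt"), "w", encoding="utf-8") as fh:
        fh.write("not encrypted\n")
    return root


if __name__ == "__main__":
    report = triage_tree(build_sample_tree())
    print(f"infected: {report['infected']}, encrypted files: {report['encrypted_total']}")
    for folder, count in sorted(report["encrypted_per_dir"].items()):
        print(f"  {folder}: {count}")
    print("ransom notes:", report["notes"])
    print("identifiers to record:", report["identifiers"])
```

Run it against the user profile (or a mounted image of the disk) before any cleanup: the per-folder counts show how far encryption got, the recovered original names tell you what to restore from backup, and the identifier is the value worth preserving in the incident record even if nobody intends to contact the operators.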
Remove Mimicry Ransomware and Restore .good Files
The step-by-step removal guide below provides both manual and automatic approaches to removing Mimicry ransomware. Keep in mind that removing the Mimicry crypto virus manually is not an easy task, and it may be better to use an anti-malware tool.