The Elpaco ransomware, a variant of Mimic, uses RDP brute-forcing and the Zerologon vulnerability for initial access and privilege escalation. It bundles the legitimate Everything search library for file discovery and ships a GUI through which an operator can customize its malicious operations.
These operations include disabling security measures and executing system commands; the ransomware's distinguishing feature is how easily attacks can be tailored through this interface.
It is disguised as a 7-Zip installer. The installer extracts a malicious payload (Everything64.dll) using a hardcoded password and drops it in the %AppData%\Local directory; the ransomware then uses the legitimate Everything library to identify target files.
This payload, most likely a variant of the Mimic ransomware, relies on techniques such as multi-threaded encryption and code obfuscation to encrypt user data while evading detection.
The sample uses the Elpaco structure to unpack and execute its components: the Defender Control tool (DC.exe), which disables Windows Defender, and the main console (svhostss.exe), which performs the malicious actions. It also drops a session key (session.tmp) so that encryption can be resumed.
The GUI (gui40.exe) allows customization of ransomware properties, process injection, ransom note modification, changes to the encryption extension, and exclusion of specific files or directories.
It also lets the operator kill processes and execute system commands, which increases the threat's adaptability and customization capabilities.
Elpaco uses a custom configuration file system that lets operators tailor attacks, and a console interface that gathers system information, including drives and shares.
The malware creates registry entries to persist and execute, and associates a custom file extension with the ransom note.
It utilizes legitimate Windows APIs for file operations and employs the Everything search tool for file identification. However, no explicit data exfiltration mechanisms were observed in the analyzed samples.
The ransomware encrypts files with ChaCha20, and the ChaCha20 key is in turn encrypted with RSA-4096. It logs its activities to MIMIC_LOG.txt and stores a session key in session.tmp.
After encryption, it securely erases its executables and other files, including svhostss.exe, using the fsutil LOLBin to prevent recovery; the absence of the RSA private key hinders file decryption.
YARA rules were developed to detect the Elpaco dropper and console interface, keyed on file types, strings, and library imports; applying them to public sources identified threat actors using Elpaco and other Mimic variants.
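Alongside file-based YARA matching, the behaviours described above (components dropped into %AppData%\Local, child processes of svhostss.exe, and the fsutil self-erase step) can be hunted in process-creation telemetry. The following is an added example, not code from the original write-up or from Kaspersky; the event format, the sample events and the fsutil "setzerodata" sub-command are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (not real telemetry), one per line:
# "<timestamp> | <parent image> | <image> | <command line>"
SAMPLE_EVENTS = """\
2024-05-01T10:02:11Z | C:\\Users\\u\\Downloads\\7zSetup.exe | C:\\Users\\u\\AppData\\Local\\svhostss.exe | svhostss.exe
2024-05-01T10:02:15Z | C:\\Users\\u\\AppData\\Local\\svhostss.exe | C:\\Users\\u\\AppData\\Local\\DC.exe | DC.exe
2024-05-01T10:02:30Z | C:\\Users\\u\\AppData\\Local\\svhostss.exe | C:\\Windows\\System32\\fsutil.exe | fsutil file setzerodata offset=0 length=4096 C:\\Users\\u\\AppData\\Local\\svhostss.exe
2024-05-01T10:05:00Z | C:\\Windows\\explorer.exe | C:\\Windows\\System32\\notepad.exe | notepad.exe readme.txt
2024-05-01T10:06:00Z | C:\\Windows\\explorer.exe | C:\\Windows\\System32\\svchost.exe | svchost.exe -k netsvcs
"""

# Component names the write-up attributes to the Elpaco dropper; the lookalike
# "svhostss.exe" must not be confused with the legitimate svchost.exe.
ELPACO_COMPONENTS = {"svhostss.exe", "dc.exe", "gui40.exe", "everything64.dll"}
APPDATA_LOCAL = re.compile(r"\\appdata\\local\\", re.IGNORECASE)
# The self-erase step: the sub-command "setzerodata" is an assumption; the
# write-up only states that fsutil is used to wipe the executables.
FSUTIL_WIPE = re.compile(r"\bfsutil\b.*\bsetzerodata\b", re.IGNORECASE)

def parse_event(line: str) -> Dict[str, str]:
    ts, parent, image, cmdline = (f.strip() for f in line.split(" | ", 3))
    return {"ts": ts, "parent": parent, "image": image, "cmdline": cmdline}

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: Dict[str, str]) -> List[str]:
    """Return the Elpaco-related indicators an event matches (empty if benign)."""
    hits = []
    img = basename(event["image"])
    if img in ELPACO_COMPONENTS and APPDATA_LOCAL.search(event["image"]):
        hits.append(f"elpaco-component-in-appdata-local:{img}")
    if basename(event["parent"]) == "svhostss.exe":
        hits.append("child-of-svhostss")
    if FSUTIL_WIPE.search(event["cmdline"]) and APPDATA_LOCAL.search(event["cmdline"]):
        hits.append("fsutil-wipe-of-appdata-file")
    return hits

def scan(log_text: str) -> List[Dict[str, object]]:
    """Scan newline-separated events; keep only those with at least one hit."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse_event(line)
        if hits := classify(ev):
            findings.append({"ts": ev["ts"], "image": ev["image"], "hits": hits})
    return findings
```

On the constructed sample, the three events driven by the dropper are flagged and the two ordinary explorer.exe children (including the real svchost.exe) are not.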
Kaspersky analysis revealed widespread activity across multiple countries, with a surge in Mimic appearances starting in August 2023. The primary targets were the United States, Russia, the Netherlands, Germany, and France, although the impact extended to various other regions.
The Elpaco ransomware, a variant of the Mimic family, leverages the Everything DLL for file discovery. Its user-friendly interface enables customization and configuration export.
Its encryption scheme makes decryption impossible without the private key, and its self-deletion after encryption complicates analysis. Elpaco has been widely deployed globally, underscoring its significance as an ongoing threat.