Summary:
The Elpaco ransomware, a variant of Mimic, utilizes the Everything library for file discovery and features a customizable GUI for attackers. It employs sophisticated techniques for evasion and encryption, making it challenging to recover encrypted files. The ransomware has been observed targeting multiple countries since August 2023.
#ElpacoRansomware #MimicVariant #RansomwareThreat
Keypoints:
Initial access is obtained over RDP following a brute-force attack on credentials.
It exploits the CVE-2020-1472 vulnerability (Zerologon) for privilege escalation.
The malware is delivered through a 7-Zip installer mechanism, which complicates detection.
Elpaco abuses the Everything library for file searching and includes a GUI for customization.
It drops files in a randomly named directory under %AppData%\Local.
The malware creates registry keys for persistence and to display a ransom note at startup.
Elpaco encrypts files using the ChaCha20 cipher with RSA-4096 for key encryption.
YARA rules were developed for detecting Elpaco and its console interface.
Attacks have been observed in various countries, including the USA, Russia, and Germany.
MITRE Techniques:
Discovery (T1135): Network Share Discovery.
Execution (T1059.003): Command and Scripting Interpreter: Windows Command Shell.
Execution (T1059.001): Command and Scripting Interpreter: PowerShell.
Impact (T1486): Data Encrypted for Impact.
Impact (T1489): Service Stop.
Impact (T1490): Inhibit System Recovery.
Defense evasion (T1548.002): Abuse Elevation Control Mechanism: Bypass User Account Control.
Defense evasion (T1036): Masquerading.
Defense evasion (T1112): Modify Registry.
Defense evasion (T1562.004): Disable or Modify System Firewall.
Defense evasion (T1055): Process Injection.
Defense evasion (T1564): Hide Artifacts.
Persistence (T1547.001): Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder.
IoC:
[File Hash] 61f73e692e9549ad8bc9b965e25d2da683d56dc1 (dropper)
[File Hash] 8af05099986d0b105d8e38f305efe9098a9fbda6 (svhostss.exe)
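A defender-side way to use the two file-hash IoCs above is a filesystem sweep that hashes every file and reports matches. The script below is an added example, not part of the Securelist write-up or any tool it describes. The page labels the digests only as "File Hash"; their 40-hex-character length matches SHA-1, which the script assumes. It also flags the encryptor's listed filename, svhostss.exe, as a weaker name-only signal so a recompiled sample with a different hash still surfaces for triage. The directory tree in demo() is constructed for the demonstration and contains a stand-in file, not the real sample.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# File-hash IoCs from the page. The page labels them only as "File Hash";
# their 40-hex-character length matches SHA-1, which this script assumes.
ELPACO_SHA1 = {
    "61f73e692e9549ad8bc9b965e25d2da683d56dc1": "dropper",
    "8af05099986d0b105d8e38f305efe9098a9fbda6": "svhostss.exe",
}

# Encryptor filename as listed on the page, used as a second, weaker signal:
# a name-only hit is a lead to triage, not a confirmed match.
LOOKALIKE_NAMES = {"svhostss.exe"}


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-1 so large binaries need not fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, hash_iocs=ELPACO_SHA1, name_iocs=LOOKALIKE_NAMES):
    """Walk `root` and return (path, reason) pairs for files matching an IoC."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip it, keep sweeping
            if digest in hash_iocs:
                hits.append((str(path), f"sha1 matches IoC ({hash_iocs[digest]})"))
            elif name.lower() in name_iocs:
                hits.append((str(path), f"name matches IoC filename {name.lower()}"))
    return hits


def demo():
    """Build a constructed directory tree, sweep it, and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "report.txt").write_bytes(b"constructed benign content\n")
        (base / "abc.bin").write_bytes(b"abc")  # known SHA-1 test vector input
        # Constructed random-looking directory, mirroring the drop location described above.
        sub = base / "AppData" / "Local" / "q7x1kz"
        sub.mkdir(parents=True)
        (sub / "svhostss.exe").write_bytes(b"constructed stand-in, not the real sample")
        return {"abc_sha1": sha1_of_file(base / "abc.bin"), "hits": sweep(tmp)}


if __name__ == "__main__":
    for path, reason in demo()["hits"]:
        print(f"{reason}: {path}")
```

In the constructed tree the stand-in file is reported only by its name, since its content does not hash to either IoC; on a real host a hash hit on either digest is the high-confidence signal, and a name-only hit should be checked against the randomly named %AppData%\Local directory and the Run-key persistence described in the key points.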
Full Research: https://securelist.com/elpaco-ransomware-a-mimic-variant/114635/