Elpaco is a variant of the Mimic ransomware that was discovered by Kaspersky in a recent incident response case.
The malware used a 7-Zip installer mechanism for ransomware attacks and abused the Everything library for easy-to-use GUI customization.
The artifact also has features for disabling security mechanisms and running system commands.
DC.exe is called at runtime by svhostss.exe, using its /D switch to perform the disabling.
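The svhostss.exe to DC.exe /D behaviour above is something a detection engineer would want to match in process-creation telemetry. The following is an added example (not code from the Kaspersky report); it assumes Sysmon Event ID 1 style field names (Image, ParentImage, CommandLine), and the sample events and their paths are constructed.

```python
import re
from typing import Iterable

# Behaviour stated in the report: svhostss.exe invokes DC.exe with /D to
# disable security mechanisms. The switch match is case-insensitive and
# tolerant of "/d" and "-D" spellings; "/?" and similar must not match.
DISABLE_SWITCH = re.compile(r"(?:^|\s)[/-]d(?:\s|$)", re.IGNORECASE)

def basename(path: str) -> str:
    """Return the lower-cased file name component of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()

def is_defense_disable(event: dict) -> bool:
    """True when DC.exe is spawned by svhostss.exe with the /D switch."""
    return (
        basename(event.get("Image", "")) == "dc.exe"
        and basename(event.get("ParentImage", "")) == "svhostss.exe"
        and DISABLE_SWITCH.search(event.get("CommandLine", "")) is not None
    )

def find_alerts(events: Iterable[dict]) -> list[dict]:
    """Return every process-creation event matching the Elpaco pattern."""
    return [e for e in events if is_defense_disable(e)]

# Constructed sample telemetry (not real logs): a legitimate svchost.exe
# launch, the pattern from the report, and DC.exe run without the /D switch.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"Image": r"C:\Users\Public\DC.exe",          # constructed drop path
     "ParentImage": r"C:\Users\Public\svhostss.exe",
     "CommandLine": r'"C:\Users\Public\DC.exe" /D'},
    {"Image": r"C:\Users\Public\DC.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\Public\DC.exe" /?'},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", alert["ParentImage"], "->", alert["CommandLine"])
```

Only the second event is reported; the legitimate svchost.exe launch and the DC.exe invocation without /D are left alone.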
The ransomware operator can select entire drives for encryption, perform a process injection to hide malicious processes, customize the ransom note, change the encryption extension, set the order of encryption based on the original file format, and exclude specific directories, files or formats from encryption.
Elpaco encrypts the victim’s files with the stream cipher ChaCha20, and the key for this cipher is encrypted by the asymmetric encryption algorithm RSA-4096.
Mimic variants, including Elpaco, have been used by threat actors on a massive scale targeting multiple countries worldwide.
Elpaco deletes itself from infected machines after encrypting the files to evade detection and analysis.
Kaspersky products detect the threat described in this article with the following verdicts: HEUR:Trojan-Ransom.Win32.Generic (dropper) and HEUR:Trojan-Ransom.Win32.Mimic.gen (svhostss.exe).
The TTPs identified from the malware analysis include Network Share Discovery, Command and Scripting Interpreter, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, and others.