DETECTION NAME

PATTERN VERSION

Ransom.Win32.MAILTO.AB

15.655.00

Ransom.Win32.MAILTO.AB.note

15.651.00

DETECTION NAME

PATTERN VERSION

TROJ.Win32.TRX.XXPE50F13009

In-the-Cloud

DETECTION NAME

PATTERN VERSION

Malware Behavior Blocking

1.979.00

RULES

1007598 - Identified Possible Ransomware File Rename Activity Over Network Share

1007912 - Identified Possible Ransomware File Rename Activity Over Network Share – Client

1007596 - Identified Possible Ransomware File Extension Rename Activity Over Network Share

1007913 - Identified Possible Ransomware File Extension Rename Activity Over Network Share – Client

DETECTION NAME

PATTERN VERSION

VAN_RANSOMWARE.UMXX

N/A

Detection

SHA1

Ransom.Win32.MAILTO.AB

E393A9ECF0D0A8BABAA5EFCC34F10577AFF1CAD1

Ransom.Win32.MAILTO.AB.note

81e44a55c2af98080d26be11923dbaea7c1b38d8

Ransom.Win32.MAILTO.AB.note

2BAAC9E0940E99FC44D319F9F2F3DCE323702914

MailTo Ransomware Information

Product / Version includes:

OfficeScan XG , OfficeScan 11.0 , Apex One 2019 , Apex One as a Service All , Deep Security All , Worry-Free Business Security Services All

Last updated: 2025/05/08

Solution ID: KA-0010833

Category: Remove a Malware / Virus

Summary

Observed in January 2020, this ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. There are incidents where the threat can be customized by the attacker to avoid detection by deleting itself or by uninstalling the installed security software. Detailed information can be seen in this Threat Encyclopedia entry.

Key identifiers that this variant has run are the encrypted files and ransom note will be the following:

Encrypted Files
Files will be encrypted using the following names:
{original file name}.mailto[kkeessnnkkaa@cock.li].{5 random characters}
Ransom note
The ransom note will have this format:
{Enrypted Directory}\{5 Random Characters}-Readme.txt
image

The {5 random characters} in the ransom note and encrypted filenames will be unique for each instance that the ransomware runs.
The following combinations were seen in three different machines:

33c1a
3e894
e44eb

Solutions Available

Virus Pattern

DETECTION NAME	PATTERN VERSION
Ransom.Win32.MAILTO.AB	15.655.00
Ransom.Win32.MAILTO.AB.note	15.651.00

Predictive Machine Learning

DETECTION NAME	PATTERN VERSION
TROJ.Win32.TRX.XXPE50F13009	In-the-Cloud

Behavior Monitoring

DETECTION NAME	PATTERN VERSION
Malware Behavior Blocking	1.979.00

Intrusion Prevention Rules in Deep Security

RULES
1007598 - Identified Possible Ransomware File Rename Activity Over Network Share
1007912 - Identified Possible Ransomware File Rename Activity Over Network Share – Client
1007596 - Identified Possible Ransomware File Extension Rename Activity Over Network Share
1007913 - Identified Possible Ransomware File Extension Rename Activity Over Network Share – Client

Sandbox

DETECTION NAME	PATTERN VERSION
VAN_RANSOMWARE.UMXX	N/A

Indicators of Compromise

Detection	SHA1
Ransom.Win32.MAILTO.AB	E393A9ECF0D0A8BABAA5EFCC34F10577AFF1CAD1
Ransom.Win32.MAILTO.AB.note	81e44a55c2af98080d26be11923dbaea7c1b38d8
Ransom.Win32.MAILTO.AB.note	2BAAC9E0940E99FC44D319F9F2F3DCE323702914

Prevention and Containment

Containment is possible by installing a Trend Micro endpoint agent such as OfficeScan, Apex One, Deep Security, or Worry-Free Business Security, and configuring to best practices.

Make sure to configure your solutions to its best practice settings, making sure that the following key features are enabled for your Endpoint Security:

Smart Scan – Threat patterns are stored in cloud and are updated every hour.
Predictive Machine Learning – Proactive solution for threats that are not yet known to our patterns
Behavior Monitoring – Monitors process activity for any malicious attempts to change critical settings and unauthorized file modification
Agent Self Protection – If enabled and configured with a password, users and processes will not be able to make unauthorized changes to your security software.

Recovery

Worry Free Business Security, Apex One, or Deep Security will be able to clean up the ransomware notes left.

File recovery is not possible post infection as after evaluating the threat, there is no known way to decrypt the files.

It is recommended to restore from back-up all encrypted files. One good safe computing practice is to ensure you have accurate back-ups of your files. The 3-2-1 principle should be in play: three copies, two different media, one separate location. Windows has a feature called Volume Shadow Copy that allows you to restore files to their previous state and is enabled by default.

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

MailTo Ransomware Information

MailTo Ransomware Information

Product / Version includes:

Summary