MAILTO ransomware terminates multiple processes and services. It does this to release any open handles on target files so that encryption succeeds. In addition, it avoids encrypting files whose names contain certain strings or that carry certain extensions.
For the technical details of the ransomware, please refer to the Threat Encyclopedia.
Solution Coverage
File-based Signature
Detection Name | Pattern Version |
---|---|
Ransom.Win32.MAILTO.AB | 15.655.00 |
Ransom.Win32.MAILTO.AB.note | 15.651.00 |
Predictive Machine Learning
Detection Name | Pattern Version |
---|---|
TROJ.Win32.TRX.XXPE50F13009 | In-the-Cloud |
Behavior Monitoring
Detection Name | Pattern Version |
---|---|
Malware Behavior Blocking | 1.979.00 |
Intrusion Prevention Rules in Deep Security
Rules |
---|
1007598 - Identified Possible Ransomware File Rename Activity Over Network Share |
1007912 - Identified Possible Ransomware File Rename Activity Over Network Share – Client |
1007596 - Identified Possible Ransomware File Extension Rename Activity Over Network Share |
1007913 - Identified Possible Ransomware File Extension Rename Activity Over Network Share – Client |
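The Deep Security rules above are named after one observable side effect of share-based encryption: a single client renaming many files to a new extension in a short time. The following is an added example (it is not Trend Micro's rule logic and not code from the page) of that heuristic over a constructed share-access log. The log format, client addresses, paths, threshold and window are all assumptions made for the example.

```python
"""Added example: flag bursts of file-extension renames over a network share.

Heuristic (modelled on the rule names above, not on Trend Micro's rule
logic): one client renaming N or more files to the same new extension
within a short window is treated as possible ransomware activity.
"""
import ntpath
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format:
#   <ISO timestamp> <client_ip> RENAME <old_path> -> <new_path>
SAMPLE_LOG = r"""
2020-03-10T09:00:01 10.0.0.5 RENAME \\fs01\share\q1.xlsx -> \\fs01\share\q1.xlsx.locked
2020-03-10T09:00:02 10.0.0.5 RENAME \\fs01\share\q2.xlsx -> \\fs01\share\q2.xlsx.locked
2020-03-10T09:00:02 10.0.0.5 RENAME \\fs01\share\notes.docx -> \\fs01\share\notes.docx.locked
2020-03-10T09:00:03 10.0.0.5 RENAME \\fs01\share\plan.pptx -> \\fs01\share\plan.pptx.locked
2020-03-10T09:00:04 10.0.0.5 RENAME \\fs01\share\budget.csv -> \\fs01\share\budget.csv.locked
2020-03-10T09:05:00 10.0.0.7 RENAME \\fs01\share\draft.docx -> \\fs01\share\final.docx
2020-03-10T09:30:00 10.0.0.7 RENAME \\fs01\share\old.txt -> \\fs01\share\old.bak
"""


def parse_line(line):
    """Return (timestamp, client, old_path, new_path) or None for non-rename lines."""
    ts, client, op, rest = line.split(" ", 3)
    if op != "RENAME":
        return None
    old, new = rest.split(" -> ", 1)
    return datetime.fromisoformat(ts), client, old, new


def find_rename_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per (client, new extension) once the sliding-window
    count of extension-changing renames reaches `threshold`.

    Renames that keep the extension (draft.docx -> final.docx) are ignored,
    because ordinary users do those all day; a change of extension is the
    signal the rules above key on.
    """
    recent = defaultdict(deque)   # (client, new_ext) -> timestamps in window
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, old, new = parsed
        old_ext = ntpath.splitext(old)[1].lower()
        new_ext = ntpath.splitext(new)[1].lower()
        if old_ext == new_ext:
            continue
        key = (client, new_ext)
        window_events = recent[key]
        window_events.append(ts)
        # Drop events older than the window before counting.
        while window_events and ts - window_events[0] > window:
            window_events.popleft()
        if len(window_events) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "client": client,
                "new_ext": new_ext,
                "count": len(window_events),
                "first_seen": window_events[0].isoformat(),
                "last_seen": ts.isoformat(),
            })
    return alerts


def detect_sample():
    """Run the heuristic over the constructed log above."""
    return find_rename_bursts(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for alert in detect_sample():
        print("possible ransomware rename burst:", alert)
```

On the constructed log, only 10.0.0.5 is flagged: five files renamed to `.locked` within four seconds. The single `.txt` to `.bak` rename from 10.0.0.7 and the `.docx` to `.docx` rename are left alone. The caveat to keep in mind is the gap the heuristic shares with the rule names it imitates: a sample that encrypts in place without renaming, or that writes a new file and deletes the original, never produces a rename event, which is why the file-based, machine-learning and behaviour-monitoring layers listed above are used alongside the network-share rules rather than instead of them.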
Sandbox
Detection Name | Pattern Version |
---|---|
VAN_RANSOMWARE.UMXX | n/a |
What should customers do?
- Implement the best practice configuration against ransomware for your Trend Micro products. Refer to the following KB articles:
  - Worry-Free Business Security
  - ApexOne: Best Practice Guide for malware protection for Trend Micro Apex One™ as a Service and Trend Micro Apex One
  - OfficeScan
  - Trend Micro Endpoint Application Control: Best Practice Configuration against Ransomware and other Malware Threats with Endpoint Application Control (TMEAC) 2.0 Patch 1
  - SMID: How to enable ransomware category in ScanMail for IBM Domino (SMID) 5.6 for Windows
  - SMEX: Ransomware protection using ScanMail for Exchange (SMEX)
  - TMCAS: Enabling the Ransomware Protection feature on Trend Micro Cloud App Security (TMCAS)
  - IMSVA: Enabling the Ransomware Protection feature in InterScan Messaging Security (IMSS/IMSVA)
  - HES: Ransomware protection using Hosted Email Security (HES)
  - IWSVA: Configuring URL Filtering policy to block Ransomware on InterScan Web Security Virtual Appliance (IWSVA) 6.5 Service Pack 2

  For other recommendations, please refer to Ransomware: Solutions, Best Practice Configuration and Prevention using Trend Micro products.
- Secure the usage of Sysadmin tools: Best Practices: Securing Sysadmin Tools.
- Contact Trend Micro Technical Support for further assistance.