Observed in January 2020, this ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. There are incidents where the threat can be customized by the attacker to avoid detection by deleting itself or by uninstalling the installed security software. Detailed information can be seen in this Threat Encyclopedia entry.
Key identifiers that this variant has run are the encrypted files and ransom note will be the following:
- Encrypted Files
Files will be encrypted using the following names:{original file name}.mailto[kkeessnnkkaa@cock.li].{5 random characters}
- Ransom note
The ransom note will have this format:{Enrypted Directory}\{5 Random Characters}-Readme.txt
image
The following combinations were seen in three different machines:
- 33c1a
- 3e894
- e44eb
Solutions Available
Virus Pattern
| DETECTION NAME | PATTERN VERSION |
|---|---|
| Ransom.Win32.MAILTO.AB | 15.655.00 |
| Ransom.Win32.MAILTO.AB.note | 15.651.00 |
Predictive Machine Learning
| DETECTION NAME | PATTERN VERSION |
|---|---|
| TROJ.Win32.TRX.XXPE50F13009 | In-the-Cloud |
Behavior Monitoring
| DETECTION NAME | PATTERN VERSION |
|---|---|
| Malware Behavior Blocking | 1.979.00 |
Intrusion Prevention Rules in Deep Security
| RULES |
|---|
| 1007598 - Identified Possible Ransomware File Rename Activity Over Network Share |
| 1007912 - Identified Possible Ransomware File Rename Activity Over Network Share – Client |
| 1007596 - Identified Possible Ransomware File Extension Rename Activity Over Network Share |
| 1007913 - Identified Possible Ransomware File Extension Rename Activity Over Network Share – Client |
Sandbox
| DETECTION NAME | PATTERN VERSION |
|---|---|
| VAN_RANSOMWARE.UMXX | N/A |
Indicators of Compromise
| Detection | SHA1 |
|---|---|
| Ransom.Win32.MAILTO.AB | E393A9ECF0D0A8BABAA5EFCC34F10577AFF1CAD1 |
| Ransom.Win32.MAILTO.AB.note | 81e44a55c2af98080d26be11923dbaea7c1b38d8 |
| Ransom.Win32.MAILTO.AB.note | 2BAAC9E0940E99FC44D319F9F2F3DCE323702914 |
Prevention and Containment
Containment is possible by installing a Trend Micro endpoint agent such as OfficeScan, Apex One, Deep Security, or Worry-Free Business Security, and configuring to best practices.
Make sure to configure your solutions to its best practice settings, making sure that the following key features are enabled for your Endpoint Security:
- Smart Scan – Threat patterns are stored in cloud and are updated every hour.
- Predictive Machine Learning – Proactive solution for threats that are not yet known to our patterns
- Behavior Monitoring – Monitors process activity for any malicious attempts to change critical settings and unauthorized file modification
- Agent Self Protection – If enabled and configured with a password, users and processes will not be able to make unauthorized changes to your security software.
Recovery
Worry Free Business Security, Apex One, or Deep Security will be able to clean up the ransomware notes left.
File recovery is not possible post infection as after evaluating the threat, there is no known way to decrypt the files.
It is recommended to restore from back-up all encrypted files. One good safe computing practice is to ensure you have accurate back-ups of your files. The 3-2-1 principle should be in play: three copies, two different media, one separate location. Windows has a feature called Volume Shadow Copy that allows you to restore files to their previous state and is enabled by default.
