MailTo Ransomware Information

Updated: 25 Aug 2020
Product/Version:
    • Apex One 2019
    • Apex One as a Service
    • Deep Security All
    • OfficeScan 11.0
    • OfficeScan XG
    • Worry-Free Business Security Services All
Summary

Observed in January 2020, this ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. In some incidents the threat was customized by the attacker to avoid detection, either by deleting itself after running or by uninstalling the installed security software. Detailed information can be seen in this Threat Encyclopedia entry.

The key indicators that this variant has run are the names of the encrypted files and of the ransom note, which take the following form:

  • Encrypted Files
    Files will be encrypted and renamed using the following pattern:

    {original file name}.mailto[kkeessnnkkaa@cock.li].{5 random characters}

  • Ransom note
    The ransom note will have this path and name:

    {Encrypted Directory}\{5 Random Characters}-Readme.txt

 
The {5 random characters} in the ransom note name and in the encrypted filenames are unique for each instance in which the ransomware runs, so they identify that particular execution.
The following values were seen on three different machines:
  • 33c1a
  • 3e894
  • e44eb
 
Details

Solutions Available

Virus Pattern

  Detection Name                  Pattern Version
  Ransom.Win32.MAILTO.AB          15.655.00
  Ransom.Win32.MAILTO.AB.note     15.651.00

Predictive Machine Learning

  Detection Name                  Pattern Version
  TROJ.Win32.TRX.XXPE50F13009     In-the-Cloud

Behavior Monitoring

  Detection Name                  Pattern Version
  Malware Behavior Blocking       1.979.00

Intrusion Prevention Rules in Deep Security

RULES
1007598 - Identified Possible Ransomware File Rename Activity Over Network Share
1007912 - Identified Possible Ransomware File Rename Activity Over Network Share – Client
1007596 - Identified Possible Ransomware File Extension Rename Activity Over Network Share
1007913 - Identified Possible Ransomware File Extension Rename Activity Over Network Share – Client

Sandbox

  Detection Name                  Pattern Version
  VAN_RANSOMWARE.UMXX             N/A

Indicators of Compromise

  Detection                       SHA1
  Ransom.Win32.MAILTO.AB          E393A9ECF0D0A8BABAA5EFCC34F10577AFF1CAD1
  Ransom.Win32.MAILTO.AB.note     81e44a55c2af98080d26be11923dbaea7c1b38d8
  Ransom.Win32.MAILTO.AB.note     2BAAC9E0940E99FC44D319F9F2F3DCE323702914
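The naming pattern in the Key Identifiers section and the SHA1 list above can both be turned into a simple triage scan. The following script is an added example, not part of this article or of any Trend Micro product: it walks a directory tree, recognises files renamed with the `.mailto[kkeessnnkkaa@cock.li].{5 random characters}` suffix and `{5 random characters}-Readme.txt` notes, groups them by the per-instance identifier, and compares every file's SHA1 against the indicators listed on this page. It assumes the five random characters are alphanumeric (the three observed values are hexadecimal), and the sample directory it builds is constructed with placeholder content, so the hash check reports no hits on it.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# SHA1 indicators of compromise from this article, normalised to lower case.
MAILTO_SHA1 = {
    "e393a9ecf0d0a8babaa5efcc34f10577aff1cad1": "Ransom.Win32.MAILTO.AB",
    "81e44a55c2af98080d26be11923dbaea7c1b38d8": "Ransom.Win32.MAILTO.AB.note",
    "2baac9e0940e99fc44d319f9f2f3dce323702914": "Ransom.Win32.MAILTO.AB.note",
}

# Encrypted file: {original file name}.mailto[kkeessnnkkaa@cock.li].{5 random characters}
# Assumption: the five characters are alphanumeric (observed instances were hex).
ENCRYPTED_RE = re.compile(
    r"^(?P<orig>.+)\.mailto\[kkeessnnkkaa@cock\.li\]\.(?P<id>[0-9A-Za-z]{5})$"
)
# Ransom note: {5 random characters}-Readme.txt, dropped in each encrypted directory.
NOTE_RE = re.compile(r"^(?P<id>[0-9A-Za-z]{5})-Readme\.txt$", re.IGNORECASE)


def parse_encrypted_name(name):
    """Return (original name, instance id) if name matches the encrypted-file pattern."""
    m = ENCRYPTED_RE.match(name)
    return (m.group("orig"), m.group("id")) if m else None


def parse_note_name(name):
    """Return the instance id if name matches the ransom-note pattern."""
    m = NOTE_RE.match(name)
    return m.group("id") if m else None


def sha1_of(path):
    """Hash a file in chunks so large files do not have to be read into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Walk root; group encrypted files and notes by instance id; hash-check every file."""
    instances = defaultdict(lambda: {"encrypted": [], "notes": []})
    ioc_hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            enc = parse_encrypted_name(name)
            if enc:
                instances[enc[1]]["encrypted"].append(path)
            note_id = parse_note_name(name)
            if note_id:
                instances[note_id]["notes"].append(path)
            detection = MAILTO_SHA1.get(sha1_of(path))
            if detection:
                ioc_hits.append((path, detection))
    return {"instances": dict(instances), "ioc_hits": ioc_hits}


def demo():
    """Build a constructed directory resembling the article's observations and scan it."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "Documents")
        os.makedirs(docs)
        for name in (
            "budget.xlsx.mailto[kkeessnnkkaa@cock.li].33c1a",
            "notes.docx.mailto[kkeessnnkkaa@cock.li].33c1a",
            "33c1a-Readme.txt",
            "clean.txt",
        ):
            with open(os.path.join(docs, name), "wb") as f:
                f.write(b"constructed sample content\n")  # placeholder, not malware
        return scan_tree(root)


if __name__ == "__main__":
    report = demo()
    for inst, found in report["instances"].items():
        print(f"instance {inst}: {len(found['encrypted'])} encrypted file(s), "
              f"{len(found['notes'])} ransom note(s)")
    print("IoC hash hits:", report["ioc_hits"])
```

Grouping by the five-character identifier is what makes the output useful during response: each distinct identifier corresponds to a separate run of the ransomware, so several identifiers across one share indicate more than one infected host wrote to it. Point `scan_tree` at a mounted share or a forensic image rather than a live system drive, and feed the SHA1 matches into whatever case tracking is in use.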

Prevention and Containment

Containment is possible by installing a Trend Micro endpoint agent such as OfficeScan, Apex One, Deep Security, or Worry-Free Business Security, and configuring it according to best practices.

Make sure to configure your solutions to their best practice settings, and that the following key features are enabled for your Endpoint Security:

  • Smart Scan – Threat patterns are stored in the cloud and are updated every hour.
  • Predictive Machine Learning – Proactive protection against threats that are not yet known to our patterns.
  • Behavior Monitoring – Monitors process activity for malicious attempts to change critical settings and for unauthorized file modification.
  • Agent Self Protection – If enabled and configured with a password, users and processes will not be able to make unauthorized changes to your security software.

Recovery

Worry-Free Business Security, Apex One, or Deep Security will be able to clean up the ransom notes left behind.

After evaluating the threat, there is no known way to decrypt the files, so file recovery is not possible post infection.

It is recommended to restore all encrypted files from backup. One good safe computing practice is to ensure you have accurate backups of your files. The 3-2-1 principle should be followed: three copies, on two different media, with one copy in a separate location. Windows has a feature called Volume Shadow Copy that allows you to restore files to their previous state and is enabled by default.

Category: Remove a Malware / Virus
Solution Id: 000264928