What is the Mailto ransomware?
On the last day of January 2020, things went bad at Toll. Very bad, judging from the lengths the company has had to go to in order to carry on business while the IT team restored functionality of critical systems.
We heard on the grapevine that the multi-billion dollar logistics company was still using manual processes several days after the malware first took hold, possibly indicating the severity of the compromise was much higher than initial reports indicated. We can only imagine the lost revenue as clients turned to alternate suppliers for several weeks.
A week after the compromise, Toll and the Australian Cyber Security Centre (ACSC) indicated that the company had been attacked using the Mailto ransomware. We thought we would explain just what that is, how it works and what you can do in your business to combat it.
What is Mailto?
Also known as NetWalker, Mailto is ransomware. That means it will encrypt all the common file types it can find on your computer, other than the operating system itself, rendering them unusable. Then it will deliver a message to your desktop informing you that the attacker will decrypt them for a ransom fee.
How does it work?
Encrypted files are renamed with the attacker’s preferred email address for communications and a file extension that is unique to each compromised user.
In this particular case, the attacker promises that by emailing any one encrypted file to them, the user can have it decrypted as proof that the attacker is willing and able to “do business” with them and deliver a method for unlocking the files.
Generally, only the attacker can decrypt data that has been encrypted by their software. Mailto and similar programs use very strong encryption algorithms that are practically impossible to break without the encryption key.
How does it get into your system?
For the malware to spread, it first needs a foothold in your network.
Little is yet known about the attack vector for the Toll attack, but typically Mailto is spread through compromised email attachments. The ACSC indicates that user credential theft and/or a brute force attack on passwords in combination with usernames may have been used in the Toll case.
If distributed via email, Mailto infects a user’s system when the user opens an infected payload masquerading as a legitimate file. With some planning on the attacker’s part, users can be led to believe a file is legitimate and be convinced to click on it, bypassing several security controls.
After the initial infection, it requires no further user interaction: it traverses every connected file and folder on the network that it can access, encrypting files with selected extensions such as .docx, .xlsx and .jpg.
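Because the renaming described above (attacker contact address plus a per-victim extension) and the bulk encryption of common document types both leave an obvious trace in the filesystem, a defender can scan shares for that trace. The script below is an example added to this article, not code from the original post or from Toll or the ACSC. The exact filename layout it matches (`original.mailto[email].ext`) is an assumption chosen for illustration, and the sample directory it builds is constructed, not real malware output.

```python
"""
Defensive scan for files renamed in the Mailto style described above.
Added example; the filename layout is an ASSUMPTION for illustration:
    <original name>.mailto[<attacker contact email>].<per-victim extension>
"""
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumed naming convention: original name, then ".mailto[" + email + "]",
# then a short alphanumeric extension that is the same for one victim.
MAILTO_NAME = re.compile(
    r"^(?P<original>.+)\.mailto\[(?P<email>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]{3,8})$"
)


def scan_tree(root):
    """Walk `root`; return (suspect paths, per-email counts, per-extension counts)."""
    suspects = []
    emails = Counter()
    exts = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = MAILTO_NAME.match(name)
            if m:
                suspects.append(os.path.join(dirpath, name))
                emails[m.group("email")] += 1
                exts[m.group("ext")] += 1
    return suspects, emails, exts


def assess(root, threshold=3):
    """Summarise a scan and decide whether it looks like a bulk encryption run.

    One oddly named file is noise; many files sharing a single contact address
    and a single per-victim extension is the pattern the article describes.
    """
    suspects, emails, exts = scan_tree(root)
    bulk = (
        bool(emails)
        and emails.most_common(1)[0][1] >= threshold
        and len(exts) == 1
    )
    return {
        "suspect_count": len(suspects),
        "contact_emails": sorted(emails),
        "victim_extensions": sorted(exts),
        "likely_outbreak": bulk,
    }


def build_sample_tree():
    """Create a constructed sample share: a few clean files and a hit subfolder."""
    root = Path(tempfile.mkdtemp(prefix="mailto_demo_"))
    (root / "shares" / "finance").mkdir(parents=True)
    for name in ["report.docx", "budget.xlsx", "holiday.jpg", "notes.txt"]:
        (root / "shares" / name).write_text("clean")
    # Constructed names only; the address uses the reserved .invalid domain.
    for name in ["q1.docx", "staff.xlsx", "logo.jpg", "plan.docx"]:
        renamed = f"{name}.mailto[contact@attacker.invalid].ab12c"
        (root / "shares" / "finance" / renamed).write_bytes(b"\x00" * 16)
    return root


if __name__ == "__main__":
    result = assess(build_sample_tree())
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it against a mounted share on a schedule or from a file-server monitoring job; the `threshold` and the single-extension check keep a lone renamed file from paging anyone, while a burst across one share is the event worth acting on.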
What can you do about it?
We are at pains to make the point that cyber criminals can never be trusted – in many cases they provide no decryption process, even after a ransom payment.
Even if their ransom demands are met, you may receive nothing and have to write off your lost data.
We recommend prior preparation to prevent serious consequences.
The only way to easily restore your files is with a properly managed backup regime that carries multiple file versions. Your Recovery Point Objective (the maximum amount of data that you are willing to put at risk in the event of a serious business interruption like a ransomware attack) should be defined by your IT team and regularly tested so that you are sure you can restore 95%+ of all your files quickly.
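Regular restore testing against the figures above (a defined Recovery Point Objective and 95%+ of files recoverable) is easiest when it is a repeatable script rather than a manual spot check. The following is an example added to this article, not code from the original post. It assumes a manifest of SHA-256 digests taken from the protected tree when the backup was made, and a restore into a scratch directory; the sample data it builds is constructed.

```python
"""
Restore-test helper for a versioned backup regime. Added example; assumes a
manifest of SHA-256 digests recorded at backup time (constructed sample data).
"""
import hashlib
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source_root):
    """Record every file under the protected tree as relative path -> digest."""
    source_root = Path(source_root)
    return {
        str(p.relative_to(source_root)): sha256_file(p)
        for p in source_root.rglob("*")
        if p.is_file()
    }


def verify_restore(manifest, restore_root, snapshot_time, now, rpo, min_fraction=0.95):
    """Compare a restored tree against the manifest and the RPO.

    A file counts as restored only when it exists AND its digest matches;
    a present-but-altered file is as useless as a missing one.
    """
    ok, missing, corrupt = [], [], []
    for rel, digest in manifest.items():
        p = Path(restore_root) / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != digest:
            corrupt.append(rel)
        else:
            ok.append(rel)
    fraction = len(ok) / len(manifest) if manifest else 0.0
    within_rpo = (now - snapshot_time) <= rpo
    return {
        "restored_fraction": fraction,
        "missing": sorted(missing),
        "corrupt": sorted(corrupt),
        "within_rpo": within_rpo,
        "passed": fraction >= min_fraction and within_rpo,
    }


def build_sample():
    """Constructed sample: 20 source files; the restore lacks one and has one damaged."""
    base = Path(tempfile.mkdtemp(prefix="restore_demo_"))
    src, dst = base / "source", base / "restored"
    src.mkdir()
    dst.mkdir()
    for i in range(20):
        (src / f"doc{i:02d}.docx").write_text(f"document {i}")
    manifest = build_manifest(src)
    for p in src.iterdir():
        if p.name == "doc07.docx":
            continue  # simulate a file the backup job skipped
        data = p.read_bytes()
        if p.name == "doc12.docx":
            data = b"truncated"  # simulate a damaged copy
        (dst / p.name).write_bytes(data)
    return manifest, dst


if __name__ == "__main__":
    manifest, restored = build_sample()
    now = datetime(2020, 2, 7, 9, 0, tzinfo=timezone.utc)
    result = verify_restore(
        manifest, restored, now - timedelta(hours=12), now, rpo=timedelta(hours=24)
    )
    print(result)
```

The two failure modes the test surfaces (a skipped file and a silently damaged one) are exactly the ones that only show up when you restore and compare, which is why the drill has to run end to end rather than just confirming that the backup job reported success.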
Application Whitelisting should be considered. In those organisations where we have implemented Application Whitelisting, the occurrence of ransomware has dropped to zero.
We also offer Security-as-a-Service whereby we add a layer of external monitoring and event action as a complement to your other IT systems and internal team.
Finally, when was the last time your company practised a Disaster Recovery event? It’s as important as a fire drill – even more so, since most fires at work are small and easily controlled. A Disaster Recovery simulation provides critical training to the team securing your users, so that when the real thing occurs they’re ready to react without panic or confusion.