MailTo, also known as Netwalker, is ransomware that is currently targeting various industries including the healthcare industry during the COVID-19 pandemic. It encrypts files, rendering them unusable, then displays a message to inform the victims that the attacker will decrypt the files for a ransom fee.

Apart from encrypting files, the attack also disables services, terminates processes, and displays messages.

Note: MailTo and similar programs use strong encryption algorithms that are practically impossible to decrypt.

With Log360, enterprises can stay ahead of these attacks by detecting them at an early stage, giving them enough time to respond and mitigate such threats.

How the MailTo ransomware attack works

With MailTo attacks, malware is spread through email attachments. The malicious payload is delivered through phishing emails or when a user downloads it from a malicious site. Let's take a closer look at how the attack takes place.

Step 1:

MailTo ransomware starts by generating a unique name with a character count based on the "namesz" field—in this case, eight characters. The payload installs in the following location:

%Program Files%\{8 random characters}\{8 random characters}.exe.

If it fails to install in the %Program Files% directory, then it gets installed in %Application Data%\{8 characters}\{8 characters}.exe

Step 2:

MailTo uses registry keys to store encryption keys and to set up a persistent backdoor in the victim's system. Once MailTo ransomware is executed, a registry key is created under:

HKEY_LOCAL_MACHINE\SOFTWARE\{8 random characters}
{8 random characters} = "{hex values}"
HKEY_CURRENT_USER\SOFTWARE\{8 random characters}
{8 random characters} = "{hex values}"

With this step, MailTo ransomware has installed itself, initialized configurations such as encryption keys, and created a backdoor, so it can relaunch itself even after a reboot.

Step 3:

After initialization, MailTo ransomware begins the process of starting a new “explorer.exe” instance and injecting a copy of itself into it. With this step, MailTo is able to:

  • Kills processes, including those that could be performing an operation on a file that could prevent the ransomware from encrypting the file.
  • Kills services, including those that could also be performing an operation that could prevent the ransomware from encrypting the file.
  • Kills scheduled tasks

This is done to benefit the attacker in creating the best environment to take the victim's data hostage.

Step 4:

During execution, MailTo ransomware makes an API call to AdjustTokenPrivileges to give itself “SeDebugPrivilege” and “SeImpersonatePrivilege.” MailTo ransomware then immediately starts to encrypt the files and renames them with the attacker's preferred email address and a file extension that is unique to each compromised user. For example, "abc.doc" might be renamed to "abc.doc.mailto@[BLOCKED}k.li].4gt31."

Step 5:

After the encryption is complete, the ransom note is created. MailTo saves a text file "4gt31-Readme.txt," and displays the message on the desktop.

Step 6:

Once the ransom note is displayed, the process %System%\vssadmin.exe delete shadows /all /quiet is executed. The command silently deletes the volume shadow copies that are stored on the victim's system. This makes it impossible for the user to restore their system to the original state.

MailTo does its best to minimize its detection vectors by deleting itself, hiding its imports, and injecting into processes using stealthy techniques.

How Log360 tackles the MailTo Ransomware attack

Log360, a comprehensive SIEM solution, comes with a real-time correlation engine that has predefined rules to detect events related to this ransomware attack. It not only detects suspicious software installations and file modifications, but also alerts the security admins who can then quickly come up with a response plan, effectively mitigating the attack.

Want to try our SIEM solution? Fill this form to schedule a personalized demo with our product experts.

Thank you. Our experts will contact you.

  • Please enter Name
  • Please enter work email address
  • By clicking 'Submit' you agree to processing of personal data according to the Privacy Policy. You can unsubscribe from our mails at anytime.