Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Request a Demo

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Request a Demo
Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

View All Trustwave Services
Solutions
BY INDUSTRY
BY REGULATION
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
We reduce cyber risk and fortify organizations
Awards and Accolades
Recognition by analysts and media outlets
Trustwave SpiderLabs Team
Global researchers, ethical hackers, and responders
Trustwave Fusion Security Operations Platform
Unprecedented security visibility and control
Trustwave Security Colony
Access to cybersecurity threat protection resources
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
Register
Login
Resources
BLOGS
UPCOMING
MEDIA & ASSETS
NOTICES
HELP

An In-depth Look at MailTo Ransomware, Part Three of Three

Change theme to light An In-depth Look at MailTo Ransomware, Part Three of Three
3 Minute Read by Joshua Deacon, Lloyd Macrohon

Overview

In Part One of this series, we discussed how MailTo ransomware installs and configures itself on the victim's system and in Part Two we discussed how the malware, executes and injects itself into the system. In this post, we take a look at what makes ransomware different than other malware and gives it its deadly bite, encryption.

Encryption

Just before the encryption routine begins, the MailTo ransomware performs the following tasks:

  • Adjusts token privileges to give itself “SeDebugPrivilege” and “SeImpersonatePrivilege”.
  • Collects tokens of logged on users for use of impersonation
  • Scan system handle information for later use with removing processes/services from holding files from the ransomware.

We found that the ransomware uses this implementation of curve25519:

This is implemented to create a key to be used with a ChaCha stream cipher to encrypt files. It is not possible to decrypt any encrypted files without the private key of the ransomware owners.

MailTo encrypts the following locations using a ChaCha stream cipher:

  • Local Disk Drives
  • Network Shares
  • Hidden Network Shares (IPC$, Admin$)

The MailTo ransomware has three main threads that kick off the encryption, each thread having its own purpose. One of these threads is aimed at encrypting the local drive while the other two are targeted towards encrypting shared network locations.

Encryption Thread 1

The first thread created for the encryption process serves the roll of encrypting the local disk drives via the API function “GetLogicalDriveStringsW”. This function will return a list of drives and shared network locations. This routine will begin creating threads for every file and directory to encrypt on the found drives. It attempts to connect with the network locations using the current user’s access token and via the API functions “WNetUseConntectionW” and “WNetAddConnection2W”.

Encryption Thread 2

The second thread created will again perform “GetLogicalDriveStringsW” to get a list of drives as well as shared network locations. In this thread, the drives are filtered for only network drives. Before connecting to the network locations, the ransomware call “ImpersonateLoggedOnUser” in order to attempt to gain access to the network locations using different access tokens collected from logged-in users.

Encryption Thread 3

The third thread will act similar to the second created thread in terms of impersonating all currently logged on users but will collect shared network drives in a different manor. “GetNetShares” and “WNetEnumResourceW” are used to iterate over shared network drives and paths. “GetNetShares” will also pick up hidden network shares such as “IPC$” and “Admin$”.  

File Encryption

When it comes to encrypting an individual file, the ransomware is quite robust in ensuring that it will encrypt that file. When we say this, we mean if a process or service has a hold on a file that the ransomware wants to encrypt, the ransomware will kill that process or service in order to do so. If the ransomware does not have access to a file or network path, it will iterate all duplicated access tokens of users logged onto the machine and use that token in an attempt to encrypt the file. If the ransomware was shut down and only partially encrypted a file, but later executed again, it will check the last four bytes of the file for a CRC32 hash of their public ECC key. If the four bytes match the CRC32 hash of their public key, the ransomware will know that the file was fully and successfully encrypted.  

Finalization

Ransomware Note

When the MailTo ransomware has finished encrypting, it will open notepad with a ransomware note.

Ransomnote

Figure 1 – Ransomware Note

 

Uninstallation

After the ransomware note has been displayed, MailTo deletes the following entries from the system if they exist:

  • Files
    • Program Files (x86)/<uniqueName>/< uniqueName.exe>
    • Program Files/< uniqueName >/< uniqueName.exe>
    • C:\Users\<username>\AppData\Roaming\<uniqueName>\<uniqueName.exe>
  • Registry Keys
    • HKEY_LOCAL_MACHINE\SOFTWARE\Mircrosoft\Windows\CurrentVersion\Run
    • HKEY_CURRENT_USER \SOFTWARE\Mircrosoft\Windows\CurrentVersion\Run

Shadow Copy Deletion

Shadow copy deletion occurs after MailTo uninstalls itself from the system. “vssadmin.exe” is used with the following command for shadow copy deletion:

“vssadmin.exe delete shadows /all /quiet”

Shadow copy deletion using this simple vssadmin command is typical of many ransomware. Interestingly, shadow copy deletion also occurs one additional time during the execution of the injected entry point of Explorer.exe (2).

ShadowCopiesAnomoly

Figure 2 – DeleteShadowCopies() call inside of Explorer.exe (2)

Conclusion

The MailTo ransomware is complex ransomware which effectively does its job of encrypting files. What makes MailTo tricky is its ability to leave no stone unturned when it comes to encrypting files. The ransomware has been designed in a careful way to ensure that its privileges are exhausted to the fullest extent by enumerating every logical drive and network share through impersonated user accounts. The ransomware also makes sure that it destroys any handles to files that are not its own. Even if a service or process is making changes to a file, the ransomware will eliminate that process/service and encrypt the file. The ransomware also sets up a persistent registry key and only removes it once the encryption has been complete.

MailTo does its best to minimize its detection vectors by deleting itself, hiding its imports, and injecting into processes using stealthy techniques. MailTo avoids the use of suspicious Windows APIs as much as it can by using the undocumented windows functions and keeping away from the Windows crypto API. Even though MailTo has its flaws such as with service termination, this ransomware will successfully encrypt files on a system and mapped network drives without the possibility of decrypting them without the ransomware private key.

MailTo is getting more and more popular, so stay safe and keep offline or unconnected backups of your important data.

Full Series

An In-depth Look at MailTo Ransomware, Part One
An In-depth Look at MailTo Ransomware, Part Two

IOC

MailTo Sample SHA256: 58e923ff158fb5aecd293b7a0e0d305296110b83c6e270786edcc4fea1c8404c

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Lessons from a Honeypot with US Citizens’ Data
2024 Trustwave Risk Radar Report: Cyber Threats to the Retail Sector
Hooked by the Call: A Deep Dive into The Tricks Used in Callback Phishing Emails

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo