The Australian Cyber Security Centre (ACSC) has released a security advisory and guidance on Mailto ransomware incidents. Mailto, also known as Kazakavkovkiz, belongs to the KoKo ransomware family.
The ACSC has not been able to confirm the initial intrusion vector of the Mailto ransomware attacks, but its analysts assess that the actors most likely first compromised user accounts through phishing and password spraying.
The actors then used those compromised accounts to send further phishing emails to the users' address books, spreading the malware to new victims.
The ACSC was also unable to confirm how Mailto spreads laterally across victims’ networks, and says it will continue to monitor the situation.
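The two behaviours the advisory describes, a password spray against many accounts followed by a freshly compromised mailbox mass-mailing its own address book, both leave a recognisable footprint in authentication and mail logs. The following detection logic is an added example written for this page; it is not code from the ACSC advisory, and the log formats, thresholds, IP addresses and account names are constructed for illustration.

```python
"""Detect password spraying and a follow-on internal phishing burst in
constructed authentication and outbound-mail logs (added example, not
part of the ACSC advisory)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log. Fields: ISO timestamp, source IP,
# username, outcome. 203.0.113.7 tries six accounts once each (a spray),
# then succeeds against erin; 198.51.100.9 hammers a single account.
AUTH_LOG = """\
2020-05-01T09:00:01 203.0.113.7 alice FAIL
2020-05-01T09:00:04 203.0.113.7 bob FAIL
2020-05-01T09:00:07 203.0.113.7 carol FAIL
2020-05-01T09:00:10 203.0.113.7 dave FAIL
2020-05-01T09:00:13 203.0.113.7 erin FAIL
2020-05-01T09:00:16 203.0.113.7 frank FAIL
2020-05-01T09:05:20 203.0.113.7 erin SUCCESS
2020-05-01T09:01:00 198.51.100.9 alice FAIL
2020-05-01T09:01:05 198.51.100.9 alice FAIL
2020-05-01T09:01:09 198.51.100.9 alice FAIL
2020-05-01T09:02:00 192.0.2.44 gina SUCCESS
"""

# Constructed sample outbound mail log. Fields: timestamp, sender, recipient.
# erin's mailbox sends to eight distinct recipients within two minutes.
MAIL_LOG = """\
2020-05-01T09:06:00 erin@example.test r1@partner.test
2020-05-01T09:06:10 erin@example.test r2@partner.test
2020-05-01T09:06:20 erin@example.test r3@partner.test
2020-05-01T09:06:30 erin@example.test r4@partner.test
2020-05-01T09:06:45 erin@example.test r5@partner.test
2020-05-01T09:07:00 erin@example.test r6@partner.test
2020-05-01T09:07:20 erin@example.test r7@partner.test
2020-05-01T09:07:45 erin@example.test r8@partner.test
2020-05-01T09:30:00 bob@example.test r1@partner.test
2020-05-01T09:31:00 bob@example.test r2@partner.test
"""


def parse_log(text, fields):
    """Turn whitespace-delimited log lines into dicts keyed by `fields`,
    parsing the first field as a timestamp, and return them time-sorted."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(fields, line.split()))
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users=5, max_per_user=2):
    """Flag source IPs whose failed logins inside `window` touch at least
    `min_users` distinct accounts with no more than `max_per_user` attempts
    each. Many accounts with few guesses apiece is the spray signature;
    many guesses against one account is ordinary brute force and is not
    reported here."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, fails in by_ip.items():
        for i, start in enumerate(fails):  # slide a window over each IP's failures
            in_window = [f for f in fails[i:] if f["ts"] - start["ts"] <= window]
            per_user = Counter(f["user"] for f in in_window)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged[ip] = sorted(per_user)
                break
    return flagged


def successes_from_spraying_ips(events, spray):
    """Accounts that later authenticated successfully from a spraying IP:
    the likely compromised accounts worth resetting and reviewing."""
    return sorted({e["user"] for e in events
                   if e["result"] == "SUCCESS" and e["ip"] in spray})


def detect_mail_burst(events, window=timedelta(minutes=5), min_recipients=5):
    """Flag senders that mail at least `min_recipients` distinct recipients
    inside `window`, the pattern of a compromised mailbox phishing its own
    address book. Returns sender -> distinct recipient count."""
    by_sender = defaultdict(list)
    for e in events:
        by_sender[e["sender"]].append(e)
    flagged = {}
    for sender, msgs in by_sender.items():
        for i, start in enumerate(msgs):
            rcpts = {m["rcpt"] for m in msgs[i:] if m["ts"] - start["ts"] <= window}
            if len(rcpts) >= min_recipients:
                flagged[sender] = len(rcpts)
                break
    return flagged


def run():
    """Correlate the two logs and return the findings as one dict."""
    auth = parse_log(AUTH_LOG, ("ts", "ip", "user", "result"))
    mail = parse_log(MAIL_LOG, ("ts", "sender", "rcpt"))
    spray = detect_password_spray(auth)
    return {
        "spray": spray,
        "compromised": successes_from_spraying_ips(auth, spray),
        "mail_burst": detect_mail_burst(mail),
    }


if __name__ == "__main__":
    for name, finding in run().items():
        print(f"{name}: {finding}")
```

The thresholds are deliberately conservative placeholders; in a real deployment they are tuned against the organisation's baseline, and the spray check is keyed on source IP only because the sample is small. Actors spread a spray across many source addresses, so a production rule should also aggregate by user-agent, ASN or time-of-day profile, and the mail-burst check should be applied to any account that appears in the spray results.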
Indicators of Compromise (IoCs)
The advisory also includes a raw set of indicators of compromise (IoCs) for the Mailto malware.
To help safeguard against Mailto ransomware attacks, the ACSC recommends the following actions:
- Update security appliances and scan for malicious indicators.
- Implement the “Essential Eight” security controls*.
- Scan email content.
- Segment the network.
- Alert and educate staff.
- Report incidents.
* The Essential Eight security controls are: application whitelisting, patching applications, locking down Microsoft Office macros, application hardening, restricting administrative privileges, enforcing multi-factor authentication, patching operating systems, and performing daily backups.