Windows Explorer Used by Mailto Ransomware to Evade Detection

A newly discovered Mailto (NetWalker) ransomware strain can inject malicious code into the Windows Explorer process so that the malware can evade detection.

While this ransomware, first spotted in August 2019, is known as Mailto after the extension it appends to all encrypted files, analysis of one of its decryptors shows that the ransomware’s authors dubbed it NetWalker.

As an attack disclosed in early February shows, Mailto not only targets home users but also attempts to compromise enterprise networks and encrypt all of the Windows devices connected to them.

Windows Explorer used to hide in plain sight

While many malware families use process hollowing, creating a process in a suspended state and then unmapping and replacing its memory with malicious code, the operators behind the Mailto ransomware use a different method to achieve the same result, as Quick Heal found.

Instead of creating the ‘scapegoat’ process in suspended mode, Mailto ransomware will create it in Debug mode and use debug APIs such as WaitForDebugEvent to perform the actual malicious code injection and have the explorer.exe process execute it.

Creating the explorer.exe process in debug mode (Image: Quick Heal)

After successfully injecting the malicious payload, the malware gains persistence on the compromised device by adding a registry RUN entry and deletes system shadow copies to prevent the victims from restoring their data after encryption.
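The behaviour described above leaves a recognizable trail on the endpoint: an explorer.exe instance whose parent is not the usual logon chain, followed by shadow copy deletion and a Run-key write from that same explorer.exe. The following detection logic is an added example written for this article, not code from Quick Heal or BleepingComputer; the event format is a simplified, constructed Sysmon-like record, the sample events are constructed, and the allowlist of expected explorer.exe parents is an assumption that must be tuned per environment.

```python
import re

# Processes expected to spawn explorer.exe during a normal desktop logon.
# Assumption for this example; real environments need their own baseline.
EXPECTED_EXPLORER_PARENTS = {"userinit.exe", "explorer.exe"}

# Shadow copy deletion via vssadmin (the page mentions shadow copy deletion).
SHADOW_DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)
# Any write under a per-user or machine Run key (the page mentions a RUN entry).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)

# Constructed sample telemetry, not a real capture.
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    {"event": "process_create", "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Users\victim\Downloads\invoice.exe", "cmdline": "explorer.exe"},
    {"event": "process_create", "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"event": "registry_set", "image": r"C:\Windows\explorer.exe", "parent_image": "",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Program Files\updater.exe"},
    {"event": "registry_set", "image": r"C:\Windows\System32\svchost.exe", "parent_image": "",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\Foo\Start", "value": "2"},
]


def basename(path):
    """Lower-case file name of a Windows path ('' for an empty path)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return (rule, detail) tuples that fire for one event."""
    findings = []
    if ev["event"] == "process_create":
        if basename(ev["image"]) == "explorer.exe" and basename(ev["parent_image"]) not in EXPECTED_EXPLORER_PARENTS:
            findings.append(("explorer_unexpected_parent", ev["parent_image"]))
        if SHADOW_DELETE_RE.search(ev.get("cmdline", "")):
            findings.append(("shadow_copy_deletion", ev["cmdline"]))
    elif ev["event"] == "registry_set":
        if RUN_KEY_RE.search(ev["key"]):
            findings.append(("run_key_persistence", ev["key"]))
    return findings


def detect(events):
    """Run every rule over a list of events; keep the originating index and images."""
    out = []
    for i, ev in enumerate(events):
        for rule, detail in check_event(ev):
            out.append({"index": i, "rule": rule, "image": ev["image"],
                        "parent_image": ev.get("parent_image", ""), "detail": detail})
    return out


def severity(findings):
    """Escalate when an anomalously spawned explorer.exe is also the actor behind
    shadow copy deletion or Run-key persistence, the chain described for Mailto."""
    rules = {f["rule"] for f in findings}
    explorer_actor = any(
        f["rule"] in ("shadow_copy_deletion", "run_key_persistence")
        and "explorer.exe" in (basename(f["image"]), basename(f["parent_image"]))
        for f in findings
    )
    if "explorer_unexpected_parent" in rules and explorer_actor:
        return "high"
    return "medium" if findings else "none"


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(f"[{h['rule']}] event {h['index']}: {h['detail']}")
    print("severity:", severity(hits))
```

The individual rules are noisy on their own (administrators do delete shadow copies, and installers do write Run keys); the value is in the correlation step, which only escalates when those actions come from an explorer.exe that was not started by the normal logon chain.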

The ransomware stores its configuration data, including the “base64 encrypted ransom note, e-mail addresses used in the ransom note, processes that need to be killed if in execution, whitelisted paths, file names and extensions,” and everything else it needs, within the .rsrc section of the JSON payload it injects into explorer.exe.

Payload injected into explorer.exe

“The ransomware and its group have one of the more granular and more sophisticated configurations observed,” Head of SentinelLabs Vitali Kremez told BleepingComputer after analyzing a Mailto ransomware sample last month.

When encrypting victims’ files, the Mailto ransomware will append an extension using the format .mailto[{mail1}].{id}. For instance, a file named 1.doc will be first encrypted and then renamed to 1.doc.mailto[[email protected]].77d8b.
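For responders sorting through an affected share, the naming scheme above is enough to recover the original file name, the contact address and the victim id from each encrypted file and to summarize the damage. The parser below is an added example, not code from the article or from any analysis of the sample; the directory listing and the mail address `mail1@example.invalid` are constructed, while the `77d8b` id is the one quoted in the text.

```python
import re
from collections import Counter

# Mailto renames <original name> to <original name>.mailto[<mail1>].<id>
MAILTO_NAME_RE = re.compile(
    r"^(?P<original>.+)\.mailto\[(?P<mail>[^\]]+)\]\.(?P<victim_id>[0-9a-f]+)$",
    re.IGNORECASE,
)

# Constructed directory listing; the mail address is a placeholder.
SAMPLE_LISTING = [
    "1.doc.mailto[mail1@example.invalid].77d8b",
    "budget.xlsx.mailto[mail1@example.invalid].77d8b",
    "photo.jpg.mailto[mail1@example.invalid].77d8b",
    "notes.txt",  # untouched file
    "archive.tar.gz.mailto[mail1@example.invalid].77d8b",
]


def parse_mailto_name(filename):
    """Split an encrypted file name into its parts, or return None if it does not
    follow the Mailto scheme."""
    m = MAILTO_NAME_RE.match(filename)
    if not m:
        return None
    parts = m.groupdict()
    original = parts["original"]
    # Last component of the original name is its real extension (e.g. 'gz' for .tar.gz).
    parts["original_ext"] = original.rsplit(".", 1)[-1].lower() if "." in original else ""
    return parts


def triage_listing(filenames):
    """Summarize a listing: how much was encrypted, which ids and contact addresses
    appear, and which file types were hit."""
    encrypted = [p for p in (parse_mailto_name(f) for f in filenames) if p]
    return {
        "encrypted_count": len(encrypted),
        "untouched_count": len(filenames) - len(encrypted),
        "victim_ids": sorted({e["victim_id"] for e in encrypted}),
        "contact_mails": sorted({e["mail"] for e in encrypted}),
        "by_original_ext": dict(Counter(e["original_ext"] for e in encrypted)),
    }


if __name__ == "__main__":
    for name in SAMPLE_LISTING:
        print(name, "->", parse_mailto_name(name))
    print(triage_listing(SAMPLE_LISTING))
```

More than one victim id in a single listing indicates that files were encrypted by separate infections (for example, several compromised hosts writing to the same share), which matters when matching files to the right ransom note.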

Mailto also drops ransom notes containing information on what happened to the infected computer, as well as two email addresses the victim can use to obtain the payment amount and decryption instructions.

Mailto encrypted documents

Clears all traces after encrypting files

“After encryption, the ‘explorer.exe’ kills the parent process and deletes the original sample, the file dropped at %ProgramFiles% and also the RUN entry, eradicating the traces of its existence,” Quick Heal also discovered.

Mailto ransomware is still being analyzed and it is not yet known if there are any weaknesses in its encryption algorithm that could be used to decrypt locked files for free.

Those who had their files encrypted by Mailto (NetWalker) can find more information about this ransomware and receive support in our dedicated Mailto / Netwalker Ransomware Support & Help Topic.

In related news, Australian transportation and logistics company Toll Group disclosed that systems across business units and multiple sites were encrypted by the Mailto ransomware in February.

Also, Mailto is not the first ransomware spotted using novel ways to evade security solutions. A Snatch ransomware strain reboots victims’ computers into Safe Mode to disable any resident antimalware solutions and starts encrypting their files as soon as the system restarts.