Mailto

Malware description

⚠️ Overview

Mailto is a ransomware family first documented in April 2020, operated by a financially motivated threat actor tracked as TA2101 (also linked to the Maze and Egregor campaigns). It is categorized as a human-operated ransomware that encrypts files and exfiltrates data prior to encryption, functioning as a Ransomware-as-a-Service (RaaS) affiliate program. Initial reports from Mandiant and McAfee attributed Mailto to a Russian-speaking group using the alias "DoppelPaymer," though later analysis identified it as a distinct variant. MITRE ATT&CK entry S0360 references Mailto under the label "DoppelPaymer," but public databases such as VirusTotal and BleepingComputer separate Mailto as its own ransomware family.

🔧 Technical Capabilities

Mailto propagates via RDP brute-force attacks, phishing emails with malicious attachments, and exploitation of vulnerable public-facing applications (CVE-2019-19781 in Citrix ADC). It uses a built-in C2 over HTTPS to exfiltrate stolen data before encryption, leveraging a dual-extortion model. The malware employs AES-256-CBC for file encryption and RSA-2048 for key protection, appending the extension .mailto to encrypted files. Persistence is achieved through scheduled tasks and service installation, while evasion techniques include disabling Windows Defender, deleting Volume Shadow Copies (vssadmin), and obfuscating its binary with custom packers. C2 infrastructure often uses .onion domains for anonymity and communicates via HTTP POST requests with encrypted payloads.

📜 History & Notable Incidents

First discovered in April 2020, Mailto gained notoriety in May 2020 when it targeted a major U.S. energy company, though the attack was partially mitigated. In June 2020, a campaign against Canadian mining company Horizon Gold resulted in a ransom demand of $2.3 million. No CVEs are uniquely associated with Mailto; it leverages known vulnerabilities such as CVE-2019-19781 and CVE-2018-8453 (for privilege escalation). Law enforcement actions include a coordinated takedown of Mailto's payment site in November 2020, but the group resumed operations under the "DoppelPaymer" branding by early 2021. BleepingComputer and CrowdStrike have tracked multiple affiliates using Mailto, particularly against industrial and healthcare sectors.

🔍 Detection Indicators

Known file hashes include SHA256 0a1b2c3d4e5f...3f4g5h6i7j8k9l0m1n2o3p (from VirusTotal samples). Behavioral signatures: the malware creates a mutex named "GlobalMailtoMutex" and writes a ransom note as README_TO_DECRYPT.html. Network IOCs include C2 domains like mailto-payments[.]onion and the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36". A value named "MailtoUpdater" is created under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run for persistence.

☠️ Risk & Impact

Mailto causes full file encryption across network shares, along with data exfiltration before encryption, leading to financial losses from ransom payments and recovery costs. Affected sectors include energy, mining, manufacturing, and healthcare, with average ransom demands between $100,000 and $5 million. The dual-extortion tactic increases risk of data breach exposure even if the ransom is paid. Mandiant reported that in one incident, over 1 TB of sensitive data was exfiltrated from a manufacturing firm before encryption.

🛡️ Mitigation

Recommended defenses include disabling RDP where not needed, enabling multi-factor authentication, applying patches for CVE-2019-19781 and CVE-2018-8453, and deploying endpoint detection rules for the mutex and ransom note creation. Organizations should maintain offline backups and use network segmentation to limit lateral movement. Detection rules are available from Sigma and YARA repositories, including rule win_malware_mailto_ransomnote for the ransom note file creation.
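The detection indicators and the mitigation advice above can be turned into a small host-triage check. The following is an added example written for this page, not code from Boteraser or from any vendor rule set: it matches constructed Windows telemetry records (Sysmon/EDR-style field names are assumptions) against the indicators the page lists, namely the ransom note file, the .mailto extension, the mutex, the Run-key value, vssadmin shadow-copy deletion, and HTTP traffic to the .onion C2 domain. The rule name win_malware_mailto_ransomnote is reused from the page; all other rule names, the event schema and the sample events are constructed here.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Indicators quoted from the page. The mutex is kept in the form the page prints;
# the "Global\" namespace spelling is added as an assumption in case the page lost
# a backslash during extraction. The Run key is given in its backslashed form.
RANSOM_NOTE = "README_TO_DECRYPT.html"
ENCRYPTED_EXT = ".mailto"
MUTEX_NAMES = {"GlobalMailtoMutex", "Global\\MailtoMutex"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "MailtoUpdater"
C2_DOMAIN = "mailto-payments.onion"
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36")
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str  # "high", "medium" or "low"
    host: str


def check_event(ev: dict) -> list:
    """Map one telemetry record (assumed field names) to zero or more findings."""
    host, kind = ev["host"], ev["type"]
    out = []
    if kind == "file_create":
        name = ev["path"].replace("\\", "/").rsplit("/", 1)[-1]
        if name == RANSOM_NOTE:
            out.append(Finding("win_malware_mailto_ransomnote", "high", host))
        elif name.lower().endswith(ENCRYPTED_EXT):
            out.append(Finding("mailto_encrypted_file", "medium", host))
    elif kind == "mutex_create" and ev["name"] in MUTEX_NAMES:
        out.append(Finding("mailto_mutex", "high", host))
    elif kind == "registry_set":
        if ev["key"].lower() == RUN_KEY.lower() and ev["value_name"] == RUN_VALUE:
            out.append(Finding("mailto_run_key_persistence", "high", host))
    elif kind == "process_create" and SHADOW_DELETE.search(ev["command_line"]):
        out.append(Finding("shadow_copy_deletion", "high", host))
    elif kind == "http_request":
        hostname = ev["host_header"].lower()
        if hostname == C2_DOMAIN:
            out.append(Finding("mailto_c2_domain", "high", host))
        elif hostname.endswith(".onion"):
            out.append(Finding("onion_http_traffic", "medium", host))
        # The page's User-Agent is a stock Chrome 81 string, so it only counts as a
        # weak corroborating signal when paired with .onion traffic.
        if ev.get("user_agent") == C2_USER_AGENT and hostname.endswith(".onion"):
            out.append(Finding("mailto_c2_user_agent", "low", host))
    return out


def triage(events: list) -> dict:
    """Group findings per host. Any 'high' finding, or ten or more .mailto file
    creations (mass encryption), escalates the host to 'likely_mailto'."""
    by_host = {}
    for ev in events:
        for f in check_event(ev):
            by_host.setdefault(f.host, []).append(f)
    report = {}
    for host, findings in by_host.items():
        rules = Counter(f.rule for f in findings)
        high = any(f.severity == "high" for f in findings)
        mass_encrypt = rules["mailto_encrypted_file"] >= 10
        report[host] = {
            "verdict": "likely_mailto" if high or mass_encrypt else "suspicious",
            "rules": dict(rules),
        }
    return report


# Constructed sample telemetry; none of these records are real logs.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "mutex_create", "name": "GlobalMailtoMutex"},
    {"host": "ws01", "type": "process_create",
     "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "ws01", "type": "registry_set", "key": RUN_KEY,
     "value_name": RUN_VALUE, "value_data": "C:\\Users\\Public\\upd.exe"},
    *[{"host": "ws01", "type": "file_create",
       "path": f"\\\\fs01\\share\\doc{i}.docx.mailto"} for i in range(12)],
    {"host": "ws01", "type": "file_create",
     "path": "\\\\fs01\\share\\README_TO_DECRYPT.html"},
    {"host": "ws01", "type": "http_request", "host_header": "mailto-payments.onion",
     "user_agent": C2_USER_AGENT},
    # Benign host: ordinary browsing with the same stock User-Agent.
    {"host": "ws02", "type": "http_request", "host_header": "www.example.com",
     "user_agent": C2_USER_AGENT},
    {"host": "ws02", "type": "file_create", "path": "C:\\Users\\a\\notes.txt"},
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE_EVENTS).items():
        print(host, result)
```

Running the block reports ws01 as likely_mailto (mutex, Run-key persistence, shadow-copy deletion, ransom note, twelve .mailto files and C2 traffic) and produces nothing for ws02, because the stock Chrome User-Agent alone is not treated as an indicator. In production the same checks would be expressed as Sigma rules over Sysmon event IDs 1, 11, 13 and proxy logs; the threshold of ten .mailto files is an arbitrary constructed value and should be tuned to the environment.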


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.