SpiderLabs Blog

An In-depth Look at MailTo Ransomware, Part Three of Three


In Part One of this series, we discussed how MailTo ransomware installs and configures itself on the victim's system, and in Part Two we discussed how the malware executes and injects itself into the system. In this post, we take a look at what makes ransomware different from other malware and gives it its deadly bite: encryption.


Just before the encryption routine begins, the MailTo ransomware performs the following tasks:

  • Adjusts its token privileges to grant itself “SeDebugPrivilege” and “SeImpersonatePrivilege”.
  • Collects the access tokens of logged-on users for later impersonation.
  • Scans the system handle information for later use in terminating processes/services that hold open files the ransomware wants to encrypt.

We found that the ransomware uses this implementation of curve25519:

This is implemented to create a key to be used with a ChaCha stream cipher to encrypt files. It is not possible to decrypt any encrypted files without the private key of the ransomware owners.

MailTo encrypts the following locations using a ChaCha stream cipher:

  • Local Disk Drives
  • Network Shares
  • Hidden Network Shares (IPC$, Admin$)

The MailTo ransomware has three main threads that kick off the encryption, each thread having its own purpose. One of these threads is aimed at encrypting the local drive while the other two are targeted towards encrypting shared network locations.

Encryption Thread 1

The first thread created for the encryption process serves the role of encrypting the local disk drives, which it enumerates via the API function “GetLogicalDriveStringsW”. This function returns a list of drives, including mapped network locations. The routine then creates threads for every file and directory to encrypt on the drives found. It attempts to connect to the network locations using the current user’s access token via the API functions “WNetUseConnectionW” and “WNetAddConnection2W”.

Encryption Thread 2

The second thread again calls “GetLogicalDriveStringsW” to get a list of drives as well as shared network locations. In this thread, the list is filtered down to network drives only. Before connecting to the network locations, the ransomware calls “ImpersonateLoggedOnUser” in an attempt to gain access to them using the different access tokens collected from logged-in users.

Encryption Thread 3

The third thread acts similarly to the second thread in that it impersonates all currently logged-on users, but it collects shared network drives in a different manner. “GetNetShares” and “WNetEnumResourceW” are used to iterate over shared network drives and paths. “GetNetShares” will also pick up hidden network shares such as “IPC$” and “Admin$”.

File Encryption

When it comes to encrypting an individual file, the ransomware is quite robust in ensuring that it will encrypt that file. By this we mean that if a process or service has a hold on a file the ransomware wants to encrypt, the ransomware will kill that process or service in order to do so. If the ransomware does not have access to a file or network path, it will iterate over all of the duplicated access tokens of users logged onto the machine and use each token in an attempt to encrypt the file. If the ransomware was shut down after only partially encrypting a file, but is later executed again, it will check the last four bytes of the file for a CRC32 hash of the operators' public ECC key. If the four bytes match the CRC32 hash of their public key, the ransomware knows that the file was already fully and successfully encrypted.
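The four-byte trailer described above is also useful from the responder's side: once the public key embedded in a sample is known, the same check separates files that were fully encrypted from files the ransomware never finished (or never touched). The following is an added example, not code from the original post or from the MailTo sample; DEMO_PUBLIC_KEY is a constructed stand-in for the operators' curve25519 public key, and the little-endian layout of the stored CRC32 is an assumption the page does not state.

```python
import struct
import zlib
from pathlib import Path
from typing import Iterable

# Constructed stand-in for the operators' curve25519 public key; the real key is
# not on the page and is not needed to demonstrate the trailer check.
DEMO_PUBLIC_KEY = bytes(range(32))


def key_marker(public_key: bytes) -> bytes:
    """Return the 4-byte trailer the write-up describes: CRC32 of the public key.

    Assumption (not stated on the page): the CRC32 is stored little-endian,
    the natural layout for a DWORD written out by 32-bit Windows code.
    For the standard check value, key_marker(b"123456789") == 26 39 f4 cb.
    """
    return struct.pack("<I", zlib.crc32(public_key) & 0xFFFFFFFF)


def classify(data: bytes, public_key: bytes) -> str:
    """Return 'complete' when the trailer is present, else 'incomplete'.

    'incomplete' covers both an interrupted encryption run and an untouched
    file; files shorter than four bytes cannot carry the trailer at all.
    Note the 2^-32 chance that an untouched file ends in the same four bytes,
    so this is a triage signal, not proof of encryption.
    """
    if len(data) >= 4 and data[-4:] == key_marker(public_key):
        return "complete"
    return "incomplete"


def triage(paths: Iterable[Path], public_key: bytes) -> dict:
    """Read only the last four bytes of each file, as the ransomware itself
    does, and bucket the paths by classification for restore prioritisation."""
    buckets = {"complete": [], "incomplete": []}
    for path in paths:
        with open(path, "rb") as fh:
            fh.seek(0, 2)
            size = fh.tell()
            fh.seek(max(0, size - 4))
            tail = fh.read(4)
        buckets[classify(tail, public_key)].append(str(path))
    return buckets


if __name__ == "__main__":
    # Constructed in-memory samples stand in for real victim files.
    finished = b"\x9c\x1f\x42\x07" + key_marker(DEMO_PUBLIC_KEY)
    interrupted = b"\x9c\x1f\x42\x07"
    print(classify(finished, DEMO_PUBLIC_KEY), classify(interrupted, DEMO_PUBLIC_KEY))
```

Running triage() over a mounted image lists which files carry the marker and which do not, which is the same decision the ransomware makes on restart, applied in the responder's favour.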


Ransomware Note

When the MailTo ransomware has finished encrypting, it will open notepad with a ransomware note.


Figure 1 – Ransomware Note



After the ransomware note has been displayed, MailTo deletes the following entries from the system if they exist:

  • Files
    • Program Files (x86)/<uniqueName>/<uniqueName.exe>
    • Program Files/<uniqueName>/<uniqueName.exe>
    • C:\Users\<username>\AppData\Roaming\<uniqueName>\<uniqueName.exe>
  • Registry Keys
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Shadow Copy Deletion

Shadow copy deletion occurs after MailTo uninstalls itself from the system. “vssadmin.exe” is used with the following command for shadow copy deletion:

“vssadmin.exe delete shadows /all /quiet”

Shadow copy deletion using this simple vssadmin command is typical of many ransomware families. Interestingly, shadow copy deletion also occurs one additional time during the execution of the injected entry point of Explorer.exe (2).
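Because the command is so common across ransomware families, it is one of the highest-value process-creation detections a SOC can run. The following detection logic is an added example and is not code from the original post; the SAMPLE_EVENTS records are constructed in the shape of Sysmon Event ID 1 / Security 4688 fields and are not real telemetry. It matches on tokens rather than the exact string above, so a quoted full path, mixed case, extra whitespace or reordered switches still trigger.

```python
import ntpath
import re

# Constructed process-creation records (Sysmon Event ID 1 / 4688-style fields).
# None of these are real telemetry; parent paths are illustrative only.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 4188, "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin list shadows"},
    {"pid": 5001, "parent_image": r"C:\Users\user\AppData\Roaming\example\example.exe",
     "cmdline": '"C:\\Windows\\System32\\VSSADMIN.EXE"  Delete   Shadows /For=C: /Quiet'},
    {"pid": 5002, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe readme.txt"},
]

# Split a Windows command line into tokens, keeping quoted paths whole.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True when the command is vssadmin(.exe) carrying both 'delete' and 'shadows'.

    Token matching survives the variations a real launch can take: quoted
    full path, mixed case, extra whitespace and any order of switches
    (/all, /for=, /oldest, /quiet).
    """
    tokens = [t.strip('"') for t in _TOKEN.findall(cmdline)]
    if not tokens:
        return False
    exe = ntpath.basename(tokens[0]).lower()
    if exe not in ("vssadmin", "vssadmin.exe"):
        return False
    args = {t.lower() for t in tokens[1:]}
    return "delete" in args and "shadows" in args


def scan(events) -> list:
    """Return one alert per matching event.

    The parent process is carried into the alert because the write-up notes
    the command is issued both by the ransomware process itself and again
    from the injected Explorer.exe entry point; a vssadmin child of
    explorer.exe is therefore worth highlighting in the analyst view.
    """
    alerts = []
    for ev in events:
        if not is_shadow_copy_deletion(ev["cmdline"]):
            continue
        parent = ntpath.basename(ev["parent_image"]).lower()
        alerts.append({
            "pid": ev["pid"],
            "parent": parent,
            "cmdline": ev["cmdline"],
            "note": "launched from explorer.exe" if parent == "explorer.exe" else "",
        })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

In the constructed sample, the two deletion commands (pids 4120 and 5001) are flagged and the benign "vssadmin list shadows" and Notepad launches are not. In production the same predicate maps directly onto a SIEM rule keyed on the process-creation command-line field.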


Figure 2 – DeleteShadowCopies() call inside of Explorer.exe (2)


The MailTo ransomware is a complex piece of ransomware that effectively does its job of encrypting files. What makes MailTo tricky is its ability to leave no stone unturned when it comes to encrypting files. The ransomware has been carefully designed to use its privileges to the fullest extent by enumerating every logical drive and network share through impersonated user accounts. The ransomware also makes sure that it destroys any handles to files that are not its own: even if a service or process is making changes to a file, the ransomware will eliminate that process/service and encrypt the file. The ransomware also sets up a persistent registry key and only removes it once the encryption is complete.

MailTo does its best to minimize its detection vectors by deleting itself, hiding its imports, and injecting into processes using stealthy techniques. MailTo avoids the use of suspicious Windows APIs as much as it can by using undocumented Windows functions and keeping away from the Windows crypto API. Even though MailTo has its flaws, such as with service termination, this ransomware will successfully encrypt files on a system and on mapped network drives, and those files cannot be decrypted without the ransomware's private key.

MailTo is getting more and more popular, so stay safe and keep offline or unconnected backups of your important data.

Full Series

An In-depth Look at MailTo Ransomware, Part One
An In-depth Look at MailTo Ransomware, Part Two


MailTo Sample SHA256: 58e923ff158fb5aecd293b7a0e0d305296110b83c6e270786edcc4fea1c8404c
