Skulk Mailto Ransomware: An Interesting Anatomy of Cryptography, Eluding Anti-Ransomware Technologies
11:30 – 12:00(SGT) Friday 4 December, 2020
Even though Ransomware has been around since 1996, at present, it is the most sophisticated threat. The situation changed over the decade because of the techniques, tactics and procedures (TTPs) used by the malware authors have evolved a lot and are getting better day- by-day.
In February 2020, an Australian transportation company called Toll Group was hit by a notorious ransomware attack identified as Mailto. This infection reportedly spread to over 1000 servers and caused major disruption for the company and its clients. The same ransomware family was seen spreading through phishing emails, targeting people’s fear of COVID-19 pandemic. However, the most interesting trait of Mailto is the defence evasion of Anti-Ransomware technologies and implementation of strong cryptography algorithm.
This paper will focus on how Mailto ransomware evades the anti-ransomware technologies and the internals of encryption mechanism used by it. In this talk we will touch upon the following points
- Mailto uses a special Process Hollowing technique which can bypass most of the security products, especially the sophisticated Anti-Ransomware detection technologies easily. The Windows API sequence used by this malware while performing this operation is completely different from the normal process hollowing, which we have seen over the years.
- Demo: we will demonstrate the technique via short video clip and share the sequence of those APIs which will help the security vendors and products to monitor and block these types of evading techniques.
- It also used famous cha-cha aka salsa20 for the symmetric encryption, but for asymmetric encryption, it has implemented the special Elliptic-curve Diffie- Hellman (EC-DH) i.e. curve25519-donna.
- We will also explain the end to-end encryption process used by Mailto, which includes key identification, EC-DH algorithm identification, key-exchange, secret key agreement. We will touch base on the possibility of decryption mechanism as well.
Goutam Tripathy
Quick Heal Technologies Ltd.
Goutam Tripathy is currently working as a Senior Security Researcher at Quick Heal Security Labs. His main responsibilities include conducting research on trending ransomware, reverse their encryption routine, and providing an exhaustive analysis of different kinds of malware. He has passionate about analyzing security vulnerability and related exploits. He also contributes his research to Quick Heal blogs.
Priyanka Shinde
Quick Heal Technologies Ltd.
Priyanka Shinde is currently working as a Senior Security Researcher at Quick Heal Security Labs. She is very keen and passionate about analyzing trending malware families. Her responsibilities include research on different malware and ransomware families, providing in-depth analysis on them, and decryption support in case of ransomware.
Sponsors and Supporting Organizations
Diamond Sponsors
Platinum Sponsor
Networking Lounge Sponsor
Supporting Organization
Associate Sponsors