The ACSC recommends organisations consider the following actions:
Update security appliances and scan for malicious indicators
The ACSC’s primary recommendation for detecting and preventing the spread of the Mailto ransomware is to update anti-virus and other security tools.
Apply the latest Indicators of Compromise (IOCs) to your organisation's gateway and firewalls for both inbound and outbound traffic; the outbound rules are what catch an already-infected host reaching out to attacker infrastructure. Update anti-virus signatures and scan hosts for the indicators using anti-virus or host-based security tools, and check proxy and firewall logs for the network indicators as well, so that earlier contact with listed domains or addresses is not missed.
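The sweep described above, as an added example that is not code from the ACSC advisory: it loads an indicator CSV, hashes files under a directory against the listed SHA-256 values, and checks proxy and firewall log lines for listed domains (including their subdomains) and IPv4 addresses. The CSV layout (columns type, indicator, description), the indicator values and the log lines are all constructed for illustration; map the column names to the real indicator release before using it.

```python
"""Sweep host files and gateway logs for indicators from an IoC CSV release.

Added example, not code from the ACSC advisory. The CSV layout used here
(columns: type,indicator,description) is an assumption; map the column
names to the real indicator release before running it against your data.
"""
import csv
import hashlib
import io
import ipaddress
import re
import tempfile
from pathlib import Path

# Constructed sample indicator list in the assumed layout. The values are
# placeholders chosen for illustration, not real Mailto indicators.
SAMPLE_IOC_CSV = """type,indicator,description
sha256,2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824,constructed dropper hash
domain,example-bad.invalid,constructed C2 domain
ipv4,203.0.113.10,constructed C2 address
"""

# Constructed proxy and firewall log lines in a simple space-separated form.
SAMPLE_LOG = [
    "2020-02-07T10:00:01Z proxy ALLOW 10.0.0.5 GET http://www.example.com/index.html",
    "2020-02-07T10:00:09Z proxy ALLOW 10.0.0.5 GET http://cdn.example-bad.invalid/payload.bin",
    "2020-02-07T10:01:13Z fw DENY 10.0.0.7 -> 203.0.113.10:443",
]

def load_iocs(csv_text):
    """Parse the CSV into lowercase indicator sets keyed by type."""
    iocs = {"sha256": set(), "domain": set(), "ipv4": set()}
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind = row["type"].strip().lower()
        if kind in iocs:
            iocs[kind].add(row["indicator"].strip().lower())
    return iocs

def sha256_of_file(path):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def sweep_files(root, iocs):
    """Return (path, digest) for every file under root whose SHA-256 is listed."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            digest = sha256_of_file(p)
            if digest in iocs["sha256"]:
                hits.append((str(p), digest))
    return hits

DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def matching_domain(host, ioc_domains):
    """Match the host or any parent domain, so a listed C2 domain is still
    caught when the log only records one of its subdomains."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in ioc_domains:
            return candidate
    return None

def sweep_log_lines(lines, iocs):
    """Return (line number, indicator) for each line touching a listed domain or IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in DOMAIN_RE.findall(line):
            hit = matching_domain(host, iocs["domain"])
            if hit:
                hits.append((n, hit))
        for ip in IPV4_RE.findall(line):
            try:
                ipaddress.ip_address(ip)  # discard non-addresses such as 300.1.2.3
            except ValueError:
                continue
            if ip in iocs["ipv4"]:
                hits.append((n, ip))
    return hits

def run_file_demo(iocs):
    """Build a throwaway directory holding one constructed file whose hash is listed."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "benign.txt").write_bytes(b"nothing to see here")
        Path(d, "dropper.bin").write_bytes(b"hello")  # sha256 of b"hello" is the sample IoC
        return [(Path(p).name, digest) for p, digest in sweep_files(d, iocs)]

if __name__ == "__main__":
    iocs = load_iocs(SAMPLE_IOC_CSV)
    for name, digest in run_file_demo(iocs):
        print("file match:", name, digest)
    for n, indicator in sweep_log_lines(SAMPLE_LOG, iocs):
        print("log match: line %d -> %s" % (n, indicator))
```

Point sweep_files at user-writable and temporary directories first (that is where a mailed dropper usually lands), and keep the matching domain logic suffix-based: an exact-string comparison would miss cdn.example-bad.invalid when only example-bad.invalid is on the list.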
Implement Essential Eight security controls
The ACSC recommends implementing the ASD Essential Eight mitigations to reduce threats to ICT systems. To combat the threat of ransomware specifically, agencies should implement the following mitigations.
Patch operating systems
Maintaining a regular patch process (as detailed in Assessing Security Vulnerabilities and Applying Patches) removes the vulnerabilities that ransomware exploits to move laterally within a network, limiting the number of hosts impacted by a successful infection.
Daily backups
The ACSC recommends maintaining isolated, offline backups of your data and systems to allow recovery in the event of the widespread deployment of ransomware. Backups that remain connected to the network can be encrypted along with everything else, so keep at least one copy disconnected and periodically test that it can actually be restored.
Implement additional security controls
The ACSC publishes a comprehensive list of Strategies to Mitigate Cyber Security Incidents. To specifically combat the threat of ransomware to ICT systems, agencies should implement the following mitigations.
Email content scanning
It is possible that Mailto spreads via emails containing malicious attachments. Email content filters and dynamic email analysis sandboxing capabilities could be put in place to prevent malicious content from reaching users and reduce the likelihood of compromise. To complement this, anti-virus software using heuristics and reputation ratings should also be installed to identify and prevent malicious attachments that do make it to end users.
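A mail content filter of the kind described above, as an added example that is not code from the ACSC advisory. It parses a raw message, classifies each attachment as allow, sandbox or block from its content rather than its name alone (a PE header is blocked whatever the extension, archives are opened and their members judged, Office files are routed to dynamic analysis when they carry a VBA project), and handles the whole message according to its worst attachment. The extension lists, the size cap and the sample message with its constructed macro-enabled document and zip-wrapped executable are all illustrative assumptions.

```python
"""Triage e-mail attachments the way a mail content filter would, before delivery.

Added example, not code from the ACSC advisory. The policy lists, size cap
and the sample message are constructed for illustration; tune them locally.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions with no business reason to arrive by e-mail (assumed policy).
BLOCK_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
             ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".lnk", ".iso", ".img"}
# Document and archive types worth detonating in a sandbox before release.
SANDBOX_EXT = {".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".ppt",
               ".pptx", ".pptm", ".rtf", ".pdf", ".zip"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy Office / OLE compound file
MAX_MEMBER_BYTES = 20 * 1024 * 1024               # refuse to expand huge archive members
MAX_ZIP_DEPTH = 2
RANK = {"allow": 0, "sandbox": 1, "block": 2}

def classify_bytes(name, data, depth=0):
    """Return (verdict, reason) for one attachment; verdict is allow, sandbox or block."""
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    if data[:2] == b"MZ":
        return "block", "PE executable content regardless of extension"
    if ext in BLOCK_EXT:
        return "block", "extension %s is not permitted" % ext
    if data.startswith(OLE_MAGIC):
        return "sandbox", "legacy OLE Office document, may carry macros"
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                infos = [m for m in zf.infolist() if not m.is_dir()]
                if any(m.file_size > MAX_MEMBER_BYTES for m in infos):
                    return "block", "archive member exceeds size cap"
                members = {m.filename: zf.read(m) for m in infos}
        except zipfile.BadZipFile:
            return "sandbox", "zip container that does not parse"
        if any(n.lower().endswith("vbaproject.bin") for n in members):
            return "sandbox", "OOXML document containing a VBA project"
        if ext == ".zip":
            if depth >= MAX_ZIP_DEPTH:
                return "block", "archive nested deeper than policy allows"
            worst = ("allow", "archive members are clean")
            for n, blob in members.items():   # worst member decides the archive
                verdict, reason = classify_bytes(n, blob, depth + 1)
                if RANK[verdict] > RANK[worst[0]]:
                    worst = (verdict, "archive member %s: %s" % (n, reason))
            return worst
    if ext in SANDBOX_EXT:
        return "sandbox", "document type routed to dynamic analysis"
    return "allow", "no policy match"

def triage_message(raw):
    """Parse a raw RFC 5322 message and classify every attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        verdict, reason = classify_bytes(name, data)
        results.append((name, verdict, reason))
    return results

def overall_verdict(results):
    """A message is handled according to its worst attachment."""
    return max((v for _, v, _ in results), key=RANK.get, default="allow")

def build_sample_message():
    """Constructed message: a harmless note, a macro-enabled document, a zip hiding an .exe."""
    docm = io.BytesIO()
    with zipfile.ZipFile(docm, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 16)
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x90" * 62)
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "staff@example.org"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment("meeting notes", filename="notes.txt")
    msg.add_attachment(docm.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="invoice.docm")
    msg.add_attachment(archive.getvalue(), maintype="application",
                       subtype="zip", filename="archive.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    results = triage_message(build_sample_message())
    for name, verdict, reason in results:
        print("%-14s %-8s %s" % (name, verdict, reason))
    print("message verdict:", overall_verdict(results))
```

The ordering of the checks matters: content signatures run before extension rules so that a renamed executable or a double extension such as invoice.pdf.exe inside an archive is still caught, and anything that claims to be a zip but fails to parse is sent to the sandbox rather than let through.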
Network segmentation and segregation
Organisations should partition networks into smaller sections in order to separate and segregate communications between specific hosts and services. Appropriate segmentation and segregation will limit how far a successful ransomware infection can spread across a network.
More details on considerations and techniques to perform network segmentation and segregation can be found in Implementing Network Segmentation and Segregation.
Develop a plan
Create a response plan so your organisation can respond quickly in the event of a ransomware infection. Most importantly, affected machines and network segments should be immediately quarantined: isolated from the rest of the network and disconnected from the internet.
Alert and educate staff
Consider sending out an organisation-wide alert to raise awareness of the dangers associated with opening attachments on unusual emails. Consider implementing an education program to improve staff awareness of cyber security, or how to spot suspicious emails. For more details on how to implement a successful staff awareness program, see Improving Staff Awareness.
If you have any questions regarding this guidance you can contact us via 1300 CYBER1 (1300 292 371).
To report a cyber security incident go to ReportCyber or call 1300 CYBER1 (1300 292 371).
Indicators of Compromise (IoCs)
For indicators of compromise, please refer to the CSV file attached below:
- 2020-003 ACSC Indicator Release TLP WHITE (CSV), updated 7 February 2020