
2020-003: Mailto ransomware incidents

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) is aware of recent ransomware incidents involving a ransomware tool known as ‘Mailto’ or ‘Kazakavkovkiz’. Mailto belongs to the KoKo ransomware family.

Alert status

At this time, the ACSC is unaware whether these incidents are indicative of a broader campaign.


Currently, the ACSC has limited information about the initial intrusion vector for Mailto infections.

There is some evidence that Mailto actors may have used phishing and password spray attacks, and then used compromised accounts to send further phishing emails to the user's address book to spread the malware.

There is currently limited information from this compromise on how the malware is spread laterally across a network.

The hash of the Mailto ransomware from this incident is available in the Indicators of Compromise section of this advisory.

The ACSC is continuing to monitor the situation and will update this advisory with any additional details.
