
Advisory 2020-003: Mailto ransomware incidents

Overview

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) is aware of recent ransomware incidents involving a ransomware tool known as ‘Mailto’ or ‘Kazakavkovkiz’. Mailto belongs to the KoKo ransomware family.

At this time, the ACSC is unaware whether these incidents are indicative of a broader campaign.

Details

Currently, the ACSC has limited information about the initial intrusion vector for Mailto infections.

There is some evidence that Mailto actors may have used phishing and password spray attacks, and then used the compromised accounts to send further phishing emails to contacts in the user's address book in order to spread the malware.
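As an added example that is not part of the advisory, the following Python script shows one way a defender can check authentication logs for the password spray pattern described above (a single source failing logins against many different accounts within a short window, with few attempts per account) and then list the accounts that subsequently authenticated successfully from such a source, since those are the candidates for the "compromised accounts" the advisory mentions. The log line format, field names, thresholds and the sample lines are all constructed assumptions for this example; adapt the parser to your own authentication log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the advisory). The
# 'auth=... user=... src=...' layout is an assumption for this example;
# the source addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2020-02-05T09:00:01Z auth=fail user=alice src=203.0.113.10
2020-02-05T09:00:04Z auth=fail user=bob src=203.0.113.10
2020-02-05T09:00:07Z auth=fail user=carol src=203.0.113.10
2020-02-05T09:00:10Z auth=fail user=dave src=203.0.113.10
2020-02-05T09:00:12Z auth=ok user=dave src=203.0.113.10
2020-02-05T09:01:00Z auth=fail user=erin src=198.51.100.7
2020-02-05T09:02:30Z auth=fail user=erin src=198.51.100.7
2020-02-05T09:03:45Z auth=fail user=erin src=198.51.100.7
2020-02-05T09:04:10Z auth=ok user=erin src=198.51.100.7
2020-02-05T11:30:00Z auth=fail user=frank src=192.0.2.55
2020-02-05T12:30:00Z auth=fail user=grace src=192.0.2.55
2020-02-05T13:30:00Z auth=fail user=heidi src=192.0.2.55
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into (timestamp, result, user, src), or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group("result"), m.group("user"), m.group("src")


def detect_password_spray(lines, min_users=3, window_minutes=10):
    """Return {src: sorted distinct users} for every source that failed logins
    against at least `min_users` distinct accounts inside some sliding window
    of `window_minutes`. Repeated failures on a single account (brute force)
    and slow failures spread over hours are deliberately not flagged here."""
    failures = defaultdict(list)  # src -> [(timestamp, user), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        if result == "fail":
            failures[src].append((ts, user))

    window = timedelta(minutes=window_minutes)
    flagged = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until events[start..end] fit in it.
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({u for _, u in events[start:end + 1]}) >= min_users:
                flagged[src] = sorted({u for _, u in events})
                break
    return flagged


def successful_logins_from(lines, sources):
    """Return sorted users that authenticated successfully from any flagged source."""
    users = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[1] == "ok" and parsed[3] in sources:
            users.add(parsed[2])
    return sorted(users)


if __name__ == "__main__":
    log_lines = SAMPLE_LOG.splitlines()
    sprayers = detect_password_spray(log_lines)
    print("spray sources:", sprayers)
    print("accounts to review:", successful_logins_from(log_lines, sprayers))
```

With the constructed sample, only 203.0.113.10 is reported under the default 10-minute window (four accounts in ten seconds); 198.51.100.7 hammers one account and 192.0.2.55 tries three accounts an hour apart, so neither matches the spray pattern. Widening the window to 120 minutes also catches the slow source, which is the trade-off to tune against your own baseline.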

There is currently limited information from this compromise on how the malware spreads laterally across a network.

The hash of the Mailto ransomware from this incident is available in the Indicators of Compromise section of this advisory.

The ACSC is continuing to monitor the situation and will update this advisory with any additional details.

Recommendations

The ACSC recommends organisations consider the following actions:

Update security appliances and scan for malicious indicators

The ACSC’s primary recommendation for detecting and preventing the spread of the Mailto ransomware is to update antivirus and other security tools.

You should apply the latest Indicators of Compromise (IOCs) to your organisation's gateways and firewalls for both inbound and outbound traffic. Organisations should update antivirus signatures and scan for the indicators using antivirus or host-based security tools.
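The following Python script is an added example, not code from the advisory or the ACSC, of the host-based scanning step: it loads hash indicators from a CSV, skips indicator types a file scanner cannot check (IPs and domains belong in gateway and firewall rules instead), hashes every file under a directory in a single pass and reports matches. The CSV layout (`type,value` columns), the sample indicator values and the "malicious" file contents are all constructed for this example; the advisory's attached IOC CSV is not reproduced here and its real column layout may differ.

```python
import csv
import hashlib
import io
import os
import tempfile

# Hash types a host-based file scanner can check.
HASH_ALGORITHMS = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}

# Constructed stand-in for a flagged binary; NOT Mailto or any real sample.
SAMPLE_MALICIOUS_BYTES = b"constructed placeholder for a flagged binary\n"

# Constructed IOC CSV in an assumed 'type,value' layout. The sha256 entry is
# written upper-case on purpose to show that matching is case-insensitive;
# the address and domain are documentation-range placeholders.
SAMPLE_IOC_CSV = (
    "type,value\n"
    f"sha256,{hashlib.sha256(SAMPLE_MALICIOUS_BYTES).hexdigest().upper()}\n"
    "ipv4,203.0.113.25\n"
    "domain,example.invalid\n"
)


def load_hash_iocs(csv_text):
    """Return {algorithm: set of lower-case hex digests}, ignoring non-hash indicator types."""
    iocs = {alg: set() for alg in HASH_ALGORITHMS}
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind = row["type"].strip().lower()
        if kind in iocs:
            iocs[kind].add(row["value"].strip().lower())
    return iocs


def hash_file(path, algorithms):
    """Compute the requested digests of one file, reading it only once."""
    hashers = {alg: HASH_ALGORITHMS[alg]() for alg in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def scan_directory(root, iocs):
    """Walk `root` and return [(path, algorithm, digest)] for files matching a hash indicator."""
    wanted = [alg for alg, digests in iocs.items() if digests]
    matches = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path, wanted)
            except OSError:
                continue  # unreadable file; a real deployment should log this
            for alg, digest in digests.items():
                if digest in iocs[alg]:
                    matches.append((path, alg, digest))
    return matches


def demo():
    """Build a temporary tree with one benign and one flagged file, scan it, and return the matched file names."""
    iocs = load_hash_iocs(SAMPLE_IOC_CSV)
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        with open(os.path.join(root, "readme.txt"), "wb") as fh:
            fh.write(b"benign content\n")
        with open(os.path.join(root, "sub", "update.exe"), "wb") as fh:
            fh.write(SAMPLE_MALICIOUS_BYTES)
        return sorted(os.path.basename(p) for p, _, _ in scan_directory(root, iocs))


if __name__ == "__main__":
    print(demo())
```

Hash indicators only catch byte-identical samples, so this complements rather than replaces signature and heuristic scanning; the value of the script is in applying a freshly published IOC list across many hosts quickly and consistently.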

Implement Essential Eight security controls

The Centre recommends implementing the ASD Essential Eight mitigations to reduce threats to ICT systems. Specifically, to combat the threat of ransomware to ICT systems, agencies should implement the following mitigations.

Patch operating systems

Maintaining a regular patch process (as detailed in Assessing Security Vulnerabilities and Applying Patches) restricts the availability of exploits that ransomware can use to move laterally within a network, limiting the number of hosts impacted by a successful infection.

Daily backups

The Centre recommends maintaining isolated offline backups of your network to allow recovery in the event of the widespread deployment of ransomware.

Implement additional security controls

The ACSC publishes a comprehensive list of Strategies to Mitigate Cyber Security Incidents. To specifically combat the threat of ransomware to ICT systems, agencies should implement the following mitigations.

Email content scanning

It is possible that Mailto spreads via emails containing malicious attachments. Email content filters and dynamic email analysis sandboxing capabilities could be put in place to prevent malicious content from reaching users and reduce the likelihood of compromise. To complement this, antivirus software using heuristics and reputation ratings should also be installed to identify and prevent malicious attachments that do make it to end users.

Network segmentation

Organisations should partition networks into smaller sections in order to separate and segregate communications between specific hosts and services. Appropriate segmentation and segregation will limit the impact that a successful ransomware infection has on a network.

More details on considerations and techniques to perform network segmentation and segregation can be found in Implementing Network Segmentation and Segregation.

Develop a plan

Create a response plan to allow your organisation to respond in the event of a ransomware infection. Most importantly, affected machines/networks should be immediately quarantined and disconnected from the internet.

Alert and educate staff

Consider sending out an organisation-wide alert to raise awareness of the dangers associated with opening attachments on unusual emails. Consider implementing an education program to improve staff awareness of cyber security, including how to spot suspicious emails. For more details on how to implement a successful staff awareness program, see Improving Staff Awareness.

Incident reporting

If you have questions about this advice or have indications that your environment has been compromised, contact the ACSC by emailing asd.assist@defence.gov.au or calling 1300 CYBER1 (1300 292 371).

Indicators of Compromise (IoCs)

For indicators of compromise, please refer to the CSV file attached below:

Traffic light protocol

The following table lists the classification levels used in the traffic light protocol (TLP) and describes the restrictions on access and use for each classification level.

RED: Access to and use by your ACSC security contact officers only. You must ensure that your ACSC security contact officers do not disseminate or discuss the information with any other person, and you shall ensure that you have appropriate systems in place to ensure that the information cannot be accessed or used by any person other than your ACSC security contact officers.

AMBER: Restricted internal access and use only. Subject to the below, you shall only make AMBER publications available to your employees on a 'need to know' basis, strictly for your internal processes only, to assist in the protection of your ICT systems. In some instances you may be provided with AMBER publications which are marked to allow you to also disclose them to your contractors or agents on a need-to-know basis, strictly for your internal purposes only, to assist in the protection of your ICT systems.

GREEN: Restricted to closed groups and subject to confidentiality. You may share GREEN publications with external organisations, information exchanges, or individuals in the network security, information assurance or critical network infrastructure community that agree to maintain the confidentiality of the information in the publication. You may not publish or post on the web or otherwise release it in circumstances where confidentiality may not be maintained.

WHITE: Not restricted. WHITE publications are not confidential. They contain information that is for public, unrestricted dissemination, publication, web-posting or broadcast. You may publish the information, subject to copyright and any restrictions or rights noted in the information.

NOT CLASSIFIED: Any information received from the ACSC that is not classified in accordance with the TLP must be treated as AMBER classified information, unless otherwise agreed in writing with the ACSC.
Date: February 6th, 2020