The Australian Cyber Security Centre (ACSC) has released an advisory on Mailto ransomware incidents along with recommended actions that may be useful for managed security service providers (MSSPs) worldwide.
The ACSC said it believes Mailto actors may have used phishing and password spray attacks to compromise user accounts, but acknowledged that its information on the initial intrusion vector for Mailto, also known as Kazakavkovkiz, is limited. It is not clear whether these incidents indicate a broader campaign, and it is not yet known how the malware spreads laterally across a network. It is possible that Mailto spreads via emails containing malicious attachments.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging users, administrators, managed service providers (MSPs) and MSSPs to review the ACSC advisory on Mailto ransomware incidents.
Australian Government: How to Defend Against Ransomware
To combat the threat of Mailto and other ransomware, the government agency says organizations should:
- Update antivirus and other security tools to detect and prevent the spread of the Mailto ransomware.
- Maintain a regular patch process to restrict the availability of exploits that ransomware can use to move laterally within a network, limiting the number of hosts impacted by a successful infection.
- Maintain isolated offline backups of the network to allow recovery in the event of the widespread deployment of ransomware.
- Put in place email content filters and dynamic email analysis sandboxing capabilities to prevent malicious content from reaching users and reduce the likelihood of compromise.
- Partition networks into smaller sections in order to separate and segregate communications between specific hosts and services.
- Create a response plan to allow your organization to respond in the event of a ransomware infection.
- Immediately quarantine affected machines and networks and disconnect them from the internet.
- Consider sending out an organization-wide alert to raise awareness of the dangers associated with opening attachments on unusual emails.
- Consider implementing an education program to improve staff awareness of cyber security and how to spot suspicious emails.
MSPs Face Ransomware Attacks
Meanwhile, the FBI and U.S. Department of Homeland Security have repeatedly warned MSPs and their technology platform providers about ransomware attacks.
To mitigate such threats, NIST (the National Institute of Standards and Technology) is seeking comments on a new ransomware detection and response guide.
Moreover, MSSP Alert and ChannelE2E have recommended that readers take these steps to further protect systems from ransomware:
- Sign up immediately for U.S. Department of Homeland Security Alerts, which are issued by the Cybersecurity and Infrastructure Security Agency. Some of the alerts specifically mention MSPs, CSPs, telcos and other types of service providers.
- Study the NIST Cybersecurity Framework to understand how to mitigate risk within your own business before moving on to mitigate risk across your customer base.
- Explore cybersecurity awareness training for your business and your end-customers to drive down cyberattack hit rates.
- Connect the dots between your cybersecurity and data protection vendors. Understand how their offerings can be integrated and aligned to (A) prevent attacks, (B) mitigate attacks and (C) recover data if an attack circumvents your cyber defenses.
- Continue to attend channel-related conferences, but extend to attend major cybersecurity events — particularly RSA Conference, Black Hat and Amazon AWS re:Inforce.
Additional insights from Joe Panettieri.