February 10, 2020 By David Bisson 3 min read

Last week in security news, security researchers spotted the Mailto ransomware targeting enterprise networks and encrypting their connected Windows devices. Speaking of ransomware, the EKANS family attracted the security community’s attention for its ability to stop ICS-related processes. Additionally, a security researcher found a vulnerability in the WhatsApp desktop app that could have allowed malicious actors to remotely access files on a local computer.

Top Story of the Week: Mailto Ransomware Sets Its Sights on Enterprise Networks

In August 2019, ID Ransomware spotted a new ransomware family appending the “Mailto” extension to the files that it had successfully encrypted. Fast forward to February 2020, when an Australian transportation and logistics company revealed that the same ransomware had encrypted its network. This security incident was the first public indication that Mailto (or Netwalker) ransomware had begun going after enterprise networks.

Bleeping Computer analyzed a recent Mailto sample and found that its executable attempted to impersonate the “Sticky Password” software. This analysis also revealed that the sample had arrived with a configuration that was more sophisticated and granular than those employed by other ransomware families.

Source: iStock

Also in Security News

  • Diabetic Patients Targeted by Android Malware: FortiGuard Labs spotted a new form of Android malware called “Android/FakePlayer.X!tr” back in September 2019. The malware masqueraded as an Android app that provided users with information about diabetes, but in actuality, it leveraged a Trojan dialer to send SMS messages to users presumably in an effort to steal funds from its victims.
  • Financial Institutions Caught in Metamorfo’s Crosshairs: Researchers at FortiGuard Labs spotted two different variants of Metamorfo, a malware family known for targeting online customers of financial institutions. The first targeted only the customers of Brazilian financial organizations, while the second targeted customers of institutions located in multiple countries.
  • Flaw in WhatsApp Desktop App Allowed Attackers to Access Local Files: Security researcher Gal Weizman of PerimeterX uncovered a vulnerability (CVE-2019-18426) that enabled a malicious actor to perform cross-site scripting attacks and read local files. The flaw, which affected WhatsApp Desktop versions prior to 0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10, required users to click on a link preview from a specially crafted text message.
  • Phishing Campaign Delivered Versatile Anubis Malware to Android Users: Cofense spotted a phishing campaign that preyed on Android devices that permitted the installation of unsigned Android applications. The campaign ultimately delivered Anubis, a banking Trojan that is also capable of hijacking infected devices, encrypting a victim’s files and holding that data for ransom.
  • ICS-Related Process Appeared on EKANS Ransomware’s Kill List: Researchers at Dragos spotted a sample of EKANS ransomware using a hardcoded “kill” list to terminate several processes associated with organizations’ industrial control systems (ICS). If executed on the right type of system, such functionality could disrupt the view condition of the network.
  • Malicious Android Apps Used for Downloading Malware, Performing Ad Fraud: Researchers at Trend Micro discovered several malicious optimizer, booster and utility apps that could perform ad fraud and download as many as 3,000 malware variants and payloads onto an infected Android device. At the time of writing, the apps were no longer available on the Google Play store.
  • Phishing Campaign Targeting Financial Services Organizations Delivered MINEBRIDGE: In January 2020, FireEye began tracking a phishing campaign targeting financial services organizations primarily located in the U.S. That campaign used carefully crafted phishing documents to download and deploy the MINEBRIDGE backdoor.

Security Tip of the Week: Minimize the Damage of a Ransomware Infection

Security personnel can help their organizations minimize the impact of a ransomware infection by implementing a data backup strategy and regularly testing those backups. They should perform these backups as part of a layered defense strategy that includes anti-virus solutions and security awareness training.

More from

FYSA — VMware Critical Vulnerabilities Patched

< 1 min read - SummaryBroadcom has released a security bulletin, VMSA-2025-0004, addressing and remediating three vulnerabilities that, if exploited, could lead to system compromise. Products affected include vCenter Server, vRealize Operations Manager, and vCloud Director.Threat TopographyThreat Type: Critical VulnerabilitiesIndustry: VirtualizationGeolocation: GlobalOverviewX-Force Incident Command is monitoring activity surrounding Broadcom’s Security Bulletin (VMSA-2025-0004) for three potentially critical vulnerabilities in VMware products. These vulnerabilities, identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, have reportedly been exploited in attacks. X-Force has not been able to validate those claims. The vulnerabilities…

SoaPy: Stealthy enumeration of Active Directory environments through ADWS

10 min read - Introduction Over time, both targeted and large-scale enumeration of Active Directory (AD) environments have become increasingly detected due to modern defensive solutions. During our internship at X-Force Red this past summer, we noticed FalconForce’s SOAPHound was becoming popular for enumerating Active Directory environments. This tool brought a new perspective to Active Directory enumeration by performing collection via Active Directory Web Services (ADWS) instead of directly through Lightweight Directory Access Protocol (LDAP) as other AD enumeration tools had in the past.…

Smoltalk: RCE in open source agents

26 min read - Big shoutout to Hugging Face and the smolagents team for their cooperation and quick turnaround for a fix! Introduction Recently, I have been working on a side project to automate some pentest reconnaissance with AI agents. Just after I started this project, Hugging Face announced the release of smolagents, a lightweight framework for building AI agents that implements the methodology described in the ReAct paper, emphasizing reasoning through iterative decision-making. Interestingly, smolagents enables agents to reason and act by generating…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today