With a proper system in place to monitor privileged user access, there will not be any need to negotiate with cybercriminals.

Recently, logistics firm Toll Group was hit with a “new variant” of ransomware known as Mailto or Kokoklock and had been forced to shut down much of its IT infrastructure to prevent the malware from spreading.

The ransomware, which has been variously dubbed NetWalker or Kazkavkovkiz, is believed to have infected as many as 1,000 servers, including Active Directory.

Mailto appends random extensions to file names, making them unusable. It first appeared in around September 2019. It is very similar to the many variants of targeted ransomware that sophisticated cybercriminals have launched against companies that rely on technology to deliver time-sensitive, critical services or products.

By targeting industries that cannot function well with any downtime—most prominently healthcare, state and local government, industrial control systems, and now shipping—these criminals maximise the chance the victim might pay the ransom to recover their services.  

This is what Corey Nachreiner, WatchGuard Technologies CTO feels: “In many of these cases, the ransomware itself is effective, but not particularly unusual compared to other ransomware variants. Proactive, advanced malware prevention solutions that use machine learning or behavioral analysis to catch new threats often detect and block these samples if delivered through a security service.”

However, the sophisticated threat actors launching many of these targeted attacks seem to be breaching networks using presumably stolen, privileged user credentials before loading any ransomware. In that case, they often use this privileged access, and thereby access legitimate internal management tools, to disable and bypass security controls before installing the ransomware.

“The general public still doesn’t know exactly how Toll’s attackers got the ransomware into their system, but if it’s similar to other targeted attacks we’ve seen globally, authentication best practices and multi-factor authentication are the best ways to protect your organization (and any remote services you use) from these sorts of targeted ransomware attacks,” added Nachreiner.