{
	"id": "c0e2db82-3bbc-4a50-b425-9e261f076ebf",
	"created_at": "2026-04-06T00:09:05.009405Z",
	"updated_at": "2026-04-10T03:21:34.783948Z",
	"deleted_at": null,
	"sha1_hash": "7b51da2f5321db1d6b998b886f48e2c147357c91",
	"title": "Mailto (NetWalker) Ransomware Targets Enterprise Networks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1282004,
	"plain_text": "Mailto (NetWalker) Ransomware Targets Enterprise Networks\r\nBy Lawrence Abrams\r\nPublished: 2020-02-05 · Archived: 2026-04-02 11:53:19 UTC\r\nWith the high ransom prices and big payouts of enterprise-targeting ransomware, we now have another ransomware known\r\nas Mailto or Netwalker that is compromising enterprise networks and encrypting all of the Windows devices connected to it.\r\nIn August 2019, a new ransomware was spotted in ID Ransomware that was named Mailto based on the extension that was\r\nappended to encrypted files.\r\nIt was not until today, when the Australian Toll Group disclosed that their network was attacked by the Mailto\r\nransomware, that we discovered that this ransomware is targeting the enterprise.\r\nhttps://www.bleepingcomputer.com/news/security/mailto-netwalker-ransomware-targets-enterprise-networks/\r\nPage 1 of 8\n\nIt should be noted that the ransomware has been commonly called the Mailto Ransomware due to the appended extension,\r\nbut analysis of one of its decryptors indicates that it is named Netwalker.  
We will discuss this later in the article.\r\nThe Mailto / Netwalker ransomware\r\nIn a recent sample of the Mailto ransomware shared with BleepingComputer by MalwareHunterTeam, the executable\r\nattempts to impersonate the 'Sticky Password' software.\r\nImpersonating Sticky Password\r\nWhen executed, the ransomware uses an embedded config that includes the ransom note template, ransom note file names,\r\nlength of id/extension, whitelisted files, folders, and extensions, and various other configuration options.\r\nAccording to Head of SentinelLabs Vitali Kremez who also analyzed the ransomware, the configuration is quite\r\nsophisticated and detailed compared to other ransomware infections.\r\n\"The ransomware and its group have one of the more granular and more sophisticated configurations observed,\" Kremez\r\ntold BleepingComputer.\r\nThe configuration that was embedded in the analyzed sample can be found here.\r\nRansomware config\r\nWhile almost all current ransomware infections utilize a whitelist of folders, files, and extensions that will be skipped,\r\nMailto utilizes a much longer list of whitelisted folders and files than we normally see.\r\nFor example, below is the list of folders that will be skipped from being encrypted.\r\n*system volume information\r\n*windows.old\r\n*:\\users\\*\\*temp\r\n*msocache\r\n*:\\winnt\r\n*$windows.~ws\r\n*perflogs\r\n*boot\r\n*:\\windows\r\n*:\\program file*\r\n\\vmware\r\n\\\\*\\users\\*\\*temp\r\n\\\\*\\winnt nt\r\n\\\\*\\windows\r\n*\\program file*\\vmwaree\r\n*appdata*microsoft\r\n*appdata*packages\r\n*microsoft\\provisioning\r\n*dvd maker\r\n*Internet Explorer\r\n*Mozilla\r\n*Old Firefox data\r\n*\\program file*\\windows media*\r\n*\\program file*\\windows portable*\r\n*windows defender\r\n*\\program file*\\windows nt\r\n*\\program file*\\windows photo*\r\n*\\program file*\\windows 
side*\r\n*\\program file*\\windowspowershell\r\n*\\program file*\\cuas*\r\n*\\program file*\\microsoft games\r\n*\\program file*\\common files\\system em\r\n*\\program file*\\common files\\*shared\r\n*\\program file*\\common files\\reference ass*\r\n*\\windows\\cache*\r\n*temporary internet*\r\n*media player\r\n*:\\users\\*\\appdata\\*\\microsoft\r\n\\\\*\\users\\*\\appdata\\*\\microsoft\r\nWhen encrypting files, the Mailto ransomware will append an extension using the format .mailto[{mail1}].{id}. For\r\nexample, a file named 1.doc will be encrypted and renamed to 1.doc.mailto[sevenoneone@cock.li].77d8b as seen below.\r\nEncrypted Files\r\nThe ransomware will also create ransom notes named using the file name format of {ID}-Readme.txt. For example, in our\r\ntest run the ransom note was named 77D8B-Readme.txt.\r\nThis ransom note will contain information on what happened to the computer and two email addresses that can be used to\r\nget the payment amount and instructions.\r\nMailto / Netwalker Ransom Note\r\nThis ransomware is still being analyzed and it is not known if there are any weaknesses in the encryption algorithm that can\r\nbe used to decrypt files for free. 
If anything is discovered, we will be sure to let everyone know.\r\nFor now, those who are infected can discuss this ransomware and receive support in our dedicated Mailto / Netwalker\r\nRansomware Support \u0026 Help Topic.\r\nIs it named Mailto or Netwalker?\r\nWhen new ransomware infections are found, the discoverer or researchers will typically look for some indication as to the\r\nname given to it by the ransomware developer.\r\nWhen a ransomware does not provide any clues as to its name, in many cases the ransomware will be named after the\r\nextension appended to encrypted files.\r\nAs the Mailto ransomware did not have any underlying hints as to its real name, at the time of discovery it was just called\r\nMailto based on the extension.\r\nSoon after, Coveware discovered a decryptor for the ransomware that indicated that the developer's name for the infection is\r\n'Netwalker'.\r\nNetwalker Decrypter\r\nIn situations like this, it is difficult to decide what name we should continue to call the ransomware.\r\nOn one hand, we clearly know its name is Netwalker, but on the other hand, the victims know it as Mailto and most of the\r\nhelpful information out there utilizes that name.\r\nTo make it easier for victims, we decided to continue to refer to this ransomware as Mailto, but the names can be used\r\ninterchangeably.\r\nIOCs\r\nHashes:\r\n416556c9f085ae56e13f32d7c8c99f03efc6974b2897070f46ef5f9736443e8e\r\nAssociated files:\r\n{ID}-Readme.txt\r\nMailto email addresses:\r\nsevenoneone@cock.li\r\nkavariusing@tutanota.com\r\nRansom note text:\r\nHi!\r\nYour files are encrypted.\r\nAll encrypted files for this computer has extension: .{id}\r\n--\r\nIf for some reason you read this text before the encryption ended,\r\nthis can be understood by the fact that the computer slows down,\r\nand your heart rate has increased due to the ability to 
turn it off,\r\nthen we recommend that you move away from the computer and accept that you have been compromised,\r\nrebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help\r\nit could be files on the network belonging to other users, sure you want to take that responsibility?\r\n--\r\nOur encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without o\r\nThe only way to get your files back is to cooperate with us and get the decrypter program.\r\nDo not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recove\r\nWe advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned.\r\nFor us this is just business and to prove to you our seriousness, we will decrypt you some files for free,\r\nbut we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.\r\nСontact us:\r\n1.{mail1}\r\n2.{mail2}\r\nDon't forget to include your code in the email:\r\n{code}\r\nSource: https://www.bleepingcomputer.com/news/security/mailto-netwalker-ransomware-targets-enterprise-networks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/mailto-netwalker-ransomware-targets-enterprise-networks/"
	],
	"report_names": [
		"mailto-netwalker-ransomware-targets-enterprise-networks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434145,
	"ts_updated_at": 1775791294,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7b51da2f5321db1d6b998b886f48e2c147357c91.pdf",
		"text": "https://archive.orkl.eu/7b51da2f5321db1d6b998b886f48e2c147357c91.txt",
		"img": "https://archive.orkl.eu/7b51da2f5321db1d6b998b886f48e2c147357c91.jpg"
	}
}