The Mailto ransomware uses a new technique for process injection. In their article on the topic, researchers discuss the ransomware at a high level along with this new technique. Like many malware payloads, this sample uses process code injection to hide its malicious code within a legitimate Windows process. However, most malware performs process hollowing by creating the target process in suspended mode. The Mailto ransomware instead creates the process in debug mode, then uses the debug APIs to perform the steps necessary to have the legitimate process execute the malicious code. From that point, the ransomware deletes volume shadow copies, establishes persistence via a Registry Run key, and performs encryption. The configuration for the encryption process and the ransom note is stored, encrypted and in JSON format, within the .rsrc section of the payload. Encryption is performed using the Salsa20 algorithm, and the extension appended to encrypted files includes the string "mailto," an email address, and a custom ID. The ransom note provides email addresses the victim can contact to receive payment instructions for the decryption key.
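Because Mailto drives the injected process through the debug APIs rather than a suspended thread, a live triage check that lists which processes currently have a debugger attached (and who their parent is, since a process created with the debug creation flag is debugged by its parent) is a cheap way to surface the behaviour on a host with no developer tooling. The script below is an added example, not code from the article or the researchers; it assumes the standard kernel32 exports `OpenProcess`, `CheckRemoteDebuggerPresent` and `CloseHandle`, and must run with enough rights to open the processes of interest.

```powershell
# Added example (not from the article): enumerate running processes and report
# those that are currently being debugged, together with their parent process.
# CheckRemoteDebuggerPresent needs PROCESS_QUERY_INFORMATION on the handle.
$signature = @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inheritHandle, uint pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CheckRemoteDebuggerPresent(IntPtr hProcess, out bool isDebugged);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@
$k32 = Add-Type -MemberDefinition $signature -Name Kernel32 -Namespace DebugTriage -PassThru
$PROCESS_QUERY_INFORMATION = 0x0400

# Parent PIDs come from WMI so the report can show which process is attached as debugger.
$parents = @{}
Get-CimInstance Win32_Process | ForEach-Object { $parents[[int]$_.ProcessId] = [int]$_.ParentProcessId }

function Get-DebuggedProcesses {
    $findings = @()
    foreach ($p in Get-Process) {
        $h = $k32::OpenProcess($PROCESS_QUERY_INFORMATION, $false, [uint32]$p.Id)
        if ($h -eq [IntPtr]::Zero) { continue }   # protected process or access denied; skip
        try {
            $debugged = $false
            if ($k32::CheckRemoteDebuggerPresent($h, [ref]$debugged) -and $debugged) {
                $ppid = $parents[[int]$p.Id]
                $parent = if ($ppid) { Get-Process -Id $ppid -ErrorAction SilentlyContinue } else { $null }
                $findings += [pscustomobject]@{
                    Pid        = $p.Id
                    Name       = $p.ProcessName
                    Path       = $p.Path
                    ParentPid  = $ppid
                    ParentName = if ($parent) { $parent.ProcessName } else { '<exited or unknown>' }
                }
            }
        } finally {
            [void]$k32::CloseHandle($h)
        }
    }
    return $findings
}

# A legitimate Windows binary (svchost.exe, explorer.exe, ...) whose parent is an
# unfamiliar executable and which shows up here deserves a closer look.
Get-DebuggedProcesses | Format-Table -AutoSize
```

Expect hits from genuine debuggers (Visual Studio, WinDbg) on developer workstations; the interesting case is a system binary debugged by a parent that has no business being a debugger.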