Category: Ransomware

Mail2World’s 2022 Email Outage

On Wednesday, 1/12/2022, an email provider named Mail2World disappeared from the internet. They’re a modest company based in California that provides email for millions of people worldwide. They handle the email service for many different ISPs (including Shentel, Buckeye Broadband, and SRT), as well as for individuals and small businesses. Information on this outage was challenging to come by, so I’m going to chronicle what I saw and learned during this event, below.

Day One (January 12)

Around 7AM EST, all email service with Mail2World stopped. For the entire day, no answers were forthcoming. People calling their ISPs got only vague explanations: “Email is completely down, we have no ETR.”

Those that contacted Mail2World directly received an unprofessional response. I had hoped they would issue a press release or a Pinned Post on Facebook. But, ironically commenting on an older Facebook Post about “improving your chances of getting your email read,” Mail2World shared only a few vague tidbits. It was nothing informative (“Please be advised that we’re fully and diligently working on the current email service outage.”) and only aggravated their clients further.

Day Two (January 13)

With email still down, Mail2World told some ISPs to expect a 3PM EST recovery time. But that deadline came and went, and everyone had to face the fact that nothing would be restored this day.

A sharp-eyed Facebook commenter pointed out a breaking news story (alternate link) about a ransomware attack and suggested it might be relevant. I called the ISP mentioned in the story and got confirmation: Mail2World is their email provider, and a ransomware attack had brought down all of Mail2World.

Day Three (January 14)

The outage continued, but repair progress could be detected. Using DNS detection websites, people could see that Mail2World DNS entries were coming back online, across the globe. M2W had been completely absent from the world’s DNS servers for the first two days of this outage!

Repeatedly contacting Mail2World, I could only get the briefest assurance from M2W that no one’s data was compromised or stolen. And as more news reports about the ransomware attack emerged, that seemed to confirm that user data was safe through this debacle. Other ISPs started to report more details, as well.

After much teeth-grinding, Mail2World posted a non-update on their Facebook Page. Huzzah! And their sales website came back online, more progress!

Day Four (January 15)

Early in the morning, Shentel reported email service may be restored in the next 24 hours. By some estimates, that would be extremely quick and efficient, but not unheard of.

By mid-day, a rare few M2W email accounts were able to send out messages, although they arrived with security warnings and other malformations. Still, it showed further progress!

As Day Four drew to a close, a few users reported in about email arriving in their Mail2World accounts. We couldn’t declare a complete recovery yet, but some people were able to send off a few messages, and verify that their old emails were once again available.

Day Five (January 16)

I woke to reports of Shentel (Virginia) email users happy with their restored accounts. Reports from other states (Indiana, South Dakota, Ohio) were varied, but most showed some signs of functionality. Other countries (Sweden, Australia, Mexico) also reported in about recovery, again varied, with some at full email ability, while others still hampered or limited.

This outage was mentioned over at Slashdot, but still hadn’t garnered any national or large-scale news coverage.

For my part, I recommended to anyone with fully-restored ISP email to call their internet providers for a refund or credit. Since Mail2World would surely pay a penalty to their ISP clients for the outage, I reasoned that that money should be passed along to the ISP customers themselves. And my experience with many ISPs is: if you don’t ask, you don’t get!

Day Six (January 17)

Today I found that most people worldwide have their basic M2W email service back. But there are some outliers that are still waiting, in Sweden or Mexico. These folks tend to be individuals that have enrolled in free email service directly with Mail2World. I can only guess that they are low-priority, and may have a much longer repair time than the blocks of email addresses repaired for the large ISP customers.

If you’re still waiting for an M2W repair, I can only tell you to hang in there, keep waiting and reach out to Mail2World repeatedly as time goes on. You can call them at +1 (310) 209-0060, visit their website, check them on Facebook, or find their Twitter feed. Good luck!

Epilogue (March 9)

Most everyone I know has moved on from this issue. But I am still disappointed. There are many questions left unanswered: What ransomware or criminal group caused this? Was the attack successful because of employee error or a zero-day exploit? Was the ransom paid or not?

For my part, I’ve pinged M2W for 2 months, through FB/Twitter/email/LinkedIn, asking for more info. And today, I got a phone call from one of their agents. He explained that the matter has been investigated, mitigated, resolved and put to bed. All informative reports have been finished and submitted… to the ISPs and involved companies.

He didn’t have any press releases or documentation for me. Or for the masses of email users out there. All of the “post-mortem” reports have been sent to Shentel, Buckeye Broadband and similar companies. And those big ISPs might not share that info with us little people, because, well… lawyers.

But this kind gentleman who called me reiterated: The ransomware attack did not expose anyone’s email info. He briefly mentioned that a 3rd-party vendor made a mistake and left a port open somewhere, and bad actors capitalized on the vulnerability. Now that all the forensics and investigation are through, M2W has improved their security and procedures to prevent this from happening again.

Email Safety Tips

Right now, government agencies are warning about a significant ransomware attack being directed at US Hospitals. And I hear that the ADA is reaching out to dental offices, telling them to be alert and to make sure their data is backed up. As the current threat expands, any healthcare-related office needs to be on guard, as do you. Ransomware or viruses usually ignore geographic and other man-made boundaries. The next computer hazard could arrive in your inbox at any time.

But please don’t get too anxious, because your antivirus and other software security is going to help keep the threat at bay. What you should consider is: The bad guys know you’re already well-protected, so they will use mind games to get you to defeat your own security. Here are some basic tips to keep you safe and help you not get tricked into a computer infection:

  • Don’t open attachments or click links that you weren’t expecting, or are from unknown people. Especially keep this in mind for when you receive a scary or alarming email! Ransomware is often contained in messages that claim you have an overdue account or large bill attached. By sending you unpleasant news, they hope to distract you and compromise your judgment for just long enough for you to open that viral attachment.
  • If your gut is telling you something, LISTEN TO IT. Did you just get a message from your CEO that seemed a little off? Is your friend emailing you for something that isn’t in character? Don’t second-guess yourself, don’t struggle to get in their head. Step away from the computer and pick up the phone. Get confirmation through other means before you trust that email on your screen.
  • Believe in your antivirus and other protections. Don’t be tricked into disabling any protections. I just received an Excel attachment and Microsoft Office opened it in “Protected View”, since it was obviously from somewhere foreign. But the file itself directed me to disable that Protected View feature and try again. If I had followed those steps, I would have infected my computer.
  • Bad grammar and misspellings used to be the hallmark of malicious emails, but not anymore. There are other clues you can look out for, though. If you can see the sender’s email address, be critical of the spelling and the exact domain name. If you see an obvious mismatch between the email address and the sender name, trash that email immediately. Examples: “Fred Rogers, Microsoft Support” with the address totalvirusdefense@microsofttechgods.ru, or “Beatrice Snodgrass from Amazon Refund Agency” with the address beatsnod@yahoo.au.
  • Don’t reply to emails that seem suspicious. Don’t call any phone number listed in an email that urgently calls you to action. You must not trust the contact info presented in the email! When verifying any email, use contact information from some source other than the email itself. For example, if you get a weird message from your boss, Forward the message to his email address from your address book, and maybe Cc: his boss. Or if you get an alert from your bank, grab your last paper statement or bank card, and call the phone number printed there.
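The sender-name versus address mismatch from the tips above, turned into a small mail-filter check. This is an added example, not code from the post or from Mail2World; the From: headers are constructed from the two examples quoted above plus two plausible legitimate ones, and the brand-to-domain table is hypothetical.

```python
import re
from email.utils import parseaddr

# Constructed sample From: headers modelled on the two examples in the post,
# plus two plausible legitimate headers for contrast. Not real messages.
SAMPLE_HEADERS = [
    '"Fred Rogers, Microsoft Support" <totalvirusdefense@microsofttechgods.ru>',
    '"Beatrice Snodgrass from Amazon Refund Agency" <beatsnod@yahoo.au>',
    '"Microsoft account team" <noreply@accountprotection.microsoft.com>',
    '"Accounts Team" <billing@example.com>',
]

# Hypothetical brand table: brand word -> domains that brand actually sends from.
# Illustrative values only; a real filter would maintain its own list.
BRAND_DOMAINS = {"microsoft": {"microsoft.com"}, "amazon": {"amazon.com"}}


def domain_of(addr: str) -> str:
    """Lowercase domain part of an address, or '' unless it is a single user@domain."""
    return addr.rsplit("@", 1)[1].lower() if addr.count("@") == 1 else ""


def is_legit_domain(domain: str, legit: set) -> bool:
    """True if domain is one of the brand's own domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in legit)


def mismatch_reasons(header: str) -> list:
    """Return the reasons a From: header looks like a name/domain mismatch ([] = clean)."""
    display, addr = parseaddr(header)
    domain = domain_of(addr)
    if not domain:
        return ["unparseable or missing address"]
    reasons = []
    for brand, legit in BRAND_DOMAINS.items():
        if is_legit_domain(domain, legit):
            continue  # mail really comes from the brand's own domain; nothing to flag
        # Brand named in the display name, but the address lives somewhere else
        if re.search(rf"\b{brand}\b", display, re.IGNORECASE):
            reasons.append(f"display name mentions '{brand}' but address domain is '{domain}'")
        # Brand word embedded in a lookalike domain (e.g. microsofttechgods.ru)
        if brand in domain:
            reasons.append(f"domain '{domain}' contains '{brand}' but is not a known {brand} domain")
    return reasons


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        reasons = mismatch_reasons(header)
        print(("SUSPICIOUS: " if reasons else "ok: ") + header)
        for r in reasons:
            print("   -", r)
```

The check is a heuristic, not proof: a clean result only means the display name and domain agree, so the other tips (verifying through a second channel) still apply.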

Be safe out there, folks!

© 2022 BlueScreen Computer
