"Windows 10 Upgrade" - Email Scam (ransomware)



Another day...another ransomware scam.  These, in my opinion, are the worst (because they have the gall to demand money from their victims).  

All the hallmarks are there that it is an email scam, but we know that not everyone knows what to look out for.  Almost wish Microsoft could come out with something to prevent these types of ransomware.  


Your Files Are Encrypted with a “Windows 10 Upgrade”

Talos Group | July 31, 2015 at 11:01 am PST
Update 8/1: To see a video of this threat in action click here

Adversaries are always trying to take advantage of current events to lure users into executing their malicious payload. These campaigns are usually focussed around social events and are seen on a constant basis. Today, Talos discovered a spam campaign that was taking advantage of a different type of current event.

Microsoft released Windows 10 earlier this week (July 29) and it will be available as a free upgrade to users who are currently using Windows 7 or Windows 8. This threat actor is impersonating Microsoft in an attempt to exploit their user base for monetary gain. The fact that users have to virtually wait in line to receive this update makes them even more likely to fall victim to this campaign.

Email Message

The email message above is a sample of the type of messages that users are being presented with. There are a couple of key indicators in the message worth calling out. First, the from address: the adversaries are spoofing the email to look like it is coming directly from Microsoft (update<at>microsoft.com). This is a simple step that tries to get users to read further.

[Image: email header (win10_header)]

However, a quick look at the email header reveals that the message actually originated from IP address space allocated to Thailand.

Second, the attackers are using a similar color scheme to the one used by Microsoft.

Third, there are a couple of red flags associated with the text of the email. As you can see below, there are several characters that don’t parse properly. This could be due to the targeted audience, a demographic using a non-standard character set, or the character set the adversaries were using to craft the email.

Payload

Once a user moves past the email, downloads the zip file, extracts it, and runs the executable, they are greeted with a message similar to the following:

[Image: CTB-Locker]

The payload is CTB-Locker, a ransomware variant. Currently, Talos is detecting the ransomware being delivered to users at a high rate. Whether it is via spam messages or exploit kits, adversaries are dropping a huge amount of different variants of ransomware. The functionality is standard, however: it uses asymmetric encryption, which allows the adversaries to encrypt the user’s files without the decryption key residing on the infected system. Also, by utilizing Tor and Bitcoin they are able to remain anonymous and quickly profit from their malware campaigns with minimal risk.

More @ Cisco 


Watch out: A dangerous Windows 10 scam is being circulated online

[Image: windows-10-2]

The Windows 10 rollout has been relatively smooth, but there are plenty of users who never received the Get Windows 10 app and are still waiting in line for their turn to update. Unfortunately, scammers have seen how desperate Windows users are for the update, which is why it should come as no surprise that a phishing campaign has been discovered.


According to Cisco’s Talos Group, scammers impersonating Microsoft have begun sending out emails informing individuals that they are eligible to upgrade to Windows 10. The email appears to come from an official Microsoft address, update@microsoft.com, adding to its authenticity, but don’t be fooled — Microsoft isn’t going to send you an email with Windows 10 as the attachment.

[Image: Windows 10 Scam Email]

There are several blatantly obvious signs in the body of the email as well, most notably characters which don’t parse properly. You can be certain that any official emails from Microsoft will use characters that display correctly on your device of choice.

If you were to ignore all of these signs, download the .zip file, extract the software and run the executable anyway, you would immediately find your computer locked by a ransomware variant called CTB-Locker. Here’s what it looks like:

[Image: CTB Locker]

“The threat of ransomware will continue to grow until adversaries find a more effective method of monetizing the machines they compromise,” says the Talos Group. “As a defense, users are encouraged to backup their data in accordance with best practices. These backups should be stored offline to prevent them from being targeted by attackers.”

See a video of someone installing the ransomware at this link.


I can't believe that people are still stupid enough to arbitrarily run email attachments, rocking it like it was 1998.  Well then again, all things considered I guess I can. Can make an OS the most secure thing on the planet, but get an idiot at the keyboard, all that goes down the toilet.


Neowin, you have my permission to post about this thread too, because this is a warning. Best way: you go to Windows Update from Microsoft, and it is safe there, everyone.


I already posted that one recently.

Correction, I posted this two minutes before yours.  However, it really doesn't matter as long as folks are aware.  :)

 

[Attachment: Capture.JPG]


I can't believe that people are still stupid enough to arbitrarily run email attachments, rocking it like it was 1998.  Well then again, all things considered I guess I can. Can make an OS the most secure thing on the planet, but get an idiot at the keyboard, all that goes down the toilet.

I would agree ... however poor old Grandma who uses the computer mostly to look at pictures of her grandchildren and checks email regularly anticipating more grandchildren pictures may receive this email and think "oh, how lovely...10 is greater than 8...free upgrade!".  Unfortunately, these are the people who will suffer the most from this scam and will ultimately pay to try and get their grandchildren pictures back.   Which is why I put in my original post that I would hope Microsoft could release a security patch which prevents something like this from running (not sure if it is possible).


Which is why I put in my original post that I would hope Microsoft could release a security patch which prevents something like this from running (not sure if it is possible).

The only way for that to actually be possible is to design the OS to not allow it to install anything, otherwise you can't ever stop it.  It doesn't matter who makes the OS or how secure people like to pretend it is.. if I can trick the person sitting at the keyboard to run my program, I can wreck it, or at the very least their personal data/files and steal info. It's not a flaw in the OS and it's not magically appearing out of thin air, it's that idiot sitting in front of the computer that let it on the system.   Or, I could just slap poor old Grandma on the back of the head, take 10 seconds to explain to her why running that program that the nice guy in the email message said was safe is actually a bad idea, and set her up to never have this be an issue again. This sort of scam is as old as dirt as far as PCs go.


I'm no expert, but if it is so easy to spot a fake email, due to the From address being spoofed, why don't all mail clients detect this, and show you the genuine address instead?

I'm assuming most clients, web based or local, will flag this ###### as spam.

So then, how, in this day and age, is this crap still getting through?

Personally, I would like to kick the living ###### out of every idiot that has ever attempted to buy Viagra, or penis enlargement products, due to a spam email.

Not to mention PPI claimants.

It's you twats that are the problem, making life that little bit worse for the rest of us.

If there was no money to be made from idiots, then the spammers would bugger off to greener pastures.

I recently heard the phrase "We live in the world we deserve". (or something very close to that)

Might have been from the TV series True Detective.

I think he had a point.

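The Talos write-up above shows the two things an analyst looks at when the visible From: address is spoofed: the envelope sender and the relay chain recorded in the Received: headers, which is where the Thailand origin came from. The question of why mail clients don't surface this is fair: receiving servers do record the SPF and DKIM verdicts in an Authentication-Results header (RFC 8601), but most clients never show it. The script below is an added example written for this thread, not code from Talos, Cisco or Neowin. It parses a raw message and reports the From: domain versus the envelope domain, the IP from the earliest Received: hop, and whether SPF/DKIM passed. Both messages and every address, host name and IP in them are constructed (the IPs are from the RFC 5737 documentation ranges).

```python
"""Spoofing indicators in a raw email's headers (added example, constructed data)."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample in the style of the campaign: From: claims microsoft.com,
# but the envelope sender and the first relay belong to someone else.
SPOOFED = """\
Return-Path: <bounce@bulk-mailer.example>
Received: from mx.example.org (mx.example.org [198.51.100.7])
\tby inbox.example.com with ESMTP id ABC123; Fri, 31 Jul 2015 09:00:00 -0700
Received: from unknown (HELO win10upgrade) ([203.0.113.5])
\tby mx.example.org with SMTP; Fri, 31 Jul 2015 08:59:50 -0700
Authentication-Results: inbox.example.com;
\tspf=fail smtp.mailfrom=bulk-mailer.example; dkim=none
From: "Microsoft" <update@microsoft.com>
To: victim@example.com
Subject: Windows 10 Free Upgrade

Your upgrade is attached as a zip file.
"""

# Constructed control sample: envelope and From: agree and both checks pass.
LEGIT = """\
Return-Path: <newsletter@example.org>
Received: from mail.example.org (mail.example.org [198.51.100.9])
\tby inbox.example.com with ESMTP id DEF456; Fri, 31 Jul 2015 10:00:00 -0700
Authentication-Results: inbox.example.com;
\tspf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org
From: "Example Newsletter" <newsletter@example.org>
To: victim@example.com
Subject: Monthly update

Hello.
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def domain_of(addr: str) -> str:
    """Domain part of an address, lowercased; empty if there is no '@'."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def originating_ip(msg):
    """IP from the earliest Received: hop, i.e. the bottom-most header.

    Caveat: only hops added by relays you trust are reliable; anything the
    sender's own server wrote can be forged, so treat this as a lead, not proof.
    """
    for hop in reversed(msg.get_all("Received") or []):
        m = IPV4.search(str(hop))
        if m:
            return m.group(1)
    return None


def analyze(raw: str) -> dict:
    """Return sender facts plus a list of human-readable findings."""
    msg = message_from_string(raw, policy=default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, envelope = parseaddr(str(msg.get("Return-Path", "")))
    auth = str(msg.get("Authentication-Results", "")).lower()
    findings = []
    if envelope and domain_of(envelope) != domain_of(from_addr):
        findings.append(f"From: domain {domain_of(from_addr)!r} differs from "
                        f"envelope sender domain {domain_of(envelope)!r}")
    if "spf=pass" not in auth:
        findings.append("SPF did not pass for the envelope sender")
    if "dkim=pass" not in auth:
        findings.append("no valid DKIM signature")
    return {"from": from_addr, "envelope": envelope,
            "origin_ip": originating_ip(msg), "findings": findings}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        r = analyze(raw)
        print(f"{label}: From={r['from']} envelope={r['envelope']} origin={r['origin_ip']}")
        for f in r["findings"]:
            print("  !", f)
```

Run it as-is and the spoofed sample produces three findings while the control sample produces none. The same three signals are what a DMARC policy on the impersonated domain lets receivers act on automatically; the script only makes visible what the mail server already recorded.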

ransomware....sucks....but highlights how important it is to have backups.

Not just backups, but disconnected backups. This ransomware encrypts any storage media mounted on the computer as well as mapped drives with write access.

Very few people have backups and the ones that do usually have them always connected to their PC.

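The point above, that anything mounted or mapped with write access gets encrypted too, is also the basis of a cheap detection: plant a small canary file on every volume the machine can write to, record its hash, and re-check on a schedule. A canary that changes or disappears means something is rewriting files on that volume and the machine should come off the network. The script below is an added example for this thread, not a tool from Cisco/Talos or Neowin; the canary file name is an assumption, and the two directories stand in for a mapped drive and a USB backup disk inside a temporary folder so it runs anywhere.

```python
"""Canary files for catching mass rewrites on mounted or mapped volumes
(added example; directory names and the canary name are assumptions)."""
import hashlib
import os
import tempfile
from pathlib import Path

CANARY_NAME = "_canary_do_not_touch.txt"   # assumed name; pick one that won't collide
CANARY_BODY = b"Sentinel file for ransomware detection. Do not modify.\n"


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant(roots) -> dict:
    """Write a canary at the root of each volume; return {path: expected_hash}."""
    manifest = {}
    for root in roots:
        p = Path(root) / CANARY_NAME
        p.write_bytes(CANARY_BODY)
        manifest[str(p)] = sha256_of(p)
    return manifest


def check(manifest: dict) -> list:
    """Compare every canary to its recorded hash.

    Returns a sorted list of (kind, path) with kind 'missing' or 'modified'.
    An empty list means every canary is intact.
    """
    findings = []
    for path_str, expected in manifest.items():
        p = Path(path_str)
        if not p.exists():
            findings.append(("missing", path_str))
        elif sha256_of(p) != expected:
            findings.append(("modified", path_str))
    return sorted(findings)


def demo() -> dict:
    """Plant canaries on two stand-in volumes, confirm they are clean, then
    simulate tampering inside the temp folder (overwrite one canary, remove
    the other) and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        roots = [Path(tmp) / "mapped_drive_E", Path(tmp) / "usb_backup"]
        for r in roots:
            r.mkdir()
        manifest = plant(roots)
        before = check(manifest)                      # expected: []
        (roots[0] / CANARY_NAME).write_bytes(os.urandom(len(CANARY_BODY)))
        (roots[1] / CANARY_NAME).unlink()
        after = check(manifest)
        return {"before": before, "after": [kind for kind, _ in after]}


if __name__ == "__main__":
    print(demo())
```

In practice the manifest lives somewhere the monitored volumes cannot write to and `check` runs from a scheduled task. A canary only fires once encryption has started, so it shortens the damage window; it does not replace the offline backup the post is asking for.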

I'm curious, if you proceed with the download and execution of the files, is there any way to recover your data short of a reinstall? Does it physically encrypt your data, or does it just say that to scare you into paying?


I'm curious, if you proceed with the download and execution of the files, is there any way to recover your data short of a reinstall? Does it physically encrypt your data, or does it just say that to scare you into paying?

Oh, it's encrypted all right.


You know, it is funny calling people names for falling for scams like this.   I used to think they were idiots as well but then I thought, I wonder how many times I have been called names for something I didn't understand or made a mistake on.  Especially if I was never told/educated on something.  People will always fall for things like this and that is why a lot of us have jobs.  Best we can do is educate and go from there.  Besides, this email looks like it comes from MS.


I'm curious, if you proceed with the download and execution of the files, is there any way to recover your data short of a reinstall? Does it physically encrypt your data, or does it just say that to scare you into paying?

Your data is encrypted.  I have dealt with this first hand with people.  And even if you do pay, it does not mean they will give you the means to decrypt your files and get your data back.  There have been reports where people pay the money, but then get nothing in return.  You can reinstall the OS but that will not get your data back.

