Cisco Talos Warns Against Windows 10 Ransomware Spam Campaign

Cisco’s Talos team has posted a blog warning customers waiting for the new Windows 10 to beware of a spam campaign offering to upgrade to Windows 10 for free. The email, titled “Upgrade to Windows 10 for free,” has an attachment containing ransomware.

“The fact that users have to virtually wait in line to receive this update makes them even more likely to fall victim to this campaign,” Cisco’s Talos team noted in the blog.

The spam emails appear to come from Microsoft and carry a “from” address of “[email protected]”, but the originating IP address actually points to a machine in Thailand.

Email Appears Legitimate

The email uses a color scheme similar to the one Windows uses. It also carries a disclaimer and a statement claiming that the email has been scanned by anti-virus software.

Nonetheless, the Cisco Talos team found several mistakes in the message’s text. For one, some characters in the message have not been parsed correctly.

“This could be due to the targeted audience, a demographic using a non-standard character set, or the character set the adversaries were using to craft the email,” the blog noted.

Should a user open the zip attachment and run the executable inside, a screen appears announcing: “Your personal files are encrypted by CTB-Locker.”
It continues: “You only have 96 hours to submit payment. If you do not send money within provided time, all your files will be permanently encrypted and no one will be able to recover them.” Payment is demanded in bitcoin.


Ransomware Uses Elliptic Curve Encryption

This crypto-ransomware variant uses elliptic curve cryptography, which reportedly has lower overhead than other schemes. Much of its infrastructure is hosted on Tor, which helps it avoid detection.

“The threat of ransomware will continue to grow until adversaries find a more effective method of monetizing the machines they compromise,” the blog warned.

“As a defense, users are encouraged to backup their data in accordance with best practices. These backups should be stored offline to prevent them from being targeted by attackers.”

Microsoft released Windows 10 on July 29 and it will be available as a free upgrade to those currently using Windows 7 or Windows 8.

“This threat actor is impersonating Microsoft in an attempt to exploit their user base for monetary gain. The fact that users have to virtually wait in line to receive this update makes them even more likely to fall victim to this campaign,” the blog noted.

Lester Coleman is a veteran business journalist based in the United States. He has covered the payments industry for several years and is available for writing assignments.