Opportunistic spammers are duping would-be Windows 10 users into downloading the CTB-Locker ransomware.
The malicious campaign was discovered by the Cisco Security team and mimics the emails being sent by Microsoft to tell users that their Windows 10 upgrade is ready to install. Once the executable is unzipped and run, it encrypts all of the files on the user's device.
“Adversaries are always trying to take advantage of current events to lure users into executing their malicious payload,” wrote Talos, Cisco’s security research group. “These campaigns are usually focussed [sic] around social events and are seen on a constant basis. Today, Talos discovered a spam campaign that was taking advantage of a different type of current event.”
The emails appear to come from a legitimate Microsoft address (firstname.lastname@example.org), but the security team says the sending IP address actually traces back to Thailand.
While the email isn't a perfect replica of an official communication, it's much closer than many other malicious campaigns out there. The colour scheme is similar to that of Microsoft's official emails, as is the language, albeit with a few parsing errors.
Talos says that CTB-Locker has some unique features that set it apart from the large-scale variants currently making the rounds.
“Most variants use RSA asymmetric encryption,” the security team wrote. “CTB-Locker actually makes use of elliptical curve encryption which still provides the same public/private key encryption but it’s a different type of algorithm, with lower overhead and the same level of security utilizing smaller key space.”
“Second, there is the issue of the time window. CTB-Locker is only giving users 96 hours to pay for decryption, which is a shorter window than is standard for most ransomware.”
The security researchers also noted that the ransomware appeared to transfer an unusual amount of data back and forth with remote hosts.
“There is also a significant amount of data being exchanged between systems, which is largely uncharacteristic for ransomware. An analysis of network traffic reveals that there were ~100 network streams to various IP addresses,” Talos said.
The computer kidnappers are demanding payment via bitcoin and are utilizing the Tor network to avoid detection.
Cisco has posted a video of the ransomware in action.
Stu Sjouwerman of KnowBe4 said that businesses should act quickly to ensure that employees do not fall foul of this and other social engineering scams. Sjouwerman suggests giving users a direct link to Microsoft's upgrade page and asking them to refrain from downloading any files attached to emails.
Microsoft said that Windows 10 was downloaded 14 million times within the first 24 hours, and there are many more waiting in the wings as the Redmond firm continues its phased rollout.
“We’re humbled and grateful to see the response to Windows 10,” Microsoft said on its blog. “We have seen unprecedented demand for Windows 10, with reviews and customer feedback overwhelmingly positive around the globe. We are doing everything we can to upgrade the world to Windows 10 as quickly as possible over the coming days and weeks ahead.”