Adversaries are taking advantage of the Windows 10 upgrade announcement to lure users into executing a malicious payload. When a user falls victim to this campaign, the ransomware CTB-Locker is installed and encrypts the victim's data. The spammer then holds the data hostage and demands payment to decrypt it.
In the campaign seen by the Cisco Talos team, the spammers use an email claiming to be from Microsoft with the free update attached. The message was tailored to look legitimate and could easily deceive the untrained eye. The technique works as follows:
First, the From address is spoofed to appear to be from Microsoft. (The From header is trivial to forge; only SPF, DKIM and DMARC checks at the receiving mail server can tell a spoofed sender from a real one, and the user never sees those results.)
Second, the Subject line offers a free Windows 10 upgrade.
Third, the body of the message uses the Microsoft color scheme.
Fourth, a line stating that the attachment has been checked for viruses is added to the end. This is a commonly used technique to convince victims that the attachment must be safe; in reality the claim comes from the same party that sent the attachment and is worth nothing.
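As an added example (not code from Maverick or from the Cisco Talos write-up), the following Python script scores a message against the four lure indicators above plus two header checks that a receiving mail gateway normally has available: whether the envelope sender (Return-Path) matches the From domain, and whether SPF passed. Both messages in the script are constructed for the example; the Authentication-Results format, the list of risky attachment extensions and the quarantine threshold are assumptions, not details from the campaign.

```python
import email
import os
import re
from email import policy
from email.utils import parseaddr

# Both messages below are constructed for this example. The first mimics the
# lure described above (spoofed Microsoft sender, "free update" subject,
# "checked for viruses" footer, archive attachment); the second is an ordinary
# internal note used as a control. The Authentication-Results line stands in
# for what a receiving mail gateway would add; its exact format is assumed.
LURE_EML = b"""\
Return-Path: <bounce@bulk-mailer.invalid>
Authentication-Results: mx.example.invalid; spf=fail smtp.mailfrom=bulk-mailer.invalid
From: Microsoft <update@update.microsoft.com>
To: victim@example.invalid
Subject: Windows 10 Free Update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Your free Windows 10 upgrade is attached. Run the installer to begin.

This email and its attachment have been checked for viruses.
--b1
Content-Type: application/zip; name="Win10Installer.zip"
Content-Disposition: attachment; filename="Win10Installer.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

CONTROL_EML = b"""\
Return-Path: <alice@example.invalid>
Authentication-Results: mx.example.invalid; spf=pass smtp.mailfrom=example.invalid
From: Alice <alice@example.invalid>
To: bob@example.invalid
Subject: Lunch on Friday?
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

See you at noon.
"""

# Extensions that can carry or hide an executable payload (assumed list).
RISKY_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".js", ".vbs", ".zip", ".cab", ".rar"}

# Assumed threshold: three or more indicators is enough to quarantine.
QUARANTINE_THRESHOLD = 3


def _domain(header_value):
    """Return the lower-cased domain of the first address in a header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def _claims_domain(sender_domain, vendor_domain):
    """True if the From domain is vendor_domain or a subdomain of it."""
    return sender_domain == vendor_domain or sender_domain.endswith("." + vendor_domain)


def indicators(raw):
    """Evaluate the lure indicators on a raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = _domain(msg.get("From"))
    envelope_domain = _domain(msg.get("Return-Path"))
    auth = (msg.get("Authentication-Results") or "").lower()
    subject = (msg.get("Subject") or "").lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    filenames = [p.get_filename() or "" for p in msg.iter_attachments()]

    return {
        # Header From claims Microsoft, while the envelope sender and SPF say otherwise.
        "claims_microsoft": _claims_domain(from_domain, "microsoft.com"),
        "envelope_mismatch": envelope_domain != from_domain,
        "spf_fail": "spf=fail" in auth or "spf=softfail" in auth,
        # Subject line offers a free update/upgrade.
        "free_update_subject": re.search(r"\bfree\b.*\b(update|upgrade)\b", subject) is not None,
        # Body reassures the reader that the attachment was scanned.
        "virus_checked_claim": re.search(r"(checked|scanned) for viruses", body) is not None,
        # An attachment with an extension that can carry an executable.
        "risky_attachment": any(os.path.splitext(n)[1].lower() in RISKY_EXTENSIONS for n in filenames),
    }


def assess(raw):
    """Return (score, verdict, flags) for a raw message."""
    flags = indicators(raw)
    score = sum(flags.values())
    verdict = "quarantine" if score >= QUARANTINE_THRESHOLD else "deliver"
    return score, verdict, flags


if __name__ == "__main__":
    for name, raw in (("lure", LURE_EML), ("control", CONTROL_EML)):
        score, verdict, flags = assess(raw)
        print(f"{name}: score={score} verdict={verdict}")
        for key, hit in flags.items():
            print(f"  {key:22} {hit}")
```

The lure trips all six indicators and the control trips none. In practice the header checks (envelope mismatch, SPF/DKIM/DMARC failure) are the reliable part; the subject and body patterns are easy for an attacker to vary and are only there to catch this specific lure, which is why the verdict depends on a combined score rather than any single match.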
A user who falls victim to this campaign will know it very quickly. When the malicious attachment is opened and executed, the data is encrypted and the ransom note appears. At the bottom of the note is a countdown clock; with CTB-Locker this is typically 96 hours. The note warns that if the demands are not met by the time the clock reaches 00:00:00, the data will be lost permanently.
To avoid falling victim to a ransomware attack like this, Maverick recommends that clients avoid all emails that claim to provide free software or other updates via an attachment or link. Vendors like Microsoft do not send emails offering you a free upgrade, and this campaign is exactly why they do not. Always use the vendor-provided update channel: Windows patches arrive through Windows Update on the machine itself, and downloads come from the Microsoft Download Center: https://www.microsoft.com/en-us/download/default.aspx. For the Windows 10 upgrade, go to http://www.microsoft.com/EN-US/windows/windows-10-upgrade. Never trust email offers, no matter how legitimate they appear. Use the approved vendor sites only.
Also, be sure to back up your data regularly, and keep that backup on a separate platform that is not permanently connected to your PC. Ransomware encrypts every drive and network share the infected machine can write to, so a backup drive that stays plugged in, or a share that is always mapped, can be encrypted along with the originals. Keep the backup disconnected when it is not in use (or on a service that retains previous versions), and test a restore before you need one. That way, if you do fall victim to a ransomware attack, you can restore your data instead of paying.
As always, if you have questions or require further assistance, contact your Maverick personal cyber-security concierge. 855-648-7925.