Hackers Sending Fake Windows 10 Upgrade Ransomware Email, Encrypts Every File

It has not been a week, yet hackers have begun to exploit existing Windows users’ computer by sending them a ransomware, via spoofed email, which instantly encrypts each and every file that exists on the computer.

The zipped attachment found in the email, which seems like Windows 10 sent by Microsoft, is not the operating system file but a ransomware.

Hacker Targets Pedophiles with TOX Ransomware

Windows 10 was officially unveiled to public on July 29th as a free of charge upgrade for every Windows 7 and Windows 8 users. And till date, more than 14 million systems have been successfully upgraded to the latest release of Windows, but still millions are waiting to receive an official update notification from Microsoft.

There is an app released by Microsoft called Get Windows 10 which notifies the user if they got a green signal to upgrade their computer. Till then, the app shows a simple message that reads “Watch for your notification so that you can start your upgrade. Your notification to upgrade could come as soon as a few days or weeks.”

Researchers over at Cisco has warned all the impatient Windows users to not to fall for a Windows 10 upgrade scam, and the fact that users must have to wait for the upgrade to be available makes them even more vulnerable to this scam.

Hackers have seen this simple notification message as an opportunity to exploit users who are impatient to upgrade their existing Windows to the latest release. Exploiters are sending out spoofed email about Windows 10 upgrade along with a zipped attachment that once executed will automatically install a ransomware on the targeted computer system, eventually encrypting all the files, pictures, documents, and other important data that exists on the hard drive.

Scrutinizing the Ransomware Email

The team of researchers has scrutinized the spoofed email and they noted down four key indicators in the message, which every user must need to watch out for.

Email sent by hackers | Image Source: Cisco

To begin with, you have to watch for the from email address. The hackers have skilfully spoofed the sender’s email address to make it look like it is sent by Microsoft i.e. <[email protected]>. This is what makes the targeted receiver to further read the email. Yet a closer look at the header section of the email reveals a fact that the email is originated from the Internet Protocol (IP) address allocated to Thailand.

Image Source: Cisco

Secondly, to further spoof the email and convince the receiver to believe that it is sent by Microsoft, the hackers have tried their best to make use of similar color scheme being used by Microsoft.

Thirdly, the most easily notable indicator. The researchers have found a couple of red flags linked with the email message. There are many characters that don’t parse correctly. This happened because the hackers were using a non-standard character set while producing the email. You can see those red flags in the image attached below.

Image Source: Cisco

Fourthly, to increase the authenticity of email, the hackers have incorporated a disclaimer message that looks exactly like the one used by Microsoft i.e. “This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.” Furthermore, to trick the targeted users into believing that the attachment is not malware, the closing message also linked to MailScanner, which is an authentic open source email filtration website.

Working of Ransomware

Just like us, you must be wondering that what would happen to the targeted user who believed what this email said, downloaded the attached zip file, extracted and then executed it.

The victim will be welcomed with a message which will be similar to the following image:

Image Source: Cisco
Ransomware attack forces animal porn collector to plead guilty to police

The program being used by the hackers is CTB-Locker which is a variant of ransomware. Researchers have also found out that these ransomware are being sent out to the targeted users at a significantly high rate.

The functionality of this ransomware is quite standard and make use of an irregular encryption method which let the hackers to encrypt each and every file of the victim’s computer without storing the decryption key onto the infected computer.

To further secure their identity and to remain anonymous while being at the minimal risk level, hackers are making use of openly available services like Tor and Bitcoin. This way they are able to quickly generate revenue from this ransomware campaign.

If the victim wants to unlock their files, pictures and other important documents, they must have to pay the ransom to receive a decryption code. And to our surprise, they are only give 96 hours to pay the ransom amount.

Though-Provoking Features of CTB-Locker Ransomware

Researchers also noted down some thought-provoking features of CTB-Locker which seems to be a lot different as compared to the other ransomware variants.

Firstly, the type of encryption. CTB-Locker uses elliptical curve encryption which utilizes a smaller key space but provides the same security level and key encryption, whereas most of the ransomware uses RSA encryption methods.

Secondly, decryption time frame. CTB-Locker offers the targeted victim with just 96 hours of time frame to pay for the decryption key, which is a lot shorter than the standard ransomware.

Thirdly, the Command and Control communication, also known as C2. CTB-Locker uses a hard-coded IP address to establish the connection. These IP addresses are located on a non-standard ports. On the other hand, the typical ransomware uses compromised WordPress websites as a drop point for the information.

Fourthly, increased the amount of data exchange between systems. Researchers analyzed the network traffic and found out that data was being streamed to approximately 100 different IP addresses. While the common ports being utilized by the network for communication were 1443, 9001, 666 and 443. The majority of ports being utilized by the network are associated with Tor traffic.

Demo Video of Ransomware

The researchers have also uploaded a video demo to show the working of this ransomware and how quickly it attacks the victim’s computer. You can see that video below:

Since its release Windows10 is in the news for all the wrong reasons. First, spying on users and then using their Internet bandwidth to send updates to other users with their knowledge or permission.

Good luck Windows 10 users.

Report typos and corrections to [email protected]


Related Posts