What you need to know about “Windows 10 Upgrade” Cryptolocker
Adam Robinson is a Security Engineer with Loop Technology who specialises in the deployment and management of Intel Security based solutions. He is also Loop’s Entrust SSL Certificate expert and he has a keen interest in analysing and unpacking malware. If you have a question for Adam, please email firstname.lastname@example.org.
Malicious attackers are always trying to take advantage of current events to lure users into executing their malware. These campaigns are usually focused around current events in order to promote higher click through and are often seen on a repetitious basis; ATO refund scams in July, Christmas bonus scams in December, Australia Post package scams...all the time.
Recently, the Talos Security Intelligence and Research Group (Talos) discovered a spam campaign that was taking advantage of a different type of current event that everyone is talking about and searching for.
Microsoft released Windows 10 last week (July 29th worldwide) and it was made available as a free upgrade to users who are currently using Windows 7 or Windows 8.
In this case, the malicious attack is pretending to be Microsoft, in an attempt to exploit their user base for monetary gain. The fact that users have to virtually wait in line to receive this update by default, makes them even more likely to fall victim to this campaign as they search for answers about their soon-to-be operating system.
The email message spoofs the email to look like it is coming directly from Microsoft (email@example.com). This is a simple step that tries to get users to read further.
One of the best things about this particular scam is the note at the bottom of the email. Potentially a sign of scammers getting smarter, the email claims that it has been scanned by MailScanner:
The malware itself reaches into Tor for command & control, so it isn't known where it originates from.
The threat of ransomware is an ever increasing trend and I predict it will continue to grow until another more effective method of exploiting endpoints for monetary gain is discovered.
As a defense against these types of attacks, users are encouraged to backup their data to an external device which is kept disconnected from the endpoint to prevent them from being targeted.
Have you ever wondered how these scammers can write complex code and develop command and control based networks, yet basic grammar poses a challenge? In 2012 there was an article by Cormac Herley entitled "Why do Nigerian Scammers Say They are from Nigeria?". In this article, Cormac says of these typos, "By sending an email that repels all but the most gullible the scammer gets the most promising marks to self-select." A fascinating read for anyone interested.
If you are concerned about Cryptolocker and would like to talk about options to address this challenge feel free to contact us.
As always, stay safe out there.