The Win32/Crowti ransomware is on the upswing of late, the result of a series of fresh malware campaigns being distributed through spam emails and exploit kits.
Crowti is similar to CryptoLocker in that it uses keys to encrypt the files on a PC and then demands payment to unlock them. Crowti usually brands itself with the name CryptoDefense or CryptoWall, and once triggered, victims are shown a message directing them to a Tor webpage that asks for payment in Bitcoin.
In the latest rash of attacks, computers in the United States have been most affected, accounting for 71% of total infections, followed by Canada, France and Australia.
“Crowti impacts both enterprise and home users; however, this type of threat can be particularly damaging in enterprise environments,” Microsoft said in an advisory on the Microsoft Malware Protection Center (MMPC) site.
Crowti is mainly being distributed via spam campaigns. It is also being distributed via exploit kits such as Nuclear, RIG and RedKit V2, which take advantage of unpatched Java and Flash vulnerabilities. Microsoft has also seen Win32/Crowti being installed by other malware, such as Upatre, Zbot and Zemot.
The spam emails carry attachments, usually a ZIP archive, that launch the malware when opened. “Attackers will usually try to imitate regular business transaction emails such as fax, voicemails or receipts,” Microsoft said. “If you receive an email that you’re not expecting, it’s best to ignore it.”
Crowti samples are also being distributed as digitally signed malware.
“On September 29, 2014 we saw a Crowti sample distributed with a valid digital certificate—since revoked,” Microsoft said. “Crowti has used digital certificates to bypass detection systems before — we have previously seen it using a certificate issued to The Nielsen Company.”
Of course, the best course of action is to avoid being infected in the first place. “There are a number of security precautions that can help prevent these attacks in both enterprise and consumer machines,” Microsoft said. “As well as being aware of suspicious emails and backing up your files, you should also keep your security products and other applications up-to-date.”