Security experts are warning Windows fans not to fall for a new spam campaign designed to trick users waiting for the new version of the OS to open an attachment crammed with ransomware.
Cisco’s Talos team claimed in a blog post that the spam run was a typical attempt to coat tail a popular event in order to get the attention of as many email recipients as possible.
“The fact that users have to virtually wait in line to receive this update, makes them even more likely to fall victim to this campaign,” it argued.
The spammers themselves have taken several steps to make their emails appear to have been sent by Microsoft, including a spoofed “from” address of ‘update@microsoft.com’—even though the IP address is linked to a machine in Thailand.
The color scheme used throughout the unsolicited message is also very similar to that use by the Windows team, and the attackers have added in both a disclaimer and a message claiming the email has been scanned by anti-virus.
However, they failed to spot several mistakes in the text of the message—characters which haven’t parsed properly.
“This could be due to the targeted audience, a demographic using a non-standard character set, or the character set the adversaries were using to craft the email,” Talos claimed.
If a user is tricked into opening the zip attachment to get their copy of ‘Windows 10’ and runs the corresponding executable, they will find their machine made unusable thanks to CTB-Locker.
This crypto-ransomware variant gives users 96 hours to pay a fee or face all of their computer files being lost forever.
It uses elliptical curve encryption—which is said to have lower overheads than other types—and hosts much of its infrastructure on Tor to avoid detection. Users must make payments in Bitcoins to make tracking even more difficult.
“The threat of ransomware will continue to grow until adversaries find a more effective method of monetizing the machines they compromise,” Talos warned. “As a defense, users are encouraged to backup their data in accordance with best practices. These backups should be stored offline to prevent them from being targeted by attackers.”