Security researchers with the San Jose, Calif.-based Cisco have warned users against opening email attachments that claim to be from the tech giant. These attachments, they said, contain malware that encrypts files until a ransom is paid.

Just days after Microsoft released its latest operating system, hackers began targeting soon-to-be Windows 10 users with new ransomware as part of an email spam campaign.

In a blog post, Cisco researcher Nick Biasini said, “This threat actor is impersonating Microsoft in an attempt to exploit their user base for monetary gain. The fact that users have to virtually wait in line to receive this update makes them even more likely to fall victim to this campaign.”

The emails state that their attachments include an installer that allows users to access the new operating system sooner. Microsoft released Windows 10 on July 29, and it will be available as a free upgrade to current users of Windows 7 or Windows 8.

“This is a typical ransomware scam that takes advantage of the recent release of the new Windows 10 to exploit unsuspecting victims for monetary gain,” Ondrej Krehel, founder/principal of the New York City-based cybersecurity intelligence firm LIFARS, explained. “The scam is highly effective, because so many Windows users want to get the update as soon as possible, making it easy for cybercriminals to trick them.”

Krehel advised users looking to upgrade to Windows 10 to use the Windows icon on the right side of the taskbar to track whether their update is ready, instead of opening emails claiming to be from Microsoft.

“Under no circumstances should users open any attachments,” he said. “This holds true for any email of unknown origins.”

Once a user downloads and opens the attached executable file, the malware payload executes, encrypting data on the affected computer and locking the owner out. The payload is CTB-Locker, a ransomware variant.

“Whether it is via spam messages or exploit kits, adversaries are dropping a huge amount of different variants of ransomware,” Krehel added.

CTB-Locker has some features that differ from those of other large-scale ransomware variants, according to Cisco.

Most variants use RSA for their asymmetric encryption, but CTB-Locker uses elliptic curve cryptography instead. According to Cisco, this still provides the same public-key/private-key encryption model but with a different algorithm, one that offers lower overhead and the same level of security at smaller key sizes. In addition, CTB-Locker gives users only 96 hours to pay for decryption, a shorter window than standard ransomware allows.

Another key difference relates to command-and-control communication. Recent versions of ransomware leverage compromised WordPress sites to serve as a drop point for information about the compromised host. CTB-Locker, however, appears to use hard-coded IP addresses on non-standard ports to establish communication. There is also a significant amount of data exchanged between the systems, which is largely uncharacteristic of ransomware.
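The C2 traits Cisco describes (direct-to-IP connections, non-standard ports, unusually large data exchange) can be turned into a simple network-detection heuristic. The following is an added example, not Cisco's or the article's code; the flow records, DNS log, port set and byte threshold are constructed assumptions for illustration.

```python
"""Flag outbound flows matching the CTB-Locker C2 pattern described in the article: direct-to-IP
connections (no DNS answer for the destination), non-standard ports, large data exchange.
All records below are constructed sample data, not real captures."""
from collections import namedtuple

# Ports a workstation normally talks to; anything else counts as non-standard
# (assumed set for this example, tune per environment).
STANDARD_PORTS = {80, 443, 53, 25, 587, 993, 995, 123}
# Bytes above which a flow counts as "a significant amount of data" (assumed threshold).
LARGE_FLOW_BYTES = 200_000

Flow = namedtuple("Flow", "src dst_ip dst_port bytes_out bytes_in")

# Constructed DNS answer log as (client, resolved_ip): destinations the host looked up first.
DNS_ANSWERS = {
    ("10.0.0.5", "93.184.216.34"),
    ("10.0.0.5", "203.0.113.10"),
}

# Constructed flow log; 198.51.100.7 is contacted without any DNS lookup.
FLOWS = [
    Flow("10.0.0.5", "93.184.216.34", 443, 4_200, 58_000),
    Flow("10.0.0.5", "203.0.113.10", 80, 1_100, 9_500),
    Flow("10.0.0.5", "198.51.100.7", 4182, 310_000, 120_000),
    Flow("10.0.0.5", "198.51.100.7", 4182, 900, 700),
]

def c2_indicators(flow, dns_answers):
    """Return the names of the indicators this flow matches, in a fixed order."""
    hits = []
    if (flow.src, flow.dst_ip) not in dns_answers:
        hits.append("no-dns-hardcoded-ip")
    if flow.dst_port not in STANDARD_PORTS:
        hits.append("non-standard-port")
    if flow.bytes_out + flow.bytes_in >= LARGE_FLOW_BYTES:
        hits.append("large-data-exchange")
    return hits

def suspicious_flows(flows, dns_answers, min_hits=2):
    """Flows matching at least min_hits indicators, as (flow, hits) pairs."""
    scored = [(f, c2_indicators(f, dns_answers)) for f in flows]
    return [(f, h) for f, h in scored if len(h) >= min_hits]

if __name__ == "__main__":
    for f, hits in suspicious_flows(FLOWS, DNS_ANSWERS):
        print(f"{f.src} -> {f.dst_ip}:{f.dst_port} {hits}")
```

Requiring two or more indicators keeps ordinary direct-to-IP traffic (software updaters, NTP) from alerting on its own.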

“Major operating system upgrades usually cause confusion among end-users and the current Windows 10 upgrade is no exception,” Stu Sjouwerman, founder/CEO of the Clearwater, Fla.-based security awareness training provider Knowbe4, said. “The bad guys exploit these confusions in several ways, mostly through massive phishing campaigns and with criminal call center operations that claim to be Microsoft tech support.”

Sjouwerman added that some campaigns will try to worry the user that their PC has changed somehow, causing access issues. Other phishing emails try to lure the user with links to a new, free version of Windows 10, or with zip file attachments that are in fact CTB-Locker ransomware.

“Be very careful with any email claiming to be from Microsoft about 'your Windows 10 Upgrade,'” Sjouwerman said.

Increased cybercrime activity recently prompted the Internet Crime Complaint Center to also issue an alert regarding an increasing number of complaints from businesses hit by Distributed Denial of Service extortion campaigns via email.


Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. He has also been writer/editor of a semi-annual newsletter for the Association for Financial Technology since 1997 and of history projects funded by the U.S. Interior Department, National Park Service and Warren County (N.Y.).