Security Experts:

Fake Windows 10 Upgrade Emails Hide Ransomware

Cybercriminals are leveraging the launch of Microsoft’s Windows 10 operating system to trick users into installing a piece of ransomware on their systems.

Since Microsoft announced last week that Windows 10 has become available in 190 countries as a free upgrade, the new operating system has been installed on tens of millions of computers. As with all major announcements, cybercriminals are leveraging news of the free upgrade for their own benefit.

Researchers at Cisco have spotted a spam campaign designed to distribute a piece of ransomware by promising recipients a free Windows 10 upgrade.

The fake emails carry the subject line “Windows 10 Free Update” and they appear to come from “[email protected]” The notifications might appear genuine to some regular users since they also contain a legitimate-looking disclaimer and a note that the message has been scanned for viruses and dangerous content.

However, a closer look reveals that the sender actually spoofed the originating email address, and the text of the emails contains several characters that haven’t been parsed properly.

The file attached to the bogus notifications,, is not a Windows 10 installer, but a variant of the CTB-Locker (Critroni) ransomware. Once it’s unzipped and executed, the malware encrypts the victim’s files and holds them for ransom.

Victims are given 96 hours to pay a certain amount of money in Bitcoin over the Tor network if they want to recover their files.

“Currently, Talos is detecting the ransomware being delivered to users at a high rate. Whether it is via spam messages or exploit kits, adversaries are dropping a huge amount of different variants of ransomware,” Cisco said in a blog post. “The functionality is standard however, using asymmetric encryption that allows the adversaries to encrypt the user’s files without having the decryption key reside on the infected system. Also, by utilizing Tor and Bitcoin they are able to remain anonymous and quickly profit from their malware campaigns with minimal risk.”

CTB-Locker attracted the attention of researchers last year due to its unusual cryptographic scheme, and because it was the first file-encrypting ransomware to use Tor.

Microsoft says Windows 10 introduces some advancements in security, including features for identity, information and device protection. Furthermore, Microsoft Edge, the successor of the Internet Explorer web browser, also brings significant improvements in security.

Researchers at Trend Micro analyzed Edge last week and determined that while the new browser is more secure, it also introduces new potential attack vectors.

“Microsoft Edge represents a clear improvement compared to Internet Explorer 11. Specifically, the improved sandbox and exploit mitigation techniques make exploiting Edge more difficult than its predecessor. In addition, the dropping of unused legacy features reduces the possible attack vectors into the browser,” explained Trend Micro researchers.

“Overall, we believe that Edge has reached a security parity with the Google Chrome browser, with both markedly superior to Mozilla Firefox. However, multiple attack surfaces still remain which can be used by an attacker. Given the sophistication and demands on modern browsers, this may well be inevitable,” they noted.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.