Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Fake Windows 10 Upgrade Emails Hide Ransomware

Cybercriminals are leveraging the launch of Microsoft’s Windows 10 operating system to trick users into installing a piece of ransomware on their systems.

Cybercriminals are leveraging the launch of Microsoft’s Windows 10 operating system to trick users into installing a piece of ransomware on their systems.

Since Microsoft announced last week that Windows 10 has become available in 190 countries as a free upgrade, the new operating system has been installed on tens of millions of computers. As with all major announcements, cybercriminals are leveraging news of the free upgrade for their own benefit.

Researchers at Cisco have spotted a spam campaign designed to distribute a piece of ransomware by promising recipients a free Windows 10 upgrade.

The fake emails carry the subject line “Windows 10 Free Update” and they appear to come from “[email protected]” The notifications might appear genuine to some regular users since they also contain a legitimate-looking disclaimer and a note that the message has been scanned for viruses and dangerous content.

However, a closer look reveals that the sender actually spoofed the originating email address, and the text of the emails contains several characters that haven’t been parsed properly.

The file attached to the bogus notifications,, is not a Windows 10 installer, but a variant of the CTB-Locker (Critroni) ransomware. Once it’s unzipped and executed, the malware encrypts the victim’s files and holds them for ransom.

Victims are given 96 hours to pay a certain amount of money in Bitcoin over the Tor network if they want to recover their files.

“Currently, Talos is detecting the ransomware being delivered to users at a high rate. Whether it is via spam messages or exploit kits, adversaries are dropping a huge amount of different variants of ransomware,” Cisco said in a blog post. “The functionality is standard however, using asymmetric encryption that allows the adversaries to encrypt the user’s files without having the decryption key reside on the infected system. Also, by utilizing Tor and Bitcoin they are able to remain anonymous and quickly profit from their malware campaigns with minimal risk.”

CTB-Locker attracted the attention of researchers last year due to its unusual cryptographic scheme, and because it was the first file-encrypting ransomware to use Tor.

Microsoft says Windows 10 introduces some advancements in security, including features for identity, information and device protection. Furthermore, Microsoft Edge, the successor of the Internet Explorer web browser, also brings significant improvements in security.

Researchers at Trend Micro analyzed Edge last week and determined that while the new browser is more secure, it also introduces new potential attack vectors.

“Microsoft Edge represents a clear improvement compared to Internet Explorer 11. Specifically, the improved sandbox and exploit mitigation techniques make exploiting Edge more difficult than its predecessor. In addition, the dropping of unused legacy features reduces the possible attack vectors into the browser,” explained Trend Micro researchers.

“Overall, we believe that Edge has reached a security parity with the Google Chrome browser, with both markedly superior to Mozilla Firefox. However, multiple attack surfaces still remain which can be used by an attacker. Given the sophistication and demands on modern browsers, this may well be inevitable,” they noted.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.