Hackers use Windows 10 to install ransomware on computers

Crafty ransomware hiding as operating system upgrade installer

Ransom note

Users have been warned not to fall for a scam that pretends to be a Windows 10 installer but in fact installs ransomware instead.

The email scam was discovered by security researchers at Cisco. The attackers sent out emails purporting to come from Microsoft, each carrying a zip file that the message claims is the Windows 10 upgrade; the messages in fact originated from an IP address in Thailand. The email's colour scheme closely mimics the Windows 10 update app, and the message even states that it “has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.”

The researchers said another red flag was that several characters in the email message had not parsed properly, which could be due to the attackers using a non-standard character set.
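The indicators described in the two paragraphs above (a sender claiming to be Microsoft, a zip "upgrade" attached, a scan verdict asserted inside the message body rather than by a gateway header, and unparsed characters) can be checked mechanically. The following is an added example, not code from Cisco or the article: it parses a constructed sample message with Go's standard library and returns each red flag it finds. The sample message, the `riskyExtensions` list and the "no DKIM pass" heuristic are assumptions made for the example.

```go
package main

import (
	"fmt"
	"io"
	"mime"
	"mime/multipart"
	"net/mail"
	"strings"
)

// SampleEmail is a constructed message carrying the indicators the article
// describes; it is not the real campaign message.
const SampleEmail = "From: \"Microsoft\" <update@microsoft.com>\r\n" +
	"Subject: Windows 10 Free Upgrade\r\n" +
	"MIME-Version: 1.0\r\n" +
	"Content-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n" +
	"--b1\r\nContent-Type: text/plain; charset=utf-8\r\n\r\n" +
	"Your free Windows 10 upgrade is attached. Run the installer in the zip file.\r\n" +
	"This message has been scanned for viruses and dangerous content by MailScanner, " +
	"and is believed to be clean.\r\nThank you \uFFFD Microsoft\r\n" +
	"--b1\r\nContent-Type: application/zip; name=\"Win10Installer.zip\"\r\n" +
	"Content-Disposition: attachment; filename=\"Win10Installer.zip\"\r\n" +
	"Content-Transfer-Encoding: base64\r\n\r\nUEsDBAo=\r\n--b1--\r\n"

// Archive and executable types a genuine OS upgrade never arrives as by mail
// (assumed list for this example).
var riskyExtensions = []string{".zip", ".rar", ".exe", ".scr", ".js"}

// Triage parses one raw RFC 5322 message and returns the red flags it finds.
func Triage(raw string) ([]string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	var flags []string
	// A microsoft.com From with no recorded DKIM pass is an unverified claim.
	if from, err := mail.ParseAddress(msg.Header.Get("From")); err == nil &&
		strings.HasSuffix(strings.ToLower(from.Address), "@microsoft.com") &&
		!strings.Contains(msg.Header.Get("Authentication-Results"), "dkim=pass") {
		flags = append(flags, "From claims microsoft.com but no DKIM pass recorded")
	}
	mediaType, params, err := mime.ParseMediaType(msg.Header.Get("Content-Type"))
	if err != nil {
		return nil, err
	}
	if !strings.HasPrefix(mediaType, "multipart/") {
		body, err := io.ReadAll(msg.Body)
		if err != nil {
			return nil, err
		}
		return append(flags, inspectText(string(body))...), nil
	}
	mr := multipart.NewReader(msg.Body, params["boundary"])
	for {
		part, err := mr.NextPart()
		if err == io.EOF {
			return flags, nil
		}
		if err != nil {
			return nil, err
		}
		if name := part.FileName(); name != "" {
			for _, ext := range riskyExtensions {
				if strings.HasSuffix(strings.ToLower(name), ext) {
					flags = append(flags, "executable-bearing attachment: "+name)
					break
				}
			}
			continue
		}
		text, err := io.ReadAll(part)
		if err != nil {
			return nil, err
		}
		flags = append(flags, inspectText(string(text))...)
	}
}

// inspectText checks a text part for the content-level indicators.
func inspectText(body string) []string {
	var flags []string
	// A scan verdict inside the body is text the sender typed; a real gateway
	// records its verdict in a header it adds itself.
	if strings.Contains(body, "MailScanner") && strings.Contains(body, "believed to be clean") {
		flags = append(flags, "body asserts its own antivirus verdict")
	}
	// U+FFFD or UTF-8-read-as-Latin-1 debris means the text did not parse cleanly.
	if strings.ContainsRune(body, '\uFFFD') || strings.Contains(body, "â€") {
		flags = append(flags, "unparsed characters in body")
	}
	return flags
}

func main() {
	flags, err := Triage(SampleEmail)
	fmt.Println("flags:", flags, "err:", err)
}
```

Run against the sample it reports four flags in order: the unverified Microsoft sender, the self-asserted scan verdict, the unparsed character, and the zip attachment. The point of the DKIM check is that a display name and From address are free for the sender to choose; only an authentication result added by the receiving gateway says anything about who really sent the message.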

The attachment is in fact the ransomware known as CTB-Locker. If run, the malware encrypts the files on the system and demands that a ransom be paid within 96 hours.

"Whether it is via spam messages or exploit kits, adversaries are dropping a huge amount of different variants of ransomware," according to Cisco's Talos security blog.

"The functionality is standard, however, using asymmetric encryption that allows the adversaries to encrypt the user's files without having the decryption key reside on the infected system. Also, by utilising Tor and Bitcoin they are able to remain anonymous and quickly profit from their malware campaigns with minimal risk."

Official upgrades arrive via Windows Update, not via email; users will see a notification when their system is ready to upgrade.

Fraser Kyne, principal systems engineer at Bromium, told SCMagazineUK.com that this is an example of how malware writers target their campaigns to have the most impact.

“People are understandably excited about the latest OS from Microsoft, and keen to get their hands on it. This simply translates to more clicks, and more people on the ransomware hook. Ransomware variations have been doubling every year for the past two years and continue to pose a significant threat to individuals and organisations,” said Kyne.

“Crypto-ransomware families are in a rapid ‘growth’ phase, with BitCoin as the desired currency for ransom and TOR as the desired channel to communicate – making them increasingly hard to detect or trace.”

Bryan Lillie, chief technical officer of cyber security at QinetiQ, told SCMagazineUK.com that updates like this are particularly suited to ransomware. “An ordinary phishing campaign may just require a user to click a link, at which point many will be stopped by their anti-virus software. When installing updates, users will happily run an executable file of the kind that allows ransomware to be installed. They are also more likely to click away warnings from anti-virus software, assuming that a Microsoft update must be safe,” he said.

Mark James, security specialist at ESET, told SCMagazineUK.com that the encryption used in the ransomware is known as Elliptic Curve encryption.

“It's quite a sophisticated form of encryption that encrypts the affected files with a unique key. This encryption may be used as it can create faster, smaller, and more efficient cryptographic keys than other encryption methods,” he said.

Richard Cassidy, technical director EMEA at Alert Logic, told SCMagazineUK.com that the choice of encryption shows how well thought out the campaign is by those who propagated it.

“Elliptic Curve Encryption (ECC) is, in short, less resource-intensive in encrypting the data, given the smaller key sizes needed to achieve the same level of cipher as found in traditional algorithms,” he said.

“I would suggest that the use of ECC here shows a well educated cell and one that understands time is indeed money – the faster your data is encrypted the better, and the use of more advanced algorithms to encrypt will add further weight to the intent behind the campaign and the fact that the only option to recover is to part with your money and meet the bitcoin ransom, unfortunately,” added Cassidy.
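The Talos quote earlier on the page (asymmetric encryption so the decryption key never resides on the infected system) and the elliptic-curve discussion in the last few paragraphs describe one construction: a public key travels with the payload, a fresh symmetric key encrypts the data, and only the holder of the matching private key can recover it. The following is an added example written for this page, not CTB-Locker's code or anything from Talos, Bromium, ESET or Alert Logic. It works on in-memory byte strings only and uses Go's standard library: X25519 key agreement (a 32-byte public key, which is the "smaller key size" the quotes refer to), a SHA-256 hash assumed here in place of HKDF for key derivation, and AES-256-GCM for the data. The function names and the blob layout are this example's own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

const (
	pubLen   = 32 // X25519 public key length
	nonceLen = 12 // AES-GCM standard nonce length
	tagLen   = 16 // AES-GCM authentication tag length
)

// GenerateOperatorKey makes the long-term keypair. Only PublicKey() would be
// embedded in a payload; the private half stays with whoever holds the key.
func GenerateOperatorKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// deriveKey turns the raw ECDH shared secret into a 256-bit AES key.
// Assumption: one SHA-256 over (secret || ephemeral pub || recipient pub)
// stands in for HKDF; binding both public keys into the hash is what matters.
func deriveKey(secret, ephPub, recipPub []byte) []byte {
	h := sha256.New()
	h.Write(secret)
	h.Write(ephPub)
	h.Write(recipPub)
	return h.Sum(nil)
}

// Seal encrypts plaintext for recipPub using a fresh ephemeral key.
// Layout of the result: ephemeralPub(32) || nonce(12) || ciphertext || tag(16).
func Seal(recipPub *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	secret, err := eph.ECDH(recipPub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	block, err := aes.NewCipher(deriveKey(secret, ephPub, recipPub.Bytes()))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := append(append([]byte{}, ephPub...), nonce...)
	// The ephemeral private key and the derived AES key go out of scope here;
	// nothing that remains on this host can undo the encryption.
	return gcm.Seal(out, nonce, plaintext, ephPub), nil
}

// Open is the inverse; it needs the long-term private key, which never left
// the key holder. The ephemeral public key is bound in as GCM additional data.
func Open(priv *ecdh.PrivateKey, sealed []byte) ([]byte, error) {
	if len(sealed) < pubLen+nonceLen+tagLen {
		return nil, errors.New("sealed blob too short")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(sealed[:pubLen])
	if err != nil {
		return nil, err
	}
	secret, err := priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(deriveKey(secret, sealed[:pubLen], priv.PublicKey().Bytes()))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := sealed[pubLen : pubLen+nonceLen]
	return gcm.Open(nil, nonce, sealed[pubLen+nonceLen:], sealed[:pubLen])
}

func main() {
	priv, _ := GenerateOperatorKey()
	sealed, _ := Seal(priv.PublicKey(), []byte("constructed sample file contents"))
	fmt.Printf("public key %d bytes, sealed blob %d bytes\n", len(priv.PublicKey().Bytes()), len(sealed))
	plain, err := Open(priv, sealed)
	fmt.Printf("recovered with private key: %q (err=%v)\n", plain, err)
}
```

The design point for a defender is in `Seal`: the only secret material the encrypting side ever holds is an ephemeral key that is discarded immediately, so forensic recovery of the running process does not yield anything that decrypts the output. The same construction is what makes offline backups, rather than key recovery from the infected machine, the realistic remedy. A 32-byte public key fits in a payload far more easily than an RSA modulus of comparable strength, which is the practical reason ECC is attractive here, though the per-file work is dominated by the symmetric cipher either way.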

Carl Leonard, principal security analyst at Websense, said the campaign was short-lived, lasting about 50 hours from its start on 31 July.

“We observed the campaign was not just sent from Thailand, but also from Russia and Ukraine,” he told SCMagazineUK.com.

“This campaign highlights how malware authors continue to adopt more advanced practices. Different encryption algorithms give lower overhead, which shows continual enhancement and investment by threat actors.”

Kyne said the only meaningful way to prevent these attacks is to isolate them. “You can simply make them irrelevant through micro-virtualisation. If the ransomware detonates in an isolation container it can encrypt whatever it likes, because it's not encrypting anything you care about; just a tiny VM that was created for it.”

“Don't play a game when the other team is infinitely better equipped than you. Change the game so that they can no longer play,” he added.