As you can see the email pretends to be from the email address firstname.lastname@example.org and contains the subject [b]Windows 10 Free Update. Even the email message looks legitimate with no spelling mistakes or strange grammar. This is because the content is copied directly from Microsoft's site. The only tell-tale sign is that there will be some characters that do not render properly. Unfortunately, this small sign will not be enough for many people to notice.
Image of fake Windows Update Email courtesy of Cisco
Furthermore, once they download the attachment and extract it, the attached Win10Installer.exe icon will be the familiar Windows 10 logo.
It isn't until you inspect the file properties of the attachment, do you see that something is not right as its file description will be iMacros Web Automation and the copyright for the program will belong to Ipswitch. Ipswitch is a legitimate company and not the ones who released this malware.
Finally, if a user double-clicks on the Win10Installer.exe file, they will not be greeted with the normal Windows 10 upgrade screen. Instead, after a brief delay they will be shown the screen for the CTB-Locker ransomware.
At this point, the computer's data will be encrypted and there is not much that can be done about it.