CTB-Locker ransomware being pushed by fake Windows 10 Update emails


18 replies to this topic

#1 Grinler (Lawrence Abrams, Admin)

Posted 03 August 2015 - 01:16 PM

With the highly publicized release of Microsoft's Windows 10 on July 29th, scammers and malware developers were quick to jump in and use it as a method of distributing malware. Cisco's Talos Group has discovered an email campaign underway that pretends to be from Microsoft and contains an attachment that will supposedly allow you to upgrade to Windows 10. In reality, though, this email is fake and once you double-click on the attached file, you will instead become infected with the encrypting ransomware CTB-Locker.

[Image: fake Windows Update email, courtesy of Cisco]

As you can see, the email pretends to be from the email address update@microsoft.com and contains the subject Windows 10 Free Update. Even the email message looks legitimate, with no spelling mistakes or strange grammar. This is because the content is copied directly from Microsoft's site. The only tell-tale sign is that there will be some characters that do not render properly. Unfortunately, this small sign will not be enough for many people to notice.

Furthermore, once they download the attachment and extract it, the attached Win10Installer.exe icon will be the familiar Windows 10 logo.

[Image: win10installer-file.jpg]

It isn't until you inspect the file properties of the attachment that you see something is not right: its file description is iMacros Web Automation and the copyright for the program belongs to Ipswitch. Ipswitch is a legitimate company and not the one who released this malware.

[Image: win10installer-file-properties.jpg]

Finally, if a user double-clicks on the Win10Installer.exe file, they will not be greeted with the normal Windows 10 upgrade screen. Instead, after a brief delay they will be shown the screen for the CTB-Locker ransomware.

[Image: ctb-locker.jpg]

At this point, the computer's data will be encrypted and there is not much that can be done about it.
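The property-sheet check described in this post (the file says "Windows 10" on the outside, but its version strings name iMacros and Ipswitch) can be automated. The following is an added example, not code from the post or from Cisco Talos: it finds the VS_VERSION_INFO resource in a PE by its UTF-16 key and walks the StringFileInfo tree, which is the same data Explorer shows on the Details tab. SAMPLE_PE is a constructed stand-in (a fake MZ stub plus a hand-built version block), not the real Win10Installer.exe; the exact LegalCopyright text and the vendor_mismatch heuristic are assumptions.

```python
"""Read the VersionInfo strings of a Windows PE without a PE library.

Added example (not code from the post or from Cisco Talos). It locates the
VS_VERSION_INFO block in the raw file bytes by its UTF-16 key and walks the
StringFileInfo tree, the same data Explorer shows on the Details tab.
"""
import struct
import sys


def _utf16z(s):
    return (s + "\0").encode("utf-16-le")


def _pad4(n):
    return (4 - n % 4) % 4


def _parse(buf, off, base):
    """Parse one version block at `off`; returns (node, end_offset).
    Padding is relative to `base`, the start of VS_VERSION_INFO."""
    def align(p):
        return p + (base - p) % 4

    wlen, vlen, wtype = struct.unpack_from("<HHH", buf, off)
    end = off + wlen
    p = off + 6
    q = p
    while q < end and buf[q:q + 2] != b"\0\0":   # UTF-16 NUL terminator of szKey
        q += 2
    key = buf[p:q].decode("utf-16-le")
    p = align(q + 2)
    if wtype == 1:                                # text value, wValueLength in chars
        value = buf[p:p + vlen * 2].decode("utf-16-le").rstrip("\0")
        p = align(p + vlen * 2)
    else:                                         # binary value, wValueLength in bytes
        value = buf[p:p + vlen]
        p = align(p + vlen)
    children = []
    while p < end:
        child, p = _parse(buf, p, base)
        children.append(child)
        p = align(p)
    return {"key": key, "value": value, "children": children}, end


def extract_version_strings(data):
    """Return {StringName: value} from the first VS_VERSION_INFO found in `data`."""
    sig = "VS_VERSION_INFO".encode("utf-16-le")
    i = data.find(sig)
    if i < 6:
        return {}
    base = i - 6                                  # back over wLength/wValueLength/wType
    root, _ = _parse(data, base, base)
    out = {}
    for sfi in root["children"]:
        if sfi["key"] != "StringFileInfo":
            continue
        for table in sfi["children"]:
            for s in table["children"]:
                out[s["key"]] = s["value"]
    return out


def vendor_mismatch(filename, info):
    """The tell from the post: name/icon claim a Windows installer, but no
    version string names Microsoft. Heuristic is an assumption, not a rule."""
    claims_windows = any(t in filename.lower() for t in ("win10", "windows"))
    blob = " ".join(info.get(k, "") for k in
                    ("CompanyName", "FileDescription", "LegalCopyright", "ProductName")).lower()
    return claims_windows and "microsoft" not in blob


# --- constructed sample: a fake MZ stub plus a hand-built version block ---
def _block(key, wtype, value, children=b""):
    vlen = len(value) // 2 if wtype == 1 else len(value)
    body = _utf16z(key)
    body += b"\0" * _pad4(6 + len(body)) + value
    if children:
        body += b"\0" * _pad4(6 + len(body)) + children
    return struct.pack("<HHH", 6 + len(body), vlen, wtype) + body


def _pad(b):
    return b + b"\0" * _pad4(len(b))


_STRINGS = {"FileDescription": "iMacros Web Automation",       # as in the post
            "LegalCopyright": "Copyright Ipswitch, Inc."}      # wording assumed
_table = _block("040904B0", 1, b"",
                b"".join(_pad(_block(k, 1, _utf16z(v))) for k, v in _STRINGS.items()))
_sfi = _block("StringFileInfo", 1, b"", _pad(_table))
_fixed = struct.pack("<I", 0xFEEF04BD) + b"\0" * 48           # VS_FIXEDFILEINFO, zeroed
SAMPLE_PE = b"MZ\x90\x00" + b"\0" * 60 + _block("VS_VERSION_INFO", 0, _fixed, _pad(_sfi))

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE_PE
    info = extract_version_strings(data)
    for k, v in info.items():
        print(f"{k}: {v}")
    print("vendor mismatch:", vendor_mismatch(path or "Win10Installer.exe", info))
```

Run it with a path to any PE to dump its version strings; with no argument it uses the constructed sample. Scanning for the UTF-16 key instead of walking the resource directory is a shortcut that works because the resource data is stored uncompressed in .rsrc; a packed sample would need unpacking first.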


#2 gigawert (Computer Consultant)

Posted 03 August 2015 - 01:25 PM

That sounds creepy... You can't even hook up your hard drive to another computer and access the files?


John 3:16

 "God loved the world so much that He gave His uniquely-sired Son, with the result that anyone who believes in Him would never perish but have eternal life."


#3 Sintharius (Bleepin' Sniper)

Posted 03 August 2015 - 01:37 PM

gigawert wrote:
That sounds creepy... You can't even hook up your hard drive to another computer and access the files?

Since the files themselves are encrypted, no you can't.

#4 gigawert (Computer Consultant)

Posted 03 August 2015 - 01:39 PM

I thought it was some phony message. Now it seems even creepier...




#5 Sintharius (Bleepin' Sniper)

Posted 03 August 2015 - 01:48 PM

There used to be those "phony message" ransomware like Reveton, but they have quickly fallen out of favor and been replaced with this crypto ransomware, because the damage is very real with these. And victims are commonly forced to pay since they will lose all their files without backups.

#6 gigawert (Computer Consultant)

Posted 03 August 2015 - 01:51 PM

How much does it usually cost to have your files decrypted?




#7 Sintharius (Bleepin' Sniper)

Posted 03 August 2015 - 01:55 PM

It depends on the ransomware, and even the variants of the same ransomware (different affiliates want different payments).

#8 Firehouse

Posted 03 August 2015 - 02:07 PM

I wouldn't pay for "further" development of ransomware. TimeFreeze is good against this stuff :D



#9 Angoid (Security Colleague)

Posted 04 August 2015 - 02:43 AM

I guess I knew it wouldn't be long before the criminal underground exploited this.

 

Grinler linked the article about CTB-Locker in his article, but here it is again:

http://www.bleepingcomputer.com/virus-removal/ctb-locker-ransomware-information

 

Although you can receive legitimate emails from Microsoft if you're signed up to certain services, etc., they never send attachments AFAIK. So if you receive an email purportedly from Microsoft telling you to run an attached executable file, then you should be suspicious straight away.


Helping a loved one through a mental health issue?  Remember ALGEE...

Assess the risk | Listen nonjudgementally | Give reassurance and info | Encourage professional help | Encourage self-help and support network

#10 PresComm

Posted 04 August 2015 - 10:35 AM

...So if you receive an email purportedly from ANYONE telling you to run an attached executable file, then you should be suspicious straight away.

There. I fixed it for you!

But, seriously, the worst part is how legitimate this looks. I have seen malicious e-mails with far less polishing that still managed to trick end users. When something this legit comes along, you know the success rate is going to be painful.

Edited by PresComm, 04 August 2015 - 10:36 AM.


#11 BeckoningChasm

Posted 04 August 2015 - 02:14 PM

Ideally, a user should always have an up-to-date offline backup.



#12 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 04 August 2015 - 04:21 PM

Microsoft Safety & Security Center

...Cybercriminals often use the names of well-known companies, like ours, in their scams....We do not send unsolicited email messages....If you receive an unsolicited email message or phone call that purports to be from Microsoft...delete the message or hang up the phone.

Avoid scams that use the Microsoft name fraudulently
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
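Posts #9, #10 and #12 reduce to one rule: an unsolicited message that tells you to run an attached executable is suspicious whoever it claims to be from, and Microsoft in particular says it does not send unsolicited mail. The following is an added example, not code from the thread or from Microsoft, of that rule written as mail-gateway triage logic: it parses an RFC 5322 message, unwraps a zip attachment, and flags anything that is a PE by its MZ header (not just by extension), plus a sender that claims microsoft.com without passing SPF and DKIM. The sample message, its Authentication-Results header, the recipient address and the zipped Win10Installer.exe stub are all constructed, not the real campaign sample.

```python
"""Triage an inbound mail the way posts #9, #10 and #12 suggest: a message that
claims to come from Microsoft (or anyone) and carries a runnable attachment is
suspicious on its face. Added example, not code from the thread; the sample
message, its Authentication-Results header and the zipped 'Win10Installer.exe'
stub are constructed, not the real campaign sample.
"""
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs",
            ".jar", ".msi", ".hta"}
MAX_INNER = 50 * 1024 * 1024   # refuse to inflate zip members larger than this


def _expand(name, data):
    """Yield (name, bytes) for the attachment itself, or for each member if it is a zip."""
    if data[:2] == b"PK" and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for info in z.infolist():
                if info.is_dir() or info.file_size > MAX_INNER:
                    continue
                yield f"{name}/{info.filename}", z.read(info)
    else:
        yield name, data


def triage(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = str(msg.get("From", "")).lower()
    auth = str(msg.get("Authentication-Results", "")).lower()
    # A microsoft.com sender that the receiving MX could not authenticate.
    if "microsoft.com" in sender and not ("spf=pass" in auth and "dkim=pass" in auth):
        findings.append("From claims microsoft.com but message did not pass SPF and DKIM")
    for part in msg.iter_attachments():
        fname = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        for inner, blob in _expand(fname, payload):
            ext = os.path.splitext(inner)[1].lower()
            if blob[:2] == b"MZ":             # PE header, whatever the name says
                findings.append(f"executable attachment (PE header): {inner}")
            elif ext in EXEC_EXT:
                findings.append(f"executable attachment (by extension): {inner}")
    return findings


def build_sample_eml(with_exe=True, authenticated=False):
    """Constructed lookalike of the campaign mail described in post #1."""
    msg = EmailMessage()
    msg["From"] = "update@microsoft.com"
    msg["To"] = "victim@example.com"          # placeholder recipient
    msg["Subject"] = "Windows 10 Free Update"
    msg["Authentication-Results"] = (
        "mx.example.com; spf=pass; dkim=pass" if authenticated
        else "mx.example.com; spf=fail smtp.mailfrom=microsoft.com; dkim=none")
    msg.set_content("Your free Windows 10 upgrade is attached. Run the installer to begin.")
    if with_exe:
        zbuf = io.BytesIO()
        with zipfile.ZipFile(zbuf, "w") as z:
            z.writestr("Win10Installer.exe", b"MZ\x90\x00" + b"\0" * 60)   # fake PE stub
        msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                           filename="Win10Installer.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("phish", build_sample_eml()),
                       ("clean", build_sample_eml(with_exe=False, authenticated=True))):
        print(label, triage(raw) or ["no findings"])
```

Checking the MZ bytes rather than the extension is the point: a renamed or double-extension file still starts with the PE stub. The size cap on zip members is there so a crafted archive cannot make the triage step itself inflate gigabytes.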

#13 Cauthon

Posted 05 August 2015 - 06:48 PM

I ran into one of those today, and it may have downloaded its file, but fortunately I checked here before going any farther and found this thread. I shut off the modem to prevent any further contact, and ran MBAM, which checked about 400,000 items and did not find any problems. Just now, after reading some more, I asked Windows Explorer to search for "iMacros" and it said it did not find that. OTOH, I do not have a lot of confidence in Windows Explorer for finding malware files, especially in Windows 7.

 

I also ran HijackThis, shortly after the beginning of this incident, and I copied the log to a spreadsheet and told it to search for "macro" and it found that word in one item but it does not appear to be iMacros.

 

Toward the beginning I also told Windows Explorer to list all files by date, hoping to be able to spot new files added today, but there were so many files that I couldn't check them. Life was easier in the good old days when the operating system was not continuously re-inventing itself, changing just for fun:-(

 

So, I may be ok. I do not recall any popup from Windows 7, asking if it is OK to download a file, and so far I have not found the file. I certainly will not be opening it if I do find it:-)

 

Any suggestions for where do we go from here, which is the way that's clear? I read somewhere that people have tried clearing an area of land mines by driving a herd of pigs over the ground; I suppose I could try that but I don't know anybody around here who raises pigs, and they would probably make quite a mess of the computer, so I'm hoping to find some other solution:-)


Edited by Cauthon, 05 August 2015 - 07:00 PM.


#14 Cauthon

Posted 06 August 2015 - 08:07 AM

So, I cranked up the computer this morning and here is a cheery notice saying my free upgrade is ready; I suppose that means that their file is in my machine somewhere, and something started up with Windows, but it has not killed my files yet. Other software seems to be running OK. MBAM started up automatically and scanned 401,541 items and did not find anything. I have Avast hunting now (always did enjoy hunting) but it is going to take a while. I have not dared to try to close the message, in case any contact with it might set it off. I plan to wait until Avast gets done, in case it finds something, then shut down and re-start in safe mode again and go hunting.

 

I have a nice, shiny new external hard drive that I just bought recently and have not done much with. I started it up once and I was surprised to see that before I told it to do anything it had a copy of the recycle bin from my computer on it. So my plan for that is to run in safe mode, copy everything that is on the external drive into a new folder on the main hard drive, then erase whatever I can erase off the external drive, and divide it into partitions, and start backing stuff up from the main drive. The new visitor has made backups a higher priority so I hope to get into that today.

 

Any advice would be appreciated.



#15 Sintharius (Bleepin' Sniper)

Posted 06 August 2015 - 08:16 AM

Hi Cauthon,

If you have the Get Windows 10 icon in your system tray, that means it is the legit upgrade notification from Microsoft. The aforementioned ransomware is distributed via emails.



