Scammers Launch Nefarious Email Campaign Disguising Ransomware As Windows 10

Windows 10 is off to a blazing fast start. The last official count had Windows 10 installed on more than 14 million devices in its first 24 hours, and unofficially there are now more than 67 million PCs and hybrids running the new OS. So naturally the bad guys are looking to capitalize on the situation, which they're doing via a nefarious ad campaign.

As you know, Windows 10 is a free upgrade for Windows 7 and Windows 8.1 users. Since Microsoft is doling out the upgrade in phases, there are millions of eligible people still waiting their turn, and that's what the malicious email campaign is based on.


Talos, Cisco's security intelligence and research group, discovered the spam campaign and dissected one of the emails for telltale signs, of which there are several. For example, the email it looked at appears to have come from the email address "update at microsoft dot com," but a peek at the header shows that it actually originated from an IP address in Thailand.

Other signs to look for include:

  • Blue and white color scheme
  • Characters that don't parse correctly
  • Techniques designed to make the email look authentic, such as a disclaimer message similar to the one used by Microsoft and a note claiming that the email was scanned for viruses by MailScanner


Savvy users aren't likely to fall for the scam, though less experienced users might. Even then, it requires downloading the attached ZIP file, extracting it, and running the executable.
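The header mismatch and the ZIP-with-executable attachment described above can both be checked mechanically. The following is an added example, not code from Talos or from this article; the hostnames, IP address (a documentation range) and file names in the sample message are constructed.

```python
import io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".js")

def origin_hop(msg):
    """Host and IP from the earliest Received header (the last one listed)."""
    hops = msg.get_all("Received") or []
    m = re.search(r"from\s+(\S+).*?\[([0-9a-fA-F.:]+)\]", str(hops[-1]), re.S) if hops else None
    return (m.group(1).lower(), m.group(2)) if m else (None, None)

def triage(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    host, ip = origin_hop(msg)
    # Heuristic: a mismatch is a cue to check SPF/DKIM and where the IP is located.
    if host and host != domain and not host.endswith("." + domain):
        findings.append(f"From claims {domain} but first hop is {host} [{ip}]")
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name.lower().endswith(EXEC_EXT):
                    findings.append(f"{part.get_filename()} contains executable {name}")
    return findings

def build_sample(host="host7.isp.example", ip="203.0.113.7", attach=True):
    """Constructed message: hosts, IP (TEST-NET-3) and file names are made up."""
    msg = EmailMessage()
    msg["Received"] = "from mx.rcpt.example ([192.0.2.10]) by mail.rcpt.example"
    msg["Received"] = f"from {host} ([{ip}]) by mx.rcpt.example"
    msg["From"] = "Microsoft <update@microsoft.com>"
    msg.set_content("Your upgrade is attached.")
    if attach:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("upgrade.exe", b"MZ inert placeholder bytes")
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="upgrade.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print("\n".join(triage(build_sample())))
```
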

The payload it carries is CTB-Locker, a ransomware variant. Those who fall prey to the scam will end up with their files encrypted and a demand for payment within 96 hours to decrypt them; otherwise the files stay locked up forever.

Bottom line? Be on the lookout for fake emails and, if applicable, warn your less savvy family and friends.