As you know, Windows 10 is a free upgrade for Windows 7 and Windows 8.1 users. Since Microsoft is doling out the upgrade in phases, there are millions of eligible people still waiting their turn, and that's what the malicious email campaign is based on.
Cisco's security intelligence and research group called Talos discovered the spam campaign. It also dissected one of the emails for some telltale signs, of which there are several. For example, the email it looked at appears to have come from the email address "update at microsoft dot com," but a peek at the header shows that it actually originated from an IP address in Thailand.
Other signs to look for include:
- Blue and white color scheme
- Characters that don't parse correctly
- Techniques designed to make the email look authentic, such as a disclaimer message similar to the one used by Microsoft and a note claiming that the email was scanned for viruses by MailScanner
Savvy users aren't likely to fall for the scam, though less experienced users might. Even then, it requires downloading the attached ZIP file, extracting it, and running the executable.
The payload it carries is CTB-Locker, which is a ransomware variant. Those who fall prey to the scam will end up with their files encrypted and a demand for payment within 96 hours in order to decrypt them or have them locked up forever.
Bottom line? Be on the lookout for fake emails and, if applicable, warn your less savvy family and friends.