"Updating the system to Windows 10" and CTB-Locker in spam

If you are one of the users who will try to upgrade to Windows 10 in the near future, be especially careful with fake e-mails sent in Microsoft's name. Citing Microsoft and the recent problems with access to the company's servers, Internet criminals offer to "help" with a free system update that starts once the attachment is downloaded and run.

According to the McAfee Labs Threats Report of May 2015, ransomware threats in 2015 reap their harvest 165% more often than twelve months earlier. The most popular of them are CTB-Locker, Teslacrypt, new versions of CryptoWall, TorrentLocker and BandarChor. Ransomware from the CTB family has proved to be the most dangerous, because it uses the TOR network to communicate with the C2 server, which makes it almost impossible to locate and take down that server.

Security experts from Cisco Talos Security have analyzed several of these e-mails. It turned out that the spam contains a ZIP attachment and that, after it is unpacked, the computer will be infected with a threat called CTB-Locker. All executable files will be encrypted.

The cybercriminals behind this attack took care to spoof the sender's e-mail address well: even after the address details are expanded, the message looks as if it was sent from the microsoft.com domain (update@microsoft[.]com). A closer examination of the message header shows, however, that the IP address from which the spam was sent is registered in Thailand.

The footer of the message may also suggest at first glance that the message is safe and has been scanned by the MailScanner anti-spam solution.

Unknown samples

  • Subject: Windows 10 Free Upgrade
  • Attachment: Win10Installer.zip (with Win10Installer.exe inside)
  • SHA256: ec33460954b211f3e65e0d8439b0401c33e104b44f09cae8d7127a2586e33df4 (ZIP)
  • SHA256: aa763c87773c51b75a1e31b16b81dd0de4ff3b742cec79e63e924541ce6327dd (EXE)
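
The indicators above can be checked automatically at a mail gateway or during triage. The following Python sketch is an added example, not code from Cisco Talos or from this article; the function names, the extension list, the size limit and the sample message (built from harmless placeholder data and a documentation IP address) are assumptions.

```python
import email, email.policy, hashlib, io, re, zipfile
from email.message import EmailMessage
from email.utils import parseaddr

# SHA-256 values copied from the sample list above (ZIP, then EXE)
KNOWN_SHA256 = {
    "ec33460954b211f3e65e0d8439b0401c33e104b44f09cae8d7127a2586e33df4",
    "aa763c87773c51b75a1e31b16b81dd0de4ff3b742cec79e63e924541ce6327dd",
}
EXEC_EXT = (".exe", ".scr", ".com", ".pif")  # assumption: treated as executable
MAX_MEMBER = 50 * 1024 * 1024                # assumption: do not hash larger members

def triage(raw: bytes) -> list:
    """Return a list of findings for one raw e-mail message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    if "windows 10" in str(msg["Subject"] or "").lower():
        findings.append("subject mentions Windows 10")
    # The displayed From is forgeable; the Received chain shows the relays.
    received = " ".join(msg.get_all("Received", []))
    ips = re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received)
    if parseaddr(str(msg["From"] or ""))[1].lower().endswith("@microsoft.com"):
        findings.append(f"From claims microsoft.com; check relay IPs {ips}")
    for part in msg.iter_attachments():
        data, name = part.get_payload(decode=True) or b"", part.get_filename() or "?"
        if hashlib.sha256(data).hexdigest() in KNOWN_SHA256:
            findings.append(f"{name}: SHA-256 matches published sample")
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(EXEC_EXT):
                    findings.append(f"{name}: contains executable {info.filename}")
                readable = not info.flag_bits & 0x1 and info.file_size <= MAX_MEMBER
                if readable and hashlib.sha256(zf.read(info)).hexdigest() in KNOWN_SHA256:
                    findings.append(f"{name}/{info.filename}: SHA-256 matches published sample")
    return findings

def build_sample() -> bytes:
    """Constructed, harmless message: the ZIP member is a text placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Win10Installer.exe", b"placeholder, not a real binary")
    m = EmailMessage()
    m["From"], m["Subject"] = "update@microsoft.com", "Windows 10 Free Upgrade"
    m["Received"] = "from mail.example.net ([203.0.113.7]) by mx.example.org"
    m.set_content("constructed sample body")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Win10Installer.zip")
    return m.as_bytes()
```

Calling `triage(build_sample())` reports the subject, the spoofed sender with the relay address to look up, and the executable inside the ZIP; the hash findings appear only for the real samples.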

During data encryption, the ransomware uses CryptoAPI to generate random data together with Elliptic Curve Cryptography (ECC) mechanisms, which at the moment make recovery of data attacked in this way impossible. Moreover, thanks to the use of the TOR network and the Bitcoin cryptocurrency, the spam campaign can remain active and difficult to detect.

Other issues are also interesting. The analyzed CTB-Locker samples differ from the other variants that malware researchers from Cisco Talos have encountered. First, CTB actually encrypts files using ECC. Second, CTB-Locker gives users only 96 hours to pay a ransom, which has long been the standard. The key difference, however, is the way in which the malware communicates with the C2 server. To obtain the IP addresses of C2 servers, the analyzed CTB-Locker sample used infected websites based on the WordPress CMS, and the infected machine communicates with the IP addresses of these WordPress-based websites on non-standard ports (9001, 443, 1443 and 666).

How to protect yourself?

With threats that encrypt data, prevention is almost the only, and the best, way out. First, you can always use the latest Arcabit software, which with SafeStorage will restore infected files in several seconds, even after they have been encrypted. Second, make sure that the antivirus software has an automatic or "on demand" sandbox, so that "uncertain" files can be run in an isolated and secure virtualized runtime environment. Third, backup: in moments of horror it is worth having a system backup / snapshot or a backup of all the most-needed data.


