Hackers Sending Fake Windows 10 Upgrade Ransomware Email, Encrypts Every File

It has not even been a week since the release, yet hackers have already begun targeting existing Windows users by sending them ransomware via spoofed email which, once run, encrypts every file on the computer.

The zipped attachment in the email, which appears to be a Windows 10 installer sent by Microsoft, is not the operating system at all but ransomware.

Windows 10 was officially released to the public on July 29th as a free-of-charge upgrade for all Windows 7 and Windows 8 users. To date, more than 14 million systems have been successfully upgraded to the latest release of Windows, but millions of users are still waiting to receive an official upgrade notification from Microsoft.

Microsoft has released an app called Get Windows 10 which notifies users once their computer has been cleared to upgrade. Until then, the app shows a simple message that reads “Watch for your notification so that you can start your upgrade. Your notification to upgrade could come as soon as a few days or weeks.”

Researchers at Cisco have warned impatient Windows users not to fall for a Windows 10 upgrade scam; the fact that users have to wait for the upgrade to become available makes them all the more susceptible to it.

Hackers have seen this waiting period as an opportunity to exploit users who are impatient to upgrade their existing Windows to the latest release. They are sending out spoofed emails about the Windows 10 upgrade with a zipped attachment that, once executed, installs ransomware on the targeted computer, encrypting all the files, pictures, documents and other important data on the hard drive.

Scrutinizing the Ransomware Email

The researchers scrutinized the spoofed email and noted four key indicators in the message that every user should watch out for.

First, watch the From address. The hackers have skilfully spoofed the sender’s address to make the message look as if it was sent by Microsoft, i.e. <update@microsoft.com>, which is what persuades the recipient to read further. Yet a closer look at the email’s headers reveals that it originated from an Internet Protocol (IP) address allocated to Thailand.

Second, to make the email more convincing and persuade the recipient that it was sent by Microsoft, the hackers have done their best to imitate the color scheme used by Microsoft.

Third, and the easiest indicator to notice: the researchers found a couple of red flags in the message text itself. Many characters do not parse correctly, because the hackers used a non-standard character set when producing the email.

Fourth, to lend the email authenticity, the hackers included a disclaimer that looks exactly like the one used by Microsoft, i.e. “This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.” To further convince targeted users that the attachment is not malware, the closing message also links to MailScanner, the website of a genuine open source email filtering tool.
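As an added example that is not part of the original article, the following Python script turns the four indicators above into triage checks and runs them over a constructed sample message; the hostnames, the RFC 5737 test IP and the attachment name are assumptions, not values from the real message. An offline script cannot geolocate the origin IP, so the first check instead flags a mismatch between the claimed From domain and the first visible hop in the Received headers.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the indicators above (not the real message): From: claims
# microsoft.com, a non-Microsoft first hop (RFC 5737 test IP), a non-standard charset,
# a pasted MailScanner disclaimer and a zipped attachment.
SAMPLE = b"""Received: from mail.example-th.test ([203.0.113.45]) by mx.example.test; Sat, 1 Aug 2015 10:00:00 +0000
From: Microsoft Update <update@microsoft.com>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="koi8-r"

Your Windows 10 upgrade is attached. This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
--b1
Content-Type: application/zip; name="Win10_Installer.zip"
Content-Disposition: attachment; filename="Win10_Installer.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

CLAIMED_DOMAIN = "microsoft.com"
COMMON_CHARSETS = {"us-ascii", "utf-8", "iso-8859-1", "windows-1252"}

def triage(raw: bytes) -> list[str]:
    # Returns the indicators that fire on a raw message; an empty list means none fired.
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # 1. From: is trivially spoofed, so compare its domain with the host that first handed
    #    the message to our MTA: the last Received: header is the earliest visible hop.
    claimed = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    first_hop = (msg.get_all("Received") or [""])[-1]
    m = re.search(r"from\s+(\S+)\s*\(\[?(\d{1,3}(?:\.\d{1,3}){3})", first_hop)
    if claimed == CLAIMED_DOMAIN and m and not m.group(1).lower().endswith("." + CLAIMED_DOMAIN):
        findings.append(f"From claims {claimed} but first hop is {m.group(1)} [{m.group(2)}]")
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            # 2. A non-standard charset is what the reader sees as characters that do not parse.
            cs = (part.get_content_charset() or "us-ascii").lower()
            if cs not in COMMON_CHARSETS:
                findings.append(f"non-standard character set: {cs}")
            # 3. A "believed to be clean" line pasted into the body is not a scanner verdict.
            if "mailscanner" in part.get_content().lower():
                findings.append("body carries a MailScanner 'believed to be clean' disclaimer")
        fn = part.get_filename()  # 4. an OS upgrade does not arrive as a zipped attachment
        if fn and fn.lower().endswith(".zip"):
            findings.append(f"zipped attachment: {fn}")
    return findings
```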

With permission from Hack Read. Farzan Hussain. 2015. https://www.hackread.com/hackers-sending-windows-10-ransomware-email/. Date of access: 7 August 2015.