‘Windows 10 Free Upgrade’ Spam Infects PCs with CTB-Locker

Still waiting on Windows 10?

Well, just be sure that when you do upgrade, you're either using the 'Get Windows 10' app that's automatically installed on eligible PCs via Windows Update, or downloading it directly from Microsoft's website.

Cybercriminals are hoping to cash-in on users waiting for their chance to upgrade to Windows 10 by sending out spam loaded with a fake Windows 10 installer. Spoiler alert: The ‘installer’ attached to the email won’t upgrade your PC to Windows 10, but it will install CTB-Locker ransomware!

Below is an example of one of the spam emails:

Windows 10 Spam

Screenshot Credit: Cisco

From: Microsoft (update@microsoft.com)
Subject: Windows 10 Free Update

Upgrade to Windows 10 for free

Windows 10 is familiar and easy to use. It includes an improved Start menu and is designed to startup and resume fast. Plus, it's packed with new innovations including Microsoft Edge - an all-new browser. Your personal files and apps you've installed will all be waiting for you. We've designed the upgrade to be easy and compatible with the hardware and software you already use.

Don't miss out as this free offer won't last forever. Upgrade today. Follow the attached installer and get started.

"Upgrading from Windows 7 or Windows 8? You will love Windows 10!"

You received this mandatory email service announcement to update you about important changes to your Microsoft product. © 2015 Microsoft, Inc., One Microsoft Way Redmond, WA 98052-6399, USA

This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

As you can see, the spammers do their best to make the email appear authentic: they spoof the sender's address, use Microsoft's blue color scheme, and tack on a legal disclaimer and a footer claiming the message was scanned for viruses!

That footer is a total lie, of course. Recipients who open the Win10Installer.zip file attached to the email will have their files encrypted by CTB-Locker ransomware, aka Critoni (Microsoft) and Onion (Kaspersky). Cisco shared a video depicting this spam attack in action.
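As an added illustration (not code from the original post or from Cisco), here is a small Python triage function that checks a message for the traits called out above: a From address claiming microsoft.com without a passing SPF result, the Windows 10 upgrade lure in the subject, and an archive or executable attachment. The sample message, its Authentication-Results header and the short base64 payload are constructed for the example.

```python
import email
from email import policy

# Constructed sample modeled on the spam described above (not a real capture).
SAMPLE_EML = """\
From: Microsoft <update@microsoft.com>
To: victim@example.com
Subject: Windows 10 Free Update
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=microsoft.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Upgrade to Windows 10 for free. Follow the attached installer and get started.
--b1
Content-Type: application/zip; name="Win10Installer.zip"
Content-Disposition: attachment; filename="Win10Installer.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Attachment types a genuine Microsoft service notice would never carry.
RISKY_EXTENSIONS = (".zip", ".exe", ".scr", ".js")


def triage(raw: str) -> list[str]:
    """Return the list of red flags found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    sender = str(msg.get("From", "")).lower()
    auth = str(msg.get("Authentication-Results", "")).lower()
    # 1. Claims to come from microsoft.com but SPF did not pass -> spoofed.
    if "@microsoft.com" in sender and "spf=pass" not in auth:
        flags.append("spoofed-microsoft-sender")
    # 2. Lure wording used by this campaign.
    subject = str(msg.get("Subject", "")).lower()
    if "windows 10" in subject and ("free" in subject or "update" in subject):
        flags.append("win10-upgrade-lure")
    # 3. Archive/executable attachment on a supposed "Microsoft" notice.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            flags.append(f"risky-attachment:{name}")
    return flags
```

A mail gateway or SOC script would quarantine anything that raises the first and third flags together rather than relying on the "scanned for viruses" footer the spammer wrote.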

Hopefully victims of this attack have their data backed up, as that's the only way to restore their files. We don't recommend paying the ransom.

Did you get this email?

If you received an email like the one shown above, it is recommended that you:

  • Do not download or open the attached file.
  • Delete the email immediately.

It’s too late: Did you fall for this email?

If your system has been infected with CTB-Locker then it is recommended that you:

  • Scan your system using antivirus or anti-malware.
  • Restore your data from backup or possibly by using file recovery software. (Note: We do NOT recommend paying the ransom!)

Need help removing a CTB-Locker infection? We provide malware removal services in San Diego! Call us at (619) 640-6444.

Like this post? Follow us online by liking us on Facebook, following us on Twitter (@sdpcfix), or circling us on Google+.