Security Advisor

Windows 10 Update Ransomware On the Loose

Plus: Yahoo ads expose users to ransomware attack for four days.

It didn't take long for cybercriminals to take advantage of the Windows 10 release as an avenue to launch a ransomware campaign.

Late last week the Talos group, Cisco's security research team, uncovered a spam operation that is targeting users looking to upgrade to Windows 10. Fake e-mails disguising as Microsoft are being sent advertising the free upgrade to Windows 10. Once the attached zipped file is downloaded, extracted and executed, a system's files will be encrypted with CTB-Locker, a ransomware variant that operates in a unique fashion.

"The functionality is standard however, using asymmetric encryption that allows the adversaries to encrypt the user's files without having the decryption key reside on the infected system," read the Talos report.

Once the files are encrypted, users are presented with a standard ransom message, demanding payment for the encryption key. And to keep the whole transaction anonymous, payment through Bitcoin and transfer of the encryption keys through TOR occurs. The security group has released a video on exactly how this ransomware looks in an infected system.

While the Talos team hasn't given any specific numbers on how many victims may be out there, this campaign has the capability to find some success due to the staggered release of Windows 10. Those who are waiting for their number to be called have already been alerted that a message will be sent when their system is ready to update, which may lead to some dropping their guard when the malicious message is received.

"The fact that users have to virtually wait in line to receive this update, makes them even more likely to fall victim to this campaign," said Talos.

Talos recommends that users looking to avoid falling in this and similar ransomware traps routinely back up their data to an offline storage device and make sure to keep all antimalware software updated.

Ransomware Found Hidden in Yahoo Ads
Antimalware company Malwarebytes yesterday released a report that discovered attackers were hiding ransomware in Yahoo's paid ad network. Between July 28 and July 31, some ads that appeared on popular Yahoo sites, including, and, had been bought by attackers. Once clicked, the malware tried to take advantage of an Adobe bug to inject the popular CryptoWall ransomware on systems.

Due to the high traffic numbers for Yahoo sites, Malwarebytes said that the possible number of exposed victims over the four days could be in the millions. Once Yahoo was alerted, the ads were pulled and the addresses used to purchase the ad space had been blacklisted. The company also released the following statement:

"Yahoo is committed to ensuring that both our advertisers and users have a safe and reliable experience. As soon as we learned of this issue, our team took action and will continue to investigate this issue.

Unfortunately, disruptive ad behavior affects the entire tech industry. Yahoo has a long history of engagement on this issue and is committed to working with our peers to create a secure advertising experience. We'll continue to ensure the quality and safety of our ads through our automated testing and through the SafeFrame working group, which seeks to protect consumers and publishers from the potential security risks inherent in the online ad ecosystem."

Malwarebytes was quick to point out that users of its antimalware software would have been protected once the malicious ads were clicked on.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.


comments powered by Disqus

Subscribe on YouTube