Microsoft flags 800 per cent spike in crypto ransomware that demands $US1000

Encounters with the malware have risen from about 500 per day at the beginning of October to over 4000 per day on October 15

Microsoft has detected a huge spike in a relatively new member of malware that encrypts victims’ files until payment is delivered.

Microsoft has warned Windows users to take extra caution when opening suspicious email after detecting an eightfold increase since early October in the number of daily “encounters” Windows machines have had with a piece of ransomware called Win32/Crowti, or just "Crowti".

Encounters with the malware have risen from about 500 per day at the beginning of October to over 4000 per day on October 15, according to Microsoft’s telemetry data.

By encounters, Microsoft means that the computers aren’t necessarily infected, but could have been after exposure to one of the malware’s delivery methods, such as spam or a compromised website.

Most Windows computers affected by the malware are in the US, which accounted for 71 per cent of encounters, followed by Canada, France, Australia and the UK -- all below six per cent each.

The malware poses the same threat as the current kingpin of crypto-ransomware, CryptoWall, which Dell SecureWorks recently revealed had infected over 600,000 computers in the six months to August, netting its operators $US1 million through ransom demands that ranged from $US100 to $US2000.

According to Microsoft, Crowti also presents itself as CryptoWall and, like that malware, asks for payment in Bitcoin that must be made over a Tor hidden website. In June, Crowti was demanding approximately $US1000 in Bitcoin before its operators were willing to hand over the decryption key.

Microsoft notes in its writeup on Crowti that it “deletes shadow files to stop you from restoring your files from a local backup.” While victims would ideally be able to restore their computers from a complete backup, Microsoft points out that cloud storage technologies such as its own OneDrive for Business may help, because their version history features allow the user to revert to unencrypted versions of files.
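Because deleting Volume Shadow Copies is one of the few loud things crypto-ransomware does before the ransom note appears, it is a useful detection point. The following is an added example, not code from Microsoft or from the article: it runs a simple triage over constructed process-creation events and flags command lines that remove shadow copies. The page only says Crowti "deletes shadow files"; the assumption that this is done through the standard `vssadmin` or `wmic shadowcopy` commands is ours, as is the event field layout.

```python
import re

# Constructed sample process-creation events (not real telemetry). The field
# layout is our own and does not correspond to any product's log format.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"host": "ws02", "parent": "invoice_8372.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "ws03", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "ws04", "parent": "svchost.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe readme.txt"},
]

# Command-line patterns that remove Volume Shadow Copies. Assumption: the article
# says only that Crowti "deletes shadow files"; these are the usual ways to do it.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE),
]

# Parents from which an administrator might legitimately run these commands.
# Anything else launching a shadow-copy deletion is treated as high severity.
ADMIN_SHELLS = {"cmd.exe", "powershell.exe"}


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True if the command line would delete one or more shadow copies."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def triage(events):
    """Return one alert per shadow-copy deletion, with the parent process
    so an analyst can tell an admin shell from an unknown executable."""
    alerts = []
    for ev in events:
        if not is_shadow_copy_deletion(ev["cmdline"]):
            continue
        parent = ev["parent"].lower()
        severity = "medium" if parent in ADMIN_SHELLS else "high"
        alerts.append({
            "host": ev["host"],
            "severity": severity,
            "parent": ev["parent"],
            "cmdline": ev["cmdline"],
        })
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['host']}: "
              f"{alert['parent']} -> {alert['cmdline']}")
```

Note that a query such as `vssadmin list shadows` is not flagged; only deletions are. Even a deletion from an admin shell is worth an alert, because the same shell may have been spawned by the malware, so the parent process only adjusts severity rather than suppressing the event.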

Like other ransomware, Crowti is being distributed via spam campaigns with email attachments contained in .ZIP files posing as invoices or faxes, designed to dupe victims into installing the malware.
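A mail gateway can refuse the kind of attachment described above before a user ever sees it. The following is an added example, not code from the article or from any named product: it inspects a ZIP attachment in memory and quarantines it if any entry has an executable or double extension, carries a PE (`MZ`) header regardless of its name, or is password-protected and so cannot be inspected. The article does not say what the Crowti archives contained; the sample archives here are constructed for illustration.

```python
import io
import zipfile

# Extensions Windows will execute directly. Assumption for this example; a real
# gateway would maintain a longer, policy-driven list.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".wsf", ".jar",
}


def inspect_zip_attachment(data: bytes) -> dict:
    """Inspect a ZIP attachment and return entries, reasons and a verdict."""
    findings = {"entries": [], "suspicious": [], "verdict": "allow"}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Something that claims to be a ZIP but is not gets held for a human.
        findings["suspicious"].append("not a valid ZIP archive")
        findings["verdict"] = "quarantine"
        return findings

    with zf:
        for info in zf.infolist():
            name = info.filename
            findings["entries"].append(name)
            reasons = []

            # Name-based checks: executable extension and "invoice.pdf.exe" style
            # double extensions that hide the real file type.
            parts = name.lower().rsplit("/", 1)[-1].split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
                if len(parts) > 2:
                    reasons.append("double extension disguising file type")

            if info.flag_bits & 0x1:
                # Encrypted entry: content cannot be inspected, so do not trust it.
                reasons.append("password-protected entry, content not inspectable")
            elif not info.is_dir():
                # Content-based check: a PE file starts with 'MZ' whatever it is called.
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":
                        reasons.append("PE (MZ) header")

            if reasons:
                findings["suspicious"].append(f"{name}: " + ", ".join(reasons))

    if findings["suspicious"]:
        findings["verdict"] = "quarantine"
    return findings


def build_sample_zip(entries: dict) -> bytes:
    """Build a constructed ZIP attachment in memory (test data, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a disguised executable, a PE renamed to look like a scan,
# and a harmless document.
FAKE_INVOICE = build_sample_zip({"Invoice_4421.pdf.exe": b"MZ" + b"\x00" * 64})
RENAMED_PE = build_sample_zip({"fax_scan.pdf": b"MZ" + b"\x00" * 64})
BENIGN_FAX = build_sample_zip({"fax_scan.pdf": b"%PDF-1.4 constructed sample"})

if __name__ == "__main__":
    for label, blob in [("invoice", FAKE_INVOICE), ("renamed", RENAMED_PE),
                        ("benign", BENIGN_FAX)]:
        result = inspect_zip_attachment(blob)
        print(label, result["verdict"], result["suspicious"])
```

The content check matters more than the name check: renaming `payload.exe` to `fax_scan.pdf` defeats an extension filter but not the `MZ` test, while an encrypted archive defeats both, which is why an entry that cannot be read is quarantined rather than allowed through.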

The other method of distribution is exploit kits, which are designed to install malware on computers running outdated software when users visit a compromised website. Exploit kits mentioned by Microsoft include Nuclear, RIG, and RedKit V2. The exploits target flaws that Adobe and Oracle have already patched, highlighting the importance of running up-to-date software.

Microsoft offered the following advice to minimise the impact of ransomware in the event a system is compromised:

“As well as being aware of suspicious emails and backing up your files, you should also keep your security products and other applications up-to-date. Attackers are taking advantage of unpatched vulnerabilities in software to compromise your machine. Most of the exploits used by Crowti target vulnerabilities found in browser plugin applications such as Java and Flash. Making a habit of regularly updating your software can help reduce the risk of infection.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.
