Microsoft has detected a huge spike in a relatively new member of malware that encrypts victims’ files until payment is delivered.
Microsoft has warned Windows users to take extra caution when opening suspicious email after detecting an eight fold increase since early October in the number of daily “encounters” Windows have had with a piece of ransomware called Win32/Crowti or just "Crowti".
Encounters with the malware have risen from about 500 per day at the beginning of October to over 4000 per day on October 15, according to Microsoft’s telemetry data.
By encounters, Microsoft means that computers aren’t necessarily infected but could have been after exposure through methods to deliver the malware, such as spam of a compromised website.
Most Windows computers affected by the malware are in the US, which accounted for 71 per cent of encounters, followed by Canada, France, Australia and the UK -- all below six per cent each.
The malware poses the same threat as the current kingpin of crypto-ransomware, CryptoWall, which Dell SecureWorks recently revealed had infected over 600,000 computers in the six months to August, netting its operators $US1 million through ransom demands that ranged $US100 to $US2000.
According to Microsoft, Crowti also presents itself as CryptoWall and like that malware, asks for payment in Bitcoin that needs to be made over a Tor encrypted hidden website. In June, Crowti was demanding approximately $US1000 in Bitcoin before its operators are willing to hand over the decryption key.
Microsoft notes in its writeup on Crowti that it “deletes shadow files to stop you from restoring your files from a local backup.” While victims ideally would be able to restore their computers off a complete backup, Microsoft points out that cloud storage technologies such as its own OneDrive for Business may help due to version history features that allow the user revert to unencrypted versions of files.
Like other ransomware, Crowti is being distributed via spam campaigns with email attachments contained in .ZIP files posing as invoices or faxes, designed to dupe victims into installing the malware.
The other method of distribution are exploit kits that are designed to install malware on computers running outdated software when users visit a compromised website. Exploit kits mentioned by Microsoft include Nuclear, RIG, and RedKit V2. The exploits are for flaws that Adobe and Oracle have already patched, highlighting the importance of running up to date software.
Microsoft offered the following advice to minimise the impact of ransomware in the event a system is compromised:
“As well as being aware of suspicious emails and backing up your files, you should also keep your security products and other applications up-to-date. Attackers are taking advantage of unpatched vulnerabilities in software to compromise your machine. Most of the exploits used by Crowti target vulnerabilities found in browser plugin applications such as Java and Flash. Making a habit of regularly updating your software can help reduce the risk of infection.”
This article is brought to you by Enex TestLab, content directors for CSO Australia.