Fake Windows 10 update leading to ransomware attack

Priority Level: 
4 August 2015

Ransomware disguised as an installer of the new Microsoft Windows 10 operating system is encrypting Australian user and business computers.

The ransomware arrives in an email that claims to be from Microsoft and offers a free upgrade to Windows 10. The email has a zip file attachment, which contains a program labelled as the Windows 10 installer. However, if you run this program, it will encrypt any important files on your computer, including Word documents and photos.

If you receive an email offering a free upgrade to Windows 10, we advise that you delete the email and do not open it or any attachments.

Windows users interested in upgrading their computer can register via Microsoft’s official website. Windows 10 updates will then be facilitated by a program on your computer, not via an email offer.

Security researchers at Cisco have published detailed technical information on the attack on their blog, along with a video showing the consequences of running the ransomware program. Please note this video was recorded in a very carefully controlled environment, created and operated by security experts. We advise that you do not run the ransomware program under any circumstances.

Business users should check upgrades with their IT departments, and not attempt to perform such activities themselves.

Businesses are also advised to be vigilant in protecting their existing computer systems and in ensuring that their critical data is backed up in case an attack does occur. Encrypted data could then be recovered from backup copies.

Stay Smart Online has provided alerts about a number of ransomware attacks in the past, including the Cryptowall 3.0 attack in June 2015.

The current Windows 10 attack does not use exploits, and relies instead on the user being deceived into running the malware.

While there have been reports that files are recovered if the ransom is paid, this does not protect your computer against further attacks. This makes it possible for the attacker to simply encrypt your files again. For this reason, we do not recommend that you pay the ransom, and instead seek immediate technical advice.

Staying Safe

To protect yourself and your business from this attack, be cautious when clicking any link to free software or other offers.

If your computer is compromised, seek immediate technical advice to remove the ransomware from all infected computers and recover the files from backup.

If your computer has been compromised, you can report the incident to the Australian Cybercrime Online Reporting Network (ACORN).

ACORN provides information on how to recognise and avoid common forms of cybercrime, such as hacking, online scams, online fraud, identity theft, attacks on computer systems and illegal or prohibited content, as well as offering advice to those who have fallen victim.

ACORN makes it easier and more convenient to report cybercrime to a law enforcement agency.

More information

Stay Smart Online has information on protecting yourself from malware that is spread via spam, and how to set automatic updates on your computer. Our previous alert on Cryptowall contains more general information on protecting yourself from other ransomware attacks.

The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.