The Microsoft Malware Protection Center (MMPC) has seen a spike in number of detections for threats in the Win32/Crowti ransomware this month as the result of new malware campaigns. Crowti is a family of ransomware that when encountered will attempt to encrypt the files on your PC, and then ask for payment to unlock them. These threats are being distributed through spam email campaigns and exploits.
Crowti impacts both enterprise and home users, however, this type of threat can be particularly damaging in enterprise environments. In most cases, ransomware such as Crowti can encrypt files and leave them inaccessible. That’s why it’s important to back up files on a regular basis. Cloud storage technologies such as OneDrive for Business can help with features such as built-in version history that helps you revert back to an unencrypted version of your files.
We also recommend you increase awareness about the dangers of opening suspicious emails – this includes not opening email attachments or links from untrusted sources. Attackers will usually try to imitate regular business transaction emails such as fax, voice mails, or receipts. If you receive an email that you’re not expecting, it’s best to ignore it. Try to validate the source of the email first before clicking on a link or opening the attachment. There is more advice to help prevent an infection from ransomware and other threats at the end of this blog.
The graph below shows how Crowti ransomware has impacted our customer during the past month.
Figure 1: Daily encounter data for Win32/Crowti ransomware
Computers in the United States have been most affected with 71 percent of total infections, followed by Canada, France and Australia.
Figure 2: Telemetry data for Win32/Crowti by country, 21 September – 21 October 2014
Infection and installation
Crowti is being distributed via spam campaigns with email attachments designed to entice the receiver to open them. We have seen the following attachment names:
- VOICE<random numbers>.scr
- IncomingFax<random numbers>.exe
- fax<random numbers>.scr/exe
- fax-id<random numbers>.exe/scr
- info_<random numbers>.pdf.exe
- document-<random numbers>.scr/exe
- Complaint_IRS_id-<random numbers>.scr/exe
- Invoice<random numbers>.scr/exe
The attachment is usually contained within a zip archive. Opening and running this file will launch the malware. An example of spam email messages is shown below:
Figure 3: Email spam message with Win32/Crowti as an attachment
Our telemetry and research shows that Win32/Crowti is also distributed via exploits kits such as Nuclear, RIG, and RedKit V2. These kits can deliver different exploits, including those that exploit Java and Flash vulnerabilities. Some of the exploits used to distribute Crowti are:
Figure 4 shows a typical infection chain:
Figure 4: Crowti infection chain
Crowti's primary payload is to encrypt the files on your PC. It usually brands itself with the name CryptoDefense or CryptoWall. Below is a sample message shown once your files are encrypted.
Figure 5: Crowti encryption message
The links in the above message direct you to a Tor webpage asking for payment using Bitcoin.
Figure 6: Crowti payment request
On September 29, 2014 we saw a Crowti sample distributed with a valid digital certificate which was issued to Trend, as shown below. This is not associated with Trend Micro and the certificate has since been revoked. Crowti has used digital certificates to bypass detection systems before - we have previously seen it using a certificate issued to The Nielsen Company.
Figure 7: Crowti digital certificate
Protecting your PC
There is no guarantee that paying a ransom will give you access to your files or restore your PC to its pre-infection state. We do not recommend paying the ransom.
There are a number of security precautions that can help prevent these attacks in both enterprise and consumer machines. As well as being aware of suspicious emails and backing up your files, you should also keep your security products and other applications up-to-date. Attackers are taking advantage of unpatched vulnerabilities in software to compromise your machine. Most of the exploits used by Crowti target vulnerabilities found in browser plugin applications such as Java and Flash. Making a habit of regularly updating your software can help reduce the risk of infection.
We also encourage you to join our Microsoft Active Protection Service Community (MAPS). We use the data we gather from MAPS to create better detections, and to respond as fast as we can. This feature is enabled by default for Microsoft Security Essentials and Windows Defender for Windows 8.1. You can check if MAPS feature is enabled in your Microsoft security product by selecting the Settings tab and then MAPS:
Figure 8: With the MAPS option enabled Microsoft anti-malware security product can take full advantage of Microsoft’s cloud protection service
As always, we also recommend running a real-time security product such as Microsoft Security Essentials or another trusted security software product. You can read more about Win32/Crowti and ransomware in general on the Microsoft Malware Protection Center website.