The dangers of opening suspicious emails: Crowti ransomware

The Microsoft Malware Protection Center (MMPC) has seen a spike in the number of detections for threats in the Win32/Crowti ransomware family this month as the result of new malware campaigns. Crowti is a family of ransomware that, when encountered, will attempt to encrypt the files on your PC and then ask for payment to unlock them. These threats are being distributed through spam email campaigns and exploits.

Crowti impacts both enterprise and home users; however, this type of threat can be particularly damaging in enterprise environments. In most cases, ransomware such as Crowti can encrypt files and leave them inaccessible. That’s why it’s important to back up files on a regular basis. Cloud storage technologies such as OneDrive for Business can help with features such as built-in version history, which lets you revert to an unencrypted version of your files.

We also recommend you increase awareness about the dangers of opening suspicious emails – this includes not opening email attachments or links from untrusted sources. Attackers will usually try to imitate regular business transaction emails such as fax, voice mails, or receipts. If you receive an email that you’re not expecting, it’s best to ignore it. Try to validate the source of the email first before clicking on a link or opening the attachment. There is more advice to help prevent an infection from ransomware and other threats at the end of this blog.  

The graph below shows how Crowti ransomware has impacted our customers during the past month.

Figure 1: Daily encounter data for Win32/Crowti ransomware

Computers in the United States have been most affected with 71 percent of total infections, followed by Canada, France and Australia. 

Figure 2:  Telemetry data for Win32/Crowti by country, 21 September – 21 October 2014

Infection and installation

Crowti is being distributed via spam campaigns with email attachments designed to entice the receiver to open them. We have seen the following attachment names:

  • VOICE<random numbers>.scr
  • IncomingFax<random numbers>.exe
  • fax<random numbers>.scr/exe
  • fax-id<random numbers>.exe/scr
  • info_<random numbers>.pdf.exe
  • document-<random numbers>.scr/exe
  • Complaint_IRS_id-<random numbers>.scr/exe
  • Invoice<random numbers>.scr/exe

The attachment is usually contained within a zip archive. Opening and running this file will launch the malware. An example spam email message is shown below:

Figure 3: Email spam message with Win32/Crowti as an attachment
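
A mail-gateway style check for the attachment names listed above, as an added example that is not part of the original post. The function names are hypothetical, "<random numbers>" is assumed to mean one or more digits, and the sample archive is constructed with harmless placeholder bytes.

```python
import io
import re
import zipfile

# Name patterns transcribed from the attachment list above; "<random numbers>"
# is modelled as one or more digits (an assumption about the exact format).
CROWTI_NAME_PATTERNS = [
    r"VOICE\d+\.scr", r"IncomingFax\d+\.exe",
    r"fax\d+\.(scr|exe)", r"fax-id\d+\.(exe|scr)",
    r"info_\d+\.pdf\.exe", r"document-\d+\.(scr|exe)",
    r"Complaint_IRS_id-\d+\.(scr|exe)", r"Invoice\d+\.(scr|exe)",
]
NAME_RE = re.compile("|".join(f"(?:{p})" for p in CROWTI_NAME_PATTERNS), re.IGNORECASE)
# Generic rule: a document-looking extension followed by an executable one.
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|txt)\.(exe|scr)$", re.IGNORECASE)
EXECUTABLE_EXT = (".exe", ".scr")


def scan_zip_attachment(data: bytes) -> list[tuple[str, str]]:
    """Return (member_name, reason) for each suspicious entry in a zip attachment."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "unreadable-zip")]
    with archive:
        for info in archive.infolist():
            # Match on the base name only; skip directory entries.
            name = info.filename.replace("\\", "/").rsplit("/", 1)[-1]
            if not name:
                continue
            if NAME_RE.fullmatch(name):
                findings.append((info.filename, "crowti-name-pattern"))
            elif DOUBLE_EXT_RE.search(name):
                findings.append((info.filename, "double-extension"))
            elif name.lower().endswith(EXECUTABLE_EXT):
                findings.append((info.filename, "executable-in-zip"))
    return findings


def build_sample_zip(names):
    """Constructed test input: a zip whose members hold placeholder bytes only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n in names:
            z.writestr(n, b"placeholder")
    return buf.getvalue()
```

The name patterns only catch this campaign's naming; the two generic rules (double extension, any executable inside a zip) are the ones that keep working when the names change.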

Our telemetry and research show that Win32/Crowti is also distributed via exploit kits such as Nuclear, RIG, and RedKit V2. These kits can deliver different exploits, including those that exploit Java and Flash vulnerabilities. Some of the exploits used to distribute Crowti are:

In the past, we have also seen Win32/Crowti being installed by other malware, such as Upatre, Zbot, and Zemot.

Figure 4 shows a typical infection chain:

Figure 4: Crowti infection chain

File encryption

Crowti’s primary payload is to encrypt the files on your PC. It usually brands itself with the name CryptoDefense or CryptoWall. Below is a sample message shown once your files are encrypted.

Figure 5: Crowti encryption message

The links in the above message direct you to a Tor webpage asking for payment using Bitcoin.

Figure 6: Crowti payment request

On September 29, 2014 we saw a Crowti sample distributed with a valid digital certificate which was issued to Trend, as shown below. This is not associated with Trend Micro and the certificate has since been revoked. Crowti has used digital certificates to bypass detection systems before – we have previously seen it using a certificate issued to The Nielsen Company.

Figure 7: Crowti digital certificate

Protecting your PC

There is no guarantee that paying a ransom will give you access to your files or restore your PC to its pre-infection state. We do not recommend paying the ransom.

There are a number of security precautions that can help prevent these attacks in both enterprise and consumer machines. As well as being aware of suspicious emails and backing up your files, you should also keep your security products and other applications up-to-date. Attackers are taking advantage of unpatched vulnerabilities in software to compromise your machine. Most of the exploits used by Crowti target vulnerabilities found in browser plugin applications such as Java and Flash. Making a habit of regularly updating your software can help reduce the risk of infection.

We also encourage you to join our Microsoft Active Protection Service Community (MAPS). We use the data we gather from MAPS to create better detections, and to respond as fast as we can. This feature is enabled by default for Microsoft Security Essentials and Windows Defender for Windows 8.1. You can check if the MAPS feature is enabled in your Microsoft security product by selecting the Settings tab and then MAPS:

Figure 8: With the MAPS option enabled, your Microsoft anti-malware security product can take full advantage of Microsoft’s cloud protection service

As always, we also recommend running a real-time security product such as Microsoft Security Essentials or another trusted security software product. You can read more about Win32/Crowti and ransomware in general on the Microsoft Malware Protection Center website.   


Comments (9)

  1. Vincent Rogiest says:

    I can't believe I'm the only one again leaving a comment.

  2. adwbust says:

    Yes it's enabled by default…and only in Basic membership! Change that to Advanced. You can keep it in Basic but please during MSE or Windows 8 and above installation, ask user to switch/choose Advanced! Tell them the perks of choosing Advanced. 😀

  3. steffy says:

    I just met this problem, it tricks me through an email that told me that I received a fax:( can anybody help me to recover my documents/pictures?

  4. adwbust says:

    MSE should employ a data shield of sorts similar to the one Panda cloud free previously had. Also, improve MSE's proactive detection (fuzzy cloud, on-run behavior) against the dropper and payload (encoder)! If you prefer to keep MSE "traditional" then I suggest that Smartscreen file reputation (origin, popularity) check be integrated with Windows' PE file execution prompt! Don't limit file reputation checks in IE 10/11 and its downloads. Can't MSE block encode behavior by a process that's not whitelisted by user?

    The recent Dennis Labs test used a sample set with majority of cryptowall and MSE is again the bottom loser of the batch tested. 🙁

  5. adwbust says:

    Create behavior signature to detect and report a process that searches targeted paths and file types, encodes them, deletes shadow copies and disables targeted Windows services and components. But the issue here is not cure but prevention! If only MSE detected the dropper and payload and prevented access to targeted paths, file types and shadow copies for encoding/deletion! Or if only Smartscreen file reputation was integrated with Windows (not IE) and it stopped the file from being executed by user! Windows should also prevent disabling of its services and components by unprivileged process in first place! MMPC and Windows 10 devs are you listening?!

  6. adwbust says:

    Hey Windows 10 devs, maybe you can bundle Onedrive with Windows 10 and during Windows installation setup, ask user to set backup interval ~ recommended is weekly. Set My Documents path and allow user to add custom paths or file types for backup upload. We shouldn't let the bad guys be a step ahead. We're more creative and ingenious than they are!!!

  7. Marta says:

    Is this true?

    Microsoft Account

    Dear Hotmail Customer,

    It has come to our notice that your account is not yet upgraded after several notice of verification you are yet to upgrade your account.
    Kindly be informed that we'll not be held responsible for your account deactivation once you fail to upgrade your account after this Final Warning. To remove your account from our deactivation list kindly click Upgrade now below

    To upgrade click: Upgrade Now

    Click Here To Unblock Or Move This Message Inbox And Click Here

    YOU CLICK AT Outlook Windows Connector ADDRESS.

    Thanks for using Outlook!
    The Microsoft account team
    Copyright © 2014 Microsoft.

  8. adwbust says:

    I guess if that is legit, you should see an entry on the official Outlook team technet blog? Always check official blogs or social accounts for announcements. Flag that as spam!

  9. ENGİN KORKMAZ says:

    How do I resolve the virus with the vvv extension?