In our ongoing effort to provide malware protection, we are adding the following detections to the Microsoft Malicious Software Removal Tool (MSRT) this month:
Crowti, a file-encryption threat, is one of the most prevalent ransomware families. We have recently seen it sent as a spam email attachment in formats similar to those shown below:
Figure 1: Email spam samples delivering Crowti as an attachment
As well as using spam emails as the entry point or infection vector, Crowti can also be downloaded by exploit kits (for example, Axpergle, popularly known as the Angler exploit kit) and bundled with other malware (for example, Win32/Fareit and Win32/Fleercivet).
Figures 2 and 3 show the prevalence and location of Crowti malware infections during the past two months:
Figure 2: Crowti unique machine infections
Figure 3: Top countries affected by Crowti
MSRT cleanup for Crowti will remove executable files and registry entries related to the malware. It will also restore the default system settings. There is more information about the Crowti malware family at the following links:
As we mentioned in our previous blog, The dangers of opening suspicious emails: Crowti ransomware, there are no guarantees that paying the ransom will give you access to your files or restore your PC to its pre-infection state. Paying the ransom is not encouraged. If your PC is already infected, you might be able to recover your files.
You can take these security precautions to help prevent ransomware attacks in both consumer and enterprise machines:
- Be aware of the dangers in opening suspicious emails. Do not open email attachments or links from untrusted sources.
- Perform regular offline backups.
- Keep Microsoft Windows and your Microsoft security software up-to-date.
- Keep your applications up-to-date. Attackers take advantage of unpatched vulnerabilities in software to compromise your machine. Crowti can be installed by the Axpergle exploit kit (aka Angler), which targets vulnerabilities in browsers and third-party browser plugins. Making a habit of regularly updating your software can help reduce the risk of infection.
- Follow the appropriate Exchange Online Protection instructions to suit your business needs.
- Learn how Office 365 can help you block spam using machine learning. See First look at Advanced Threat Protection: new tools to stop unknown malware & phishing attacks for details.
- Submit spam and non-spam messages to Microsoft for analysis.
- Keep your Microsoft Active Protection Service (MAPS) enabled. Customers using MAPS can take advantage of Microsoft's cloud protection and are protected from the latest threats. We use the data we gather from MAPS to create better detections and to respond faster. MAPS is enabled by default for Microsoft Security Essentials and Windows Defender on Windows 8.1.
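Two of the precautions above, keeping definitions current and keeping MAPS enabled, can be verified from a shell. The following PowerShell function is an added example, not part of the original post or of Microsoft's tooling; it uses the standard Defender module cmdlets Get-MpPreference, Get-MpComputerStatus, Set-MpPreference and Update-MpSignature (available on Windows 8.1 and later). The function name, the three-day staleness threshold and the -Remediate switch are assumptions made for this example.

```powershell
# Added example: audit the MAPS and definition-freshness settings recommended above.
# Cmdlets come from the built-in Defender module. The 3-day threshold and the
# -Remediate switch are choices made for this example, not guidance from the post.
function Test-RansomwareBaseline {
    [CmdletBinding()]
    param(
        [int]$MaxSignatureAgeDays = 3,
        [switch]$Remediate
    )

    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced
    $mapsEnabled = $pref.MAPSReporting -ne 0
    $sigAgeDays  = $status.AntivirusSignatureAge
    $sigFresh    = $sigAgeDays -le $MaxSignatureAgeDays
    $realtimeOn  = $status.RealTimeProtectionEnabled

    $findings = @()
    if (-not $mapsEnabled) { $findings += 'MAPS (cloud protection) reporting is disabled.' }
    if (-not $sigFresh)    { $findings += "Antimalware definitions are $sigAgeDays days old." }
    if (-not $realtimeOn)  { $findings += 'Real-time protection is disabled.' }

    if ($Remediate -and -not $mapsEnabled) {
        # Re-enable MAPS; Advanced membership shares more detail with Microsoft than Basic.
        Set-MpPreference -MAPSReporting Advanced
        $findings += 'Remediation: MAPSReporting set to Advanced.'
    }
    if ($Remediate -and -not $sigFresh) {
        # Pull the latest definitions now rather than waiting for the scheduled update.
        Update-MpSignature
        $findings += 'Remediation: definition update requested.'
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        MapsEnabled        = $mapsEnabled
        SignatureAgeDays   = $sigAgeDays
        RealTimeProtection = $realtimeOn
        Compliant          = ($mapsEnabled -and $sigFresh -and $realtimeOn)
        Findings           = $findings
    }
}

# Usage (an elevated prompt is required for -Remediate):
# Test-RansomwareBaseline
# Test-RansomwareBaseline -Remediate | Format-List
```

The function reports rather than throws, so it can be run across a fleet (for example via Invoke-Command) and the Compliant and Findings fields filtered centrally; the remediation steps are opt-in so a read-only audit never changes a machine.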