
Don’t click on that Windows 10 update email


Malware writers take advantage of expectant Windows users by holding PCs to ransom

Malware writers are exploiting people’s eagerness to get hold of Windows 10. A new attack that purports to offer an upgrade to the new operating system actually encrypts all of the files on a user’s PC, forcing the owner to pay a ransom to unlock them. 

Microsoft is in the process of rolling out Windows 10, which is being delivered on a staggered basis to prevent Microsoft’s servers being dragged down under the weight of traffic. The ransomware writers are taking advantage of this situation by sending out emails purporting to come from Microsoft, inviting users to click to upgrade. 

The attached payload is not the operating system but a Zip file, which encrypts all the personal data on the user’s PC and gives them 96 hours to pay a ransom to retrieve the files. “Whether it is via spam messages or exploit kits, adversaries are dropping a huge amount of different variants of ransomware,” explains a blog from Cisco’s security research group, Talos, which discovered the attack. “The functionality is standard however, using asymmetric encryption that allows the adversaries to encrypt the user’s files without having the decryption key reside on the infected system. Also, by utilising Tor and Bitcoin they are able to remain anonymous and quickly profit from their malware campaigns with minimal risk.”

The attackers spoof their email address so that it appears to come from “”. However, there are some telltale signs that the email is not genuine. Apostrophes are displayed incorrectly, for example, suggesting the attackers are using a non-standard character set to construct the emails (embedded below). 

The official upgrade arrives via Windows Update, and not via email. Users will receive a notification when Windows 10 has been downloaded and is ready to install. 
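Mail administrators can check for these warning signs automatically. The following Python is an added example, not code from Talos or Microsoft: the sample message, its addresses and its file name are constructed placeholders, and it assumes the garbled apostrophes come from UTF-8 text displayed under a Latin-1 or Windows-1252 character set.

```python
import email
from email import policy

# Constructed sample, not the real lure: addresses, filename and wording are placeholders.
SAMPLE = (
    "From: Microsoft <update@sender.example>\r\n"
    "Subject: Windows 10 Free Update\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n"
    "--b1\r\n"
    "Content-Type: text/plain; charset=iso-8859-1\r\n"
    "Content-Transfer-Encoding: quoted-printable\r\n"
    "\r\n"
    "Don=E2=80=99t wait, install the attached upgrade today.\r\n"
    "--b1\r\n"
    "Content-Type: application/zip\r\n"
    'Content-Disposition: attachment; filename="placeholder.zip"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    "UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==\r\n"  # empty archive, constructed
    "--b1--\r\n"
).encode("ascii")

# U+2019 encoded as UTF-8 but rendered as Latin-1 or Windows-1252 (assumed cause).
MOJIBAKE = ("\u00e2\u0080\u0099", "\u00e2\u20ac\u2122")

def triage(raw: bytes) -> list:
    """Return the warning signs from the article found in one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text, zipped = str(msg.get("Subject", "")), False
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "application/zip" or name.endswith(".zip"):
            zipped = True
        elif part.get_content_maintype() == "text" and not part.is_attachment():
            text += "\n" + part.get_content()
    findings, lowered = [], text.lower()
    if "windows 10" in lowered and ("upgrade" in lowered or "update" in lowered):
        findings.append("windows-10-upgrade-by-email")  # real upgrade uses Windows Update
    if zipped:
        findings.append("zip-attachment")
    if any(marker in text for marker in MOJIBAKE):
        findings.append("mojibake-apostrophe")
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Any one finding is weak on its own; the combination of all three matches the campaign described here.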

People who click on the ransomware shouldn’t pay to release their files, as there’s no guarantee that the malware writers will honour their word or that they haven’t left any malicious files behind to perform a repeat attack at a later date. Users should instead rely on data backups and perform a clean installation of Windows. 
