Fake Windows 10 Update Installs “Cyborg” Ransomware

April 20, 2020

A malicious spam campaign that informs victims it contains a “critical Windows update” instead leads to the installation of Cyborg ransomware.

Fake Microsoft Windows Update emails were spammed with the following subject lines:

Install Latest Microsoft Windows Update now!
Critical Microsoft Windows Update!

This email-based threat for fake windows update is recently discovered by researchers at Trustwave.

When the mail is opened, all a user can find is a single line of body along with the fake update file. Typically, malicious emails include a longer, socially engineered message intended to lure victims into clicking malicious files. Although it’s an executable file, it carries .jpg as its extension. Spoofing the file extension of an executable file is a common trick to evade email gateways. The attached executable file further downloads another executable called bitcoingenerator.exe from a now-defunct GitHub account named misterbtc2020. The second executable contains the payload for the Cyborg Ransomware that further encrypts the files on the victim’s machine and leaves a ransom note on the desktop.

The most crucial element of the analysis is that the Cyborg ransomware creators also left a trail from the executable that led researchers to discover the malware builder hosted on the GitHub developer platform.

“The 7Zip file ‘Cyborg Builder Ransomware V 1.0.7z’ from Cyborg-Builder-Ransomware repository was uploaded two days before GitHub account misterbtc2020 hosted the Cyborg ransomware executable. It contains the ransomware builder ‘Cyborg Builder Ransomware V 1.0.exe.’

To unlock or decrypt the system files, the Cyborg ransomware demands the victim to send $500-worth of Bitcoin to a wallet address mentioned in the text file.

SpiderLabs researchers also found 3 samples of the Cyborg ransomware already existing in the database of VirusTotal. “The Cyborg Ransomware can be created and spread by anyone who gets hold of the builder,” according to the researchers. “It can be spammed using other themes and be attached in different forms to evade email gateways.”

Remediation:

All Windows users are advised not to open any such emails and only download the latest updates via the built-in Windows Update tool.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Fake Windows 10 Update Installs “Cyborg” Ransomware

Security Team

Related Posts

Chinese APT Gelsemium Targets Linux Systems with New WolfsBane Backdoor

Microsoft Launches Windows Resiliency Initiative to Boost Security and System Integrity

Chinese Hackers Exploit T-Mobile and Other U.S. Telecoms in Broader Espionage Campaign

Our Offices

Corporate Office (HO):

UK Office:

Registered Office (Delhi):

Noida Office:

Phone:

Email

Click To Download

Download CyberSRC Services & Portfolio & Datasheets

Download Case Studies

Download Company Brochure