Fake Windows 10 Update Installs “Cyborg” Ransomware

A malicious spam campaign that informs victims it contains a “critical Windows update” instead leads to the installation of Cyborg ransomware.

Fake Microsoft Windows Update emails were spammed with the following subject lines:

  • Install Latest Microsoft Windows Update now!
  • Critical Microsoft Windows Update!

This fake Windows Update email threat was recently discovered by researchers at Trustwave.

When the email is opened, the body contains only a single line of text along with the fake update attachment. Typically, malicious emails include a longer, socially engineered message intended to lure victims into clicking malicious files. Although the attachment is an executable file, it carries .jpg as its extension. Spoofing the file extension of an executable is a common trick to evade email gateways. The attached executable then downloads another executable, bitcoingenerator.exe, from a now-defunct GitHub account named misterbtc2020. The second executable contains the payload for the Cyborg ransomware, which encrypts the files on the victim’s machine and leaves a ransom note on the desktop.
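The extension-spoofing trick described above can be caught by checking an attachment's actual file signature against the extension it claims. The following is an added example, not code from the article or from Trustwave: it tests whether attachment bytes begin a Windows PE image (MZ stub, e_lfanew pointer, "PE\0\0" signature) and flags any image-named attachment that does. The sample bytes are constructed here for illustration.

```python
import os
import struct

# Extensions that should never carry a Windows PE executable.
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}


def is_pe_executable(data: bytes) -> bool:
    """True if data starts a PE image: 'MZ' stub, e_lfanew at 0x3C, then 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def looks_like_jpeg(data: bytes) -> bool:
    """JPEG files begin with the SOI marker FF D8 FF."""
    return data[:3] == b"\xff\xd8\xff"


def classify_attachment(filename: str, data: bytes) -> str:
    """Compare the claimed extension with the real file signature."""
    ext = os.path.splitext(filename.lower())[1]
    if is_pe_executable(data):
        # An executable hiding behind an image extension is the spoof in this campaign.
        return "pe-disguised-as-image" if ext in IMAGE_EXTENSIONS else "executable"
    if ext in (".jpg", ".jpeg") and not looks_like_jpeg(data):
        return "extension-mismatch"
    return "ok"


def make_fake_pe_header() -> bytes:
    """Constructed minimal PE header (not a real binary) for demonstration."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> PE signature at 0x40
    hdr += b"PE\x00\x00" + b"\x00" * 20          # PE signature + padding
    return bytes(hdr)


# Constructed samples: a spoofed "update" image and a genuine JPEG prefix.
CONSTRUCTED_PE = make_fake_pe_header()
CONSTRUCTED_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16

if __name__ == "__main__":
    print(classify_attachment("windows_update.jpg", CONSTRUCTED_PE))   # pe-disguised-as-image
    print(classify_attachment("holiday.jpg", CONSTRUCTED_JPEG))        # ok
```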

The most crucial element of the analysis is that the Cyborg ransomware creators also left a trail from the executable that led researchers to discover the malware builder hosted on the GitHub developer platform.

“The 7Zip file ‘Cyborg Builder Ransomware V 1.0.7z’ from Cyborg-Builder-Ransomware repository was uploaded two days before GitHub account misterbtc2020 hosted the Cyborg ransomware executable. It contains the ransomware builder ‘Cyborg Builder Ransomware V 1.0.exe.’”

To decrypt the system files, the Cyborg ransomware demands that the victim send $500 worth of Bitcoin to a wallet address given in the ransom note text file.

SpiderLabs researchers also found three samples of the Cyborg ransomware already present in the VirusTotal database. “The Cyborg Ransomware can be created and spread by anyone who gets hold of the builder,” according to the researchers. “It can be spammed using other themes and be attached in different forms to evade email gateways.”

Remediation:

All Windows users are advised not to open any such emails and only download the latest updates via the built-in Windows Update tool.