In November 2019, a new spam email campaign was launched, pushing the Cyborg ransomware threat. The fake email claims to originate from Microsoft and urges victims to install the latest update for Windows.
The spam email has the subject line "Critical Microsoft Windows Update!" and a body that reads, "Please install the latest critical update from Microsoft attached to this email". The poor punctuation, and the fact that the email claims to carry the update as an attachment (Microsoft does not distribute patches by email), should be the first red flags that something is wrong. The attachment itself is not an executable or a .msi installer, as a real patch would be, but a fake .jpg file.
The name of the malicious .jpg is randomized in every spam email, and the file is usually about 28 KB. It is not an image but a disguised .NET executable that delivers the Cyborg ransomware payload to the victim's system. Opening the file in a text editor reveals a .NET metadata stream named #Strings that contains a GitHub URL hosting a file named "bitcoingenerator.exe". That file was hosted on an account named "misterbtc2020", now defunct and deleted after security researchers from Trustwave investigated it. The real contents of "bitcoingenerator.exe" are the Cyborg ransomware itself.
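The mismatch described above (an image extension on a file whose bytes are a PE executable, with a .NET #Strings heap and an embedded download URL) is easy to check mechanically at the mail gateway or during triage. The following is an added example, not code from the original report or from any vendor; the sample attachment bytes, the file name and the placeholder URL are constructed for the demonstration.

```python
"""Triage an email attachment that claims to be a .jpg but may be a disguised
.NET executable. Added example code; the sample data below is constructed.

Checks performed:
  * does the content start with a JPEG magic (FF D8 FF) or a PE "MZ" header?
  * if it is a PE, does the .NET metadata heap name "#Strings" appear?
  * which URLs are embedded in the raw bytes (possible second-stage download)?
"""
import re

JPEG_MAGIC = b"\xff\xd8\xff"
PE_MAGIC = b"MZ"
URL_RE = re.compile(rb"https?://[A-Za-z0-9./_%-]+")
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif", "bmp"}


def classify_attachment(name: str, data: bytes) -> dict:
    """Return a verdict dict for an attachment given its name and raw bytes."""
    claimed_ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    is_jpeg = data.startswith(JPEG_MAGIC)
    is_pe = data.startswith(PE_MAGIC)
    has_dotnet_strings = b"#Strings" in data
    urls = [u.decode("ascii", "replace") for u in URL_RE.findall(data)]

    if claimed_ext in IMAGE_EXTS and is_pe:
        verdict = "mismatch: image extension on PE executable"
    elif is_pe:
        verdict = "executable"
    else:
        verdict = "ok"

    return {
        "name": name,
        "claimed_ext": claimed_ext,
        "is_jpeg": is_jpeg,
        "is_pe": is_pe,
        "dotnet_metadata": has_dotnet_strings,
        "urls": urls,
        "verdict": verdict,
    }


# Constructed sample: a minimal PE-looking blob carrying the ".NET #Strings"
# heap name and a placeholder download URL. It is not a real binary and the
# URL is a hypothetical placeholder, not the one from the campaign.
FAKE_ATTACHMENT = (
    b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 40
    + b"#Strings\x00"
    + b"https://example.invalid/placeholder-account/bitcoingenerator.exe\x00"
)
# Constructed sample: the first bytes of a genuine JPEG (JFIF header).
REAL_JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32

if __name__ == "__main__":
    for fname, blob in [("Update_8f3a1c.jpg", FAKE_ATTACHMENT),
                        ("photo.jpg", REAL_JPEG_HEAD)]:
        print(classify_attachment(fname, blob))
```

The check looks only at the first bytes and at raw string content, so it needs no PE parser and runs on a gateway quarantine folder; anything flagged "mismatch" should be held rather than delivered, and the extracted URLs can be fed into block lists.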
Once it executes, the ransomware encrypts its victim's files and appends the ".777" extension after each scrambled file. Affected file types include a huge number of extensions ranging from plain text documents to databases, media files, MS Office documents, archives, and PDFs. The ransom note is delivered in a file named "Cyborg_DECRYPT.txt" and contains the following text:
ALL YOUR FILES ARE ENCRYPTED BY CYBORG RANSOMWARE
Don't worry, you can return all your files!
All your files like documents, photos, databases and other important are encrypted
What guarantees do we give to you?
You can send one of your encrypted file and we decrypt it for free.
You must follow these steps To decrypt your files :
1) Send $500 bitcoin to wallet [Bitcoin wallet string]
2) write on our e-mail : marceldeneud at yandex dot com
Your personal ID: [alphanumeric string]
After encrypting all matching extension files, the ransomware also drops a copy of its executable named "bot.exe" in the root folder of the system drive.
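The three behaviours described in the last two paragraphs (a burst of files renamed with the ".777" extension, creation of "Cyborg_DECRYPT.txt", and "bot.exe" dropped in the root of the system drive) are all visible in file-activity telemetry. The following detection logic is an added example, not code from the original report or any EDR product; the CSV log format, the host names and the log lines are constructed for the demonstration.

```python
"""Detect Cyborg-style ransomware behaviour in file-activity logs.
Added example code; the CSV format and the sample log are constructed.

Log line format (constructed): ISO timestamp,host,action,path
"""
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_EXT = ".777"                     # extension appended to encrypted files
RANSOM_NOTE = "cyborg_decrypt.txt"      # ransom note file name (compared lower-case)
DROPPED_COPY = "bot.exe"                # copy of the ransomware in the drive root
BURST_THRESHOLD = 5                     # this many .777 renames ...
BURST_WINDOW = timedelta(seconds=60)    # ... within this window triggers an alert


def parse_line(line):
    ts, host, action, path = line.split(",", 3)
    return datetime.fromisoformat(ts), host, action, path.strip()


def analyse(lines):
    """Return a list of (host, finding) tuples for the given log lines."""
    findings = []
    renames = defaultdict(list)   # host -> timestamps of renames to .777
    for line in lines:
        if not line.strip():
            continue
        ts, host, action, path = parse_line(line)
        low = path.lower()
        basename = low.rsplit("\\", 1)[-1]
        if action == "rename" and low.endswith(RANSOM_EXT):
            renames[host].append(ts)
        elif action == "create" and basename == RANSOM_NOTE:
            findings.append((host, f"ransom note created: {path}"))
        elif action == "create" and basename == DROPPED_COPY and low.count("\\") == 1:
            # exactly one backslash means the file sits directly under the drive root
            findings.append((host, f"executable dropped in drive root: {path}"))

    # Sliding-window burst detection over the .777 renames per host.
    for host, stamps in renames.items():
        stamps.sort()
        j = 0
        for i, t in enumerate(stamps):
            while t - stamps[j] > BURST_WINDOW:
                j += 1
            if i - j + 1 >= BURST_THRESHOLD:
                findings.append((host, f"{i - j + 1} renames to {RANSOM_EXT} "
                                       f"within {int(BURST_WINDOW.total_seconds())}s"))
                break
    return findings


# Constructed sample log: one infected workstation (WS01) and one host with
# a single unrelated .777 rename (WS02) that must not trigger the burst rule.
SAMPLE_LOG = """\
2019-11-20T09:00:01,WS01,create,C:\\Users\\bob\\Downloads\\Update_8f3a1c.jpg
2019-11-20T09:00:05,WS01,rename,C:\\Users\\bob\\Documents\\report.docx.777
2019-11-20T09:00:06,WS01,rename,C:\\Users\\bob\\Documents\\budget.xlsx.777
2019-11-20T09:00:06,WS01,rename,C:\\Users\\bob\\Pictures\\holiday.png.777
2019-11-20T09:00:07,WS01,rename,C:\\Users\\bob\\Documents\\notes.txt.777
2019-11-20T09:00:08,WS01,rename,C:\\Users\\bob\\Documents\\thesis.pdf.777
2019-11-20T09:00:09,WS01,create,C:\\Users\\bob\\Documents\\Cyborg_DECRYPT.txt
2019-11-20T09:00:10,WS01,create,C:\\bot.exe
2019-11-20T09:30:00,WS02,rename,C:\\Users\\ann\\old.777
"""

if __name__ == "__main__":
    for host, finding in analyse(SAMPLE_LOG.splitlines()):
        print(f"[{host}] {finding}")
```

The rename burst is the earliest and most generic signal and fires before the ransom note appears; the note and the drive-root "bot.exe" are specific to this family and confirm the attribution. The threshold and window are tuning parameters, not values from the report.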
Security researchers discovered multiple Cyborg ransomware infections that used different extensions, which indicates that a builder tool for the ransomware exists. That in turn means other bad actors could build their own variants and launch new attack campaigns in the future.