We constantly receive unwanted email on a daily basis, ranging from spam and advertisements to solicitations and the like. There are also emails from companies that announce important things we need to know. A good example is a product launch or a product update.
However, there is an email campaign that has been pretending to be Microsoft. Most of the time the email has the subject line ‘Install Latest Microsoft Windows Update now!’ or ‘Critical Microsoft Windows Update!’.
Just to educate our readers, Windows updates are downloaded to your computer automatically unless you have turned off Windows Update manually. Microsoft has never released Windows updates via email or SMS.
Interestingly enough, the email contains one line saying “Please install the latest critical update from Microsoft attached to this email”. Seems urgent and critical, right? That is what they want you to think. Although the attachment looks like a jpg file, it is actually an executable file waiting to run on your computer to install the ransomware.
If you mistakenly click on the email’s attachment, the hidden executable file downloads a file named bitcoingenerator.exe from a GitHub account with the name misterbtc2020. Just like the attachment itself, this file is .NET-compiled malware known as the Cyborg ransomware.
Sad to say, once the ransomware is activated, it encrypts files and gives them the extension 777. It also leaves behind a ‘Cyborg_DECRYPT.txt’ file and a hidden ‘bot.exe’ file on the root drive of the computer.
There they found three other samples of this ransomware and discovered that a builder for it exists online. Even a Russian version is out there.
“The Cyborg Ransomware can be created and spread by anyone who gets hold of the builder. It can be spammed using other themes and be attached in different forms to evade email gateways. Attackers can craft this ransomware to use a known ransomware file extension to mislead the infected user from the identity of this ransomware.”