Windows users, beware! A fake email claiming to be from Microsoft about a Windows update is being used to infect devices with ransomware.
Security researchers at Trustwave's SpiderLabs, who spotted the malicious email campaign, found that the fake emails push recipients into installing a Windows 10 "critical update" on their computers.
The subject line reads "Install Latest Microsoft Update now!" or "Critical Microsoft Windows Update!" The body contains a single line, "Please install the latest critical update from Microsoft attached to this mail", and an attached file.
Interestingly, the attached "update" is disguised as a .jpg file, but it is not a picture: it is an executable .NET downloader. That downloader in turn fetches a second executable hosted on Microsoft-owned GitHub.
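As an added example (not code from the Trustwave post or this article), here is a defender-side triage check for the pattern described above: an update-themed subject and body, plus an attachment whose .jpg extension does not match its MZ/PE content. The sample bytes are constructed stubs, not real files.

```python
import struct
from typing import List, Tuple

# Constructed sample payloads for this example (not real malware): a JPEG
# header and a minimal MZ/PE stub that is not a runnable program.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 12
PE_STUB = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
           + b"PE\x00\x00" + b"\x00" * 20)

IMAGE_EXTS = {"jpg", "jpeg", "png", "gif", "bmp"}
SUSPECT_SUBJECTS = ("install latest microsoft update", "critical microsoft windows update")


def content_type(data: bytes) -> str:
    """Classify an attachment by its magic bytes, ignoring what the filename claims."""
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:2] == b"MZ" and len(data) >= 0x44:
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
        if data[pe_off:pe_off + 4] == b"PE\x00\x00":
            return "pe-executable"
        return "dos-executable"
    return "unknown"


def extension_of(name: str) -> str:
    """Lower-cased extension of a filename, or '' when it has none."""
    return name.lower().rsplit(".", 1)[-1] if "." in name else ""


def triage_email(subject: str, body: str, attachments: List[Tuple[str, bytes]]) -> List[str]:
    """Return the reasons a message matches the fake-update lure; an empty list means no match."""
    reasons = []
    if any(p in subject.lower() for p in SUSPECT_SUBJECTS):
        reasons.append("subject mimics a Microsoft update notice")
    low_body = body.lower()
    if "update" in low_body and "attached" in low_body:
        reasons.append("body asks the reader to install an attached update")
    for name, data in attachments:
        kind = content_type(data)
        if extension_of(name) in IMAGE_EXTS and kind.endswith("executable"):
            reasons.append(f"{name}: image extension but {kind} content")
        elif kind.endswith("executable"):
            reasons.append(f"{name}: executable attachment")
    return reasons
```

A mail gateway applying the same extension-versus-content check would catch the disguised attachment regardless of the lure's subject line.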
"The file bitcoingenerator.exe will be downloaded from misterbtc2020, a GitHub account which was active for a few days during our investigation, but is now removed," Trustwave's Diana Lopera said in a blog post.
“It is contained under its btcgenerator repository. Just like the attachment, this is .NET compiled malware, the Cyborg ransomware.”
The Cyborg ransomware, which demands bitcoin as is typical, then encrypts all the files on the victim's machine, locking their contents and renaming every file with a .777 extension. A ransom note titled "Cyborg_DECRYPT.txt" is placed on the victim's desktop, asking for US$500 in bitcoin to unlock the files.
When the researchers looked up the ransomware's original filename in VirusTotal, they found three other samples and discovered that a builder for the ransomware exists online. They also found that the Cyborg ransomware is promoted through a YouTube video linking to the builder, which was hosted on GitHub.
“The GitHub account Cyborg-Ransomware was newly created too. It contains two repositories: Cyborg-Builder-Ransomware, and Cyborg-Russian-version,” Lopera wrote.
“The first repository has the ransomware builder binaries while the second one contains a link to the Russian version of the builder hosted at another website.”
Lopera explained why the Cyborg ransomware is a real danger to businesses and individuals alike: "The Cyborg Ransomware can be created and spread by anyone who gets hold of the builder. It can be spammed using other themes and be attached in different forms to evade email gateways. Attackers can craft this ransomware to use a known ransomware file extension to mislead the infected user from the identity of this ransomware."
Although the associated GitHub account has since been removed, it is important for Windows users to remember that Microsoft never pushes patches to its operating systems via email.
Further, it is recommended that users who receive similar emails delete them right away. Also, it is advisable not to open any email attachments or links from unknown or untrusted sources.