Windows users, beware! A fake email claiming to be from Microsoft about a Windows update is being used to infect devices with ransomware.
Security researchers at Trustwave’s SpiderLabs who spotted the malicious email campaign discovered that the fake emails are pushing people into installing a Windows 10 “critical update” on their computers.
The email subject reads “Install Latest Microsoft Update now!” or “Critical Microsoft Windows Update!” The body contains a single line, “Please install the latest critical update from Microsoft attached to this mail”, plus an attached file.
Interestingly, the attached “update” is disguised as a .jpg file, but it is not a picture at all: it is an executable .NET downloader. This in turn downloads a second executable hosted on the Microsoft-owned GitHub.
“The file bitcoingenerator.exe will be downloaded from misterbtc2020, a GitHub account which was active for a few days during our investigation, but is now removed,” Trustwave’s Diana Lopera said in a blog post.
“It is contained under its btcgenerator repository. Just like the attachment, this is .NET compiled malware, the Cyborg ransomware.”
The Cyborg ransomware, a typical bitcoin-demanding strain, then encrypts all the files on the victim’s machine, locking their contents and renaming every encrypted file with a .777 extension. It also drops a ransom note titled “Cyborg_DECRYPT.txt” on the victim’s desktop, asking for US$500 in bitcoin to unlock the files.
When the researchers took the ransomware’s original filename and searched for it on VirusTotal, they found three other samples and discovered that a builder for the ransomware exists online. They further found that the Cyborg ransomware is promoted through a YouTube video linking to the builder, which was hosted on GitHub.
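A defender-side illustration of the two points above, written for this article and not taken from Trustwave’s research: the “update.jpg” attachment can be caught by checking whether a file that claims to be an image actually carries a Windows PE (MZ/PE) header, which every .NET executable has whatever its name, and a finished infection can be recognised from the .777 renames and the Cyborg_DECRYPT.txt note. The fake attachment bytes and file paths are constructed samples.

```python
import os
import re
import struct

JPEG_MAGIC = b"\xff\xd8\xff"
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def is_pe_executable(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew field
    (offset 0x3C) points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_attachment(filename: str, data: bytes) -> str:
    """Compare the claimed extension with the real content of an attachment."""
    ext = os.path.splitext(filename)[1].lower()
    if is_pe_executable(data):
        # an executable named like a picture is exactly the Cyborg lure
        return "executable-disguised-as-image" if ext in IMAGE_EXTENSIONS else "executable"
    if ext in {".jpg", ".jpeg"} and data.startswith(JPEG_MAGIC):
        return "image"
    return "unknown"


def cyborg_indicators(paths) -> dict:
    """Count Cyborg's on-disk traces: files renamed to .777 and the ransom note."""
    names = [re.split(r"[\\/]", p)[-1] for p in paths]
    return {
        "ransom_note": any(n == "Cyborg_DECRYPT.txt" for n in names),
        "encrypted_files": sum(1 for n in names if n.lower().endswith(".777")),
    }


def build_fake_pe() -> bytes:
    """Constructed sample: minimal MZ stub with e_lfanew = 0x40 and a PE signature."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


FAKE_UPDATE_JPG = build_fake_pe()          # what the "update.jpg" attachment really is
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"  # genuine JPEG header for comparison
```

A mail gateway that applies this content check rejects the lure even though its extension passes a naive image filter.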
“The GitHub account Cyborg-Ransomware was newly created too. It contains two repositories: Cyborg-Builder-Ransomware, and Cyborg-Russian-version,” Lopera wrote.
“The first repository has the ransomware builder binaries while the second one contains a link to the Russian version of the builder hosted at another website.”
Lopera explained why the Cyborg ransomware is a real danger to businesses and individuals alike by saying, “The Cyborg Ransomware can be created and spread by anyone who gets hold of the builder. It can be spammed using other themes and be attached in different forms to evade email gateways. Attackers can craft this ransomware to use a known ransomware file extension to mislead the infected user from the identity of this ransomware.”
Although the associated GitHub account has since been removed, Windows users should remember that Microsoft never delivers operating system patches by email.
Anyone who receives a similar email should delete it right away, and as a rule should not open attachments or links from unknown or untrusted sources.