Researchers at Trustwave’s SpiderLabs discovered a malicious campaign that sends urgent emails posing as Microsoft in order to infect the user’s system with the Cyborg ransomware.
Users get an email with the subject line “Install Latest Microsoft Windows Update now!” or “Critical Microsoft Windows Update!”. This is suspicious first of all because Microsoft never sends updates by email; it pushes them through its operating systems. The email body has only one line: “Please install the latest critical update from Microsoft attached to this email.” The email also carries a fake attachment with a .jpg file extension, which is not a picture, as you might believe, but an executable file.
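The lure relies on a name that says “picture” while the content says “executable”. The following added example, which is not code from Trustwave’s report or from the campaign, shows how a mail gateway or triage script can catch that disagreement by reading each attachment’s leading bytes instead of trusting its extension. The signature table, the sample message and the sender addresses are all constructed for the example; a production filter would use a full type library such as libmagic.

```python
# Added example (not code from Trustwave's report): flag e-mail attachments whose
# declared extension disagrees with the file's leading bytes, which is how the
# Cyborg lure delivered an executable under a ".jpg" name.
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Leading-byte signatures for the few types this example understands
# (a constructed, deliberately small table; real gateways use libmagic).
SIGNATURES = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "exe": b"MZ",          # Windows PE header, shared by .exe/.dll/.scr
}

# Declared extensions mapped onto the canonical kinds above.
DECLARED = {"jpg": "jpg", "jpeg": "jpg", "png": "png", "pdf": "pdf",
            "exe": "exe", "dll": "exe", "scr": "exe"}


def actual_kind(data: bytes) -> str:
    """Classify a blob by its magic bytes alone, ignoring its name."""
    for kind, sig in SIGNATURES.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def attachment_verdict(filename: str, data: bytes) -> str:
    """'disguised-executable' if a PE file hides behind another extension,
    'mismatch' for any other name/content disagreement, else 'ok'."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    declared = DECLARED.get(ext)
    kind = actual_kind(data)
    if kind == "exe" and declared != "exe":
        return "disguised-executable"
    if declared is not None and kind != "unknown" and kind != declared:
        return "mismatch"
    return "ok"


def scan_message(raw: bytes):
    """Return (filename, verdict) for every attachment in a raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_content()
        if isinstance(data, str):          # text/* parts come back decoded
            data = data.encode("utf-8", "replace")
        results.append((name, attachment_verdict(name, data)))
    return results


def sample_message() -> bytes:
    """Constructed look-alike of the lure: one-line body, fake .jpg attachment.
    The 'executable' is only an MZ header plus padding, not a real program."""
    msg = EmailMessage()
    msg["Subject"] = "Critical Microsoft Windows Update!"
    msg["From"] = "update@example.invalid"     # placeholder sender
    msg["To"] = "user@example.invalid"         # placeholder recipient
    msg.set_content("Please install the latest critical update from Microsoft "
                    "attached to this email.")
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="image", subtype="jpeg",
                       filename="update.jpg")
    msg.add_attachment(b"\xff\xd8\xff\xe0" + b"\x00" * 16, maintype="image",
                       subtype="jpeg", filename="photo.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(sample_message()):
        print(f"{name}: {verdict}")
```

Running the block prints `update.jpg: disguised-executable` and `photo.jpg: ok`. The check deliberately keys on the content’s type rather than on a blocklist of extensions, so renaming the payload to .png or .pdf would trip it just the same.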
When you open the attachment, the executable downloads another file, called “bitcoingenerator.exe”, from a GitHub account named misterbtc2020. Like the attachment, this file is .NET malware known as the Cyborg ransomware. When it runs, it encrypts all the files on your system, keeping each original filename and appending the extension .777. A ransom note with the filename “Cyborg_DECRYPT.txt” then appears on your desktop, letting you know that your computer is now compromised. The ransomware also leaves a copy of itself, called “bot.exe”, on the infected drive.
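The on-disk traces named above (the .777 suffix, the Cyborg_DECRYPT.txt note, the bot.exe and bitcoingenerator.exe binaries) are what an incident responder would sweep for on other hosts. The added example below, which is not code from the report, walks a directory tree for those filename indicators and rates the result; the sample tree it builds consists of harmless placeholder files that only mimic the naming pattern, and the severity rules are an assumption of this example.

```python
# Added example (not from Trustwave's report): sweep a directory tree for the
# filename indicators the Cyborg ransomware leaves behind, as described above:
# encrypted files with ".777" appended, the "Cyborg_DECRYPT.txt" ransom note,
# and the dropped "bot.exe" / "bitcoingenerator.exe" binaries.
import os
import tempfile

ENCRYPTED_SUFFIX = ".777"
RANSOM_NOTE = "cyborg_decrypt.txt"
DROPPED_BINARIES = {"bot.exe", "bitcoingenerator.exe"}


def scan_tree(root: str) -> dict:
    """Collect the paths of each indicator class found under root."""
    findings = {"encrypted": [], "ransom_notes": [], "dropped_binaries": []}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            low = name.lower()
            if low.endswith(ENCRYPTED_SUFFIX):
                findings["encrypted"].append(path)
            elif low == RANSOM_NOTE:
                findings["ransom_notes"].append(path)
            elif low in DROPPED_BINARIES:
                findings["dropped_binaries"].append(path)
    return findings


def classify(findings: dict) -> str:
    """Assumed severity rules: a ransom note means 'infected'; encrypted files
    or a dropped binary alone are 'suspicious'; nothing found is 'clean'."""
    if findings["ransom_notes"]:
        return "infected"
    if findings["encrypted"] or findings["dropped_binaries"]:
        return "suspicious"
    return "clean"


def build_demo_tree() -> str:
    """Constructed sample of a user profile after infection: harmless files
    that only carry the malware's naming patterns, no real malware involved."""
    root = tempfile.mkdtemp(prefix="cyborg-demo-")
    docs = os.path.join(root, "Documents")
    desktop = os.path.join(root, "Desktop")
    os.makedirs(docs)
    os.makedirs(desktop)
    sample = {
        os.path.join(docs, "budget.xlsx.777"): b"encrypted placeholder",
        os.path.join(docs, "thesis.docx.777"): b"encrypted placeholder",
        os.path.join(docs, "untouched.txt"): b"plain text",
        os.path.join(desktop, "Cyborg_DECRYPT.txt"): b"ransom note placeholder",
        os.path.join(root, "bot.exe"): b"placeholder bytes, not a program",
    }
    for path, content in sample.items():
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    found = scan_tree(build_demo_tree())
    print(classify(found), {k: len(v) for k, v in found.items()})
```

On the demo tree the scan reports `infected` with two encrypted files, one ransom note and one dropped binary. Matching is case-insensitive because Windows filesystems are, and the .777 check looks only at the suffix so the original extension underneath (.xlsx, .docx) is irrelevant to detection.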
To better understand the variants of this ransomware, the Trustwave researchers searched VirusTotal for its original filename. They found three other variants of the ransomware and discovered that a builder for it is available online. They also found the GitHub account hosting the builder’s source and another one linking to a Russian version of the builder.