Be Alert : Fake Windows Update Emails Installs Cyborg Ransomware


Recently, in November 2019 Fake Microsoft Windows Update emails were spammed with addressing the following subject lines that are:

Install the Latest Microsoft Windows Update now!
Critical Microsoft Windows Update!

As the email, mainly claim to be from Microsoft, that contains just one sentence in its email body which starts with two capital letters. Fake windows update emails direct the recipient’s attention to the attachment as the “latest critical update”.

Fake windows update emails install Cyborg ransomware was recently detected in November 2019. As it is identified as a new spam email campaign that is being launched, pushing the Cyborg ransomware threat. The fake email address claims to originate from Microsoft and urges victims to install the latest update for Windows. Though the spam email which has been detected has a subject line of “Critical Microsoft Windows Update!” and in the body of the text it is mention that reads, “Please install the latest critical update from Microsoft attached to this email”. However, one of the bad punctuation and the fact of Fake windows update emails installs Cyborg ransomware is that the email claims to carry the update file as an attachment and should be the very first red flag to alert users that something is wrong in it. The update file as an attachment itself is not an executable or a .msi installer, as might be expected from an actual patch file, but a fake .jpg file.

The .jpg is the name of the malicious file which is randomized in every spam email, and the size is usually 28kb. The file is not at all an image, but a disguised .NET executable that will deliver the Cyborg ransomware payload to the victim’s system. On opening the malicious containing .jpg file in a text editor reveals that it has a section named #Strings that contains a link to a GitHub URL hosting a file named “bitcoingenerator.exe.” The .jpg file is downloaded from an account which is named as “misterbtc2020” – now defunct and remove after security experts from TrustWave investigated it. The real contents of the “bitcoingenerator.exe” are the guts of the Cyborg ransomware.

In spite of all these facts, if once it gets executes, the ransomware encrypts its victim’s all files, data and appends the “.777” extension after each scrambled file. All the affected file types include a huge number of extensions ranging from plain text documents to databases, MS Office documents, archives, media files, and PDFs. However, the ransom note which is delivered by them is in a file named “Cyborg_DECRYPT.txt” and contains the following text:


After encrypting all matching extension files of it, the Cyborg ransomware also drops a copy of its executable named “bot.exe” in the root folder of the system drive.

Apart from all these the security researchers have discovered multiple instances of Cyborg ransomware infections with different extensions used, which means a developing tool for the ransomware must exist, which clearly means that more bad actors could build their own versions and launch new attack campaigns in the coming days and in future.

Leave a Comment

Your email address will not be published. Required fields are marked *

Skip to toolbar