Connect with us

Hi, what are you looking for?


Malware & Threats

Fake Windows Update Delivers Cyborg Ransomware

A fake Windows Update spam campaign has been dropping the Cyborg ransomware. The mail delivery mechanism claims to come from Microsoft. It directs the potential victim to an attachment described as the ‘latest critical update’.

A fake Windows Update spam campaign has been dropping the Cyborg ransomware. The mail delivery mechanism claims to come from Microsoft. It directs the potential victim to an attachment described as the ‘latest critical update’.

“The fake update attachment,” writes Trustwave (who discovered the campaign), “although having a ‘.jpg’ file extension, is an executable file. Its filename is randomized and its file size is around 28KB. This executable file is a malicious .NET downloader that will deliver another malware to the infected system.”

If the attached file is clicked, it downloads the ultimate payload from Github. The file is named bitcoingenerator.exe contained under its btcgenerator repository. That’s ironic, because the file is really the Cyborg ransomware, and the only bitcoin generated is any bitcoin paid by the victim as ransom. In the sample ransom letter shown by Trustwave, the demand is for $500 in bitcoin.

The original name for bitcoingenerator.exe is syborg1finf.exe.

Cyborg (the name is provided in the malware’s ransom note, which states ‘ALL YOUR FILES ARE ENCRYPTED BY CYBOG RANSOMWARE’) is not a well-known ransomware. In order to get more knowledge, Trustwave searched VirusTotal looking for the original filename, syborg1finf.exe, and found three other samples of Cyborg. The file extension applied to encrypted files differs between the samples found on VirusTotal and the sample found by Trustwave. 

“This is an indication that a builder for this ransomware exists,” says Trustwave. “We search the web and encountered the Youtube video about ‘Cyborg Builder Ransomware V1.0 [ Preview free version 2019 ]’. It contains a link to the Cyborg ransomware builder hosted in Github.”

Trustwave used this builder to generate a new sample ransomware, and found it very similar to the version it found in the spam campaign. “Only the overlay differs as it contains the data inputted by the builder’s user,” say the researchers. This possibly suggests that the builder has already been used by multiple individuals.

Advertisement. Scroll to continue reading.

The ransomware market is separating into two areas — those targeted against richer organizations (including the manually delivered SamSam and RobinHood variants), and those targeting consumers (often delivered by spray and pray spam campaigns). This is an example of the latter, although the spray and pray tactic could just as easily hit the inboxes of companies.

It is also an example of the growing market for malware as a service. Although there is no evidence from Trustwave that Cyborg is being distributed in this manner, nevertheless it gives anyone access to ransomware. All that is necessary for a Cyborg campaign would be access to the builder and the hire or development of spam distribution. As with all spam, the more convincing the associated email, the greater the likelihood of infecting victims.

Cyborg appears to be relatively new, with just the three samples found on VirusTotal. Simple Google searches provide little or no information on it, and there is no decryptor on the NoMoreRansom website. It could simply disappear as quickly as it has appeared, or — given the existence of a builder — it could be taken up and used extensively by spammers.

“The Cyborg Ransomware can be created and spread by anyone who gets hold of the builder,” say the researchers. “It can be spammed using other themes and be attached in different forms to evade email gateways. Attackers can craft this ransomware to use a known ransomware file extension to mislead the infected user from the identity of this ransomware.”

Related: SamSam and GandCrab Illustrate Evolution of Ransomware 

Related: Raccoon Malware-as-a-Service Gains Momentum 

Related: The Growing Threat of Targeted Ransomware 

Related: Aircraft Parts Maker ASCO Severely Hit by Ransomware 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.


Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.