Fake Windows Update Delivers Cyborg Ransomware

A fake Windows Update spam campaign has been dropping the Cyborg ransomware. The mail delivery mechanism claims to come from Microsoft. It directs the potential victim to an attachment described as the ‘latest critical update’.

“The fake update attachment,” writes Trustwave (who discovered the campaign), “although having a ‘.jpg’ file extension, is an executable file. Its filename is randomized and its file size is around 28KB. This executable file is a malicious .NET downloader that will deliver another malware to the infected system.”

If the attached file is clicked, it downloads the ultimate payload from Github. The file is named bitcoingenerator.exe contained under its btcgenerator repository. That’s ironic, because the file is really the Cyborg ransomware, and the only bitcoin generated is any bitcoin paid by the victim as ransom. In the sample ransom letter shown by Trustwave, the demand is for $500 in bitcoin.

The original name for bitcoingenerator.exe is syborg1finf.exe.

Cyborg (the name is provided in the malware’s ransom note, which states ‘ALL YOUR FILES ARE ENCRYPTED BY CYBOG RANSOMWARE’) is not a well-known ransomware. In order to get more knowledge, Trustwave searched VirusTotal looking for the original filename, syborg1finf.exe, and found three other samples of Cyborg. The file extension applied to encrypted files differs between the samples found on VirusTotal and the sample found by Trustwave. 

“This is an indication that a builder for this ransomware exists,” says Trustwave. “We search the web and encountered the Youtube video about ‘Cyborg Builder Ransomware V1.0 [ Preview free version 2019 ]’. It contains a link to the Cyborg ransomware builder hosted in Github.”

Trustwave used this builder to generate a new sample ransomware, and found it very similar to the version it found in the spam campaign. “Only the overlay differs as it contains the data inputted by the builder’s user,” say the researchers. This possibly suggests that the builder has already been used by multiple individuals.

The ransomware market is separating into two areas — those targeted against richer organizations (including the manually delivered SamSam and RobinHood variants), and those targeting consumers (often delivered by spray and pray spam campaigns). This is an example of the latter, although the spray and pray tactic could just as easily hit the inboxes of companies.

It is also an example of the growing market for malware as a service. Although there is no evidence from Trustwave that Cyborg is being distributed in this manner, nevertheless it gives anyone access to ransomware. All that is necessary for a Cyborg campaign would be access to the builder and the hire or development of spam distribution. As with all spam, the more convincing the associated email, the greater the likelihood of infecting victims.

Cyborg appears to be relatively new, with just the three samples found on VirusTotal. Simple Google searches provide little or no information on it, and there is no decryptor on the NoMoreRansom website. It could simply disappear as quickly as it has appeared, or — given the existence of a builder — it could be taken up and used extensively by spammers.

“The Cyborg Ransomware can be created and spread by anyone who gets hold of the builder,” say the researchers. “It can be spammed using other themes and be attached in different forms to evade email gateways. Attackers can craft this ransomware to use a known ransomware file extension to mislead the infected user from the identity of this ransomware.”

Related: SamSam and GandCrab Illustrate Evolution of Ransomware 

Related: Raccoon Malware-as-a-Service Gains Momentum 

Related: The Growing Threat of Targeted Ransomware 

Related: Aircraft Parts Maker ASCO Severely Hit by Ransomware