Cyborg Ransomware spreading via fake Windows update

Cyborg Ransomware is the latest Ransomware identified by researchers as targeting Windows-based systems. It is currently spreading through fake emails about a Windows update, sent with the subject line “Critical Microsoft Windows Update!”.


The email poses as one sent by Microsoft, but it is clearly fake: this is easy to spot from the improper formatting, the lack of official headers or logos, and the fact that Microsoft never sends critical updates to its users over email.

The Ransomware is embedded in the fake update attachment included in the email, which is an executable file given a .jpg extension. The file has a randomly generated name and is approximately 28KB in size. Its purpose is to deliver the actual malware to the target system, which, according to the code of the Cyborg Ransomware, is another executable file downloaded from GitHub.


How the Cyborg Ransomware Works:

As mentioned earlier, the entry point of the Cyborg Ransomware is the attachment sent in the fake Windows update email. Once the victim clicks on or opens the attachment, it downloads an executable file containing the malware from the GitHub website. The downloaded file was named bitcoingenerator.exe and was hosted on the account misterbtc2020, which has since been removed from GitHub.

Once bitcoingenerator.exe, which carries the Cyborg Ransomware, has been downloaded to the targeted system, it starts encrypting all the data files on the victim’s system and appends the extension .777 to each encrypted file. The memory dump of the Ransomware file with the list of file extensions it encrypts is given below.

[Image: memory dump of the Cyborg Ransomware showing the list of file extensions it encrypts]

Once all the data files on the target system have been encrypted, the Cyborg Ransomware leaves a ransom note in the form of a text file named Cyborg_DECRPT.txt on the desktop. The note instructs the victim to send a Ransom of $500 in bitcoin to the provided wallet and to email the provided address in order to obtain the decryption key for the encrypted files.
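The traits described above (an executable attachment carrying a .jpg extension, a burst of files renamed to .777, and the Cyborg_DECRPT.txt note on the desktop) can be checked for mechanically. The following is an added example written for this article, not code from the original post or from any researcher's report; the detection threshold and all sample attachments and file paths are constructed assumptions.

```python
import ntpath
from collections import Counter

PE_MAGIC = b"MZ"                      # header every Windows executable starts with
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
RANSOM_EXT = ".777"                   # appended to each encrypted file
RANSOM_NOTE = "cyborg_decrpt.txt"     # note dropped on the desktop (compared case-insensitively)


def attachment_is_disguised_exe(filename: str, data: bytes) -> bool:
    """True when the attachment name claims an image but the bytes are a PE file."""
    ext = ntpath.splitext(filename)[1].lower()
    return ext in IMAGE_EXTS and data.startswith(PE_MAGIC)


def rename_findings(paths, threshold: int = 10) -> dict:
    """Count .777 renames and ransom-note drops in a stream of file paths.

    threshold is an assumed tuning knob: below it a handful of .777 files is
    treated as noise; at or above it the host is flagged as mass-encrypting.
    A single ransom note always flags the host.
    """
    counts = Counter()
    for p in paths:
        name = ntpath.basename(p).lower()   # handles both \ and / separators
        if name == RANSOM_NOTE:
            counts["ransom_note"] += 1
        elif name.endswith(RANSOM_EXT):
            counts["encrypted"] += 1
    return {
        "encrypted_files": counts["encrypted"],
        "ransom_note_dropped": counts["ransom_note"] > 0,
        "flag_host": counts["ransom_note"] > 0 or counts["encrypted"] >= threshold,
    }


# Constructed sample input (not captured from a real infection):
SAMPLE_ATTACHMENTS = [
    ("kq83ha2p.jpg", b"MZ\x90\x00\x03\x00\x00\x00"),    # random name, PE bytes
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),    # genuine JPEG header
]
SAMPLE_EVENTS = [f"C:\\Users\\bob\\Documents\\report{i}.docx.777" for i in range(12)]
SAMPLE_EVENTS.append("C:\\Users\\bob\\Desktop\\Cyborg_DECRPT.txt")

if __name__ == "__main__":
    for name, head in SAMPLE_ATTACHMENTS:
        verdict = "disguised executable" if attachment_is_disguised_exe(name, head) else "looks benign"
        print(f"{name}: {verdict}")
    print(rename_findings(SAMPLE_EVENTS))
```

The attachment check belongs at the mail gateway, before the file reaches a user; the rename check suits an endpoint agent or file-server audit log, where a dozen .777 renames in quick succession is the signal to isolate the host.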

How to protect yourself:

While the most common way the Cyborg Ransomware is currently spreading across Windows systems is through a fake email prompting the targeted user to install a critical Windows update from an attachment, there are other ways it might make its way onto your system.

Anyone who obtains the Ransomware builder from the GitHub repository or by other means could build their own version of the Cyborg Ransomware and then either embed it in an attachment sent with a differently worded email, or place it behind a link and attempt to spread it through malvertising.

Either way, it is important to protect yourself from this kind of Ransomware. It is always recommended that you regularly back up all your important files and keep both a local copy and one stored in the cloud. Also, do not open attachments or emails from suspicious senders, and avoid shady websites that might be used for malvertising.

Microsoft has also released an official set of guidelines and preventive measures you can take to protect yourself against Ransomware. You can view those guidelines here.

Technology and Cybersecurity Enthusiast with a passion for writing and sharing knowledge. Podcasts occasionally and loves to keep watching the same TV series over and over again during my free time.