Fake Windows Update Cyber Ransomware Delivers

Fake Windows Update

A bogus email project Windows Update removed the Cyborg ransomware. Microsoft wants to be the mail delivery system. This guides the potential victim to a file called the’ last important update.’

“Those fake updates are a randomized file with an executable file size of about 28 Kb. This executable file is a malicious.. NET downloader which will send more malware to the infected device.” If the attached file is opened, it downloads the ultimate payload from the Github network. The directory is called bitcoingenerator.exe which is in its btcgenerator folder. This is funny, because the file is actually Cyborg ransomware, and the only bitcoin generated is a bitcoin that the victim pays as a ransom. In Trustwave’s sample ransom note, the demand is $500 in bitcoin.

The original name is syborg1finf.exe for bitcoingenerator.exe.

Cyborg is not classified as a ransomware (a name given in the ransom notice of the malware which states:’ ALL YOUR FILES ARE ENCRYPTED BY CYBOG RANSOMWARE.’). To know more, Trustwave searched VirusTotal, syborg1finf.exe, for the original filename, to find three additional Cyborg samples. The file extension for encrypted files varies between the VirusTotal samples and the Trustwave sample.

“It’s an indicator of the existence of a developer for this ransomware,” Trustwave says. “We searched the website and found the Youtube video on’ Cyborg Builder Ransomware V1.0[ View free version 2019]. It includes a link to Github’s Cyborg developers of ransomware.” Trustwave used this developer for a new sample ransomware and noticed that it looked much like the version that it used in the spam project. “Only the overlay differs since it contains the information provided by the client of the developer,” the scientists say. This suggests that the builder has already been used by several people.

The ransomware market is divided into two categories–those that are aimed at rich companies (including SamSam and RobinHood manually distributed versions) and those that target users (often sprayed or prayed spam). This is an example of the latter, although the spray and prayer techniques might just as easily reach corporate containers.

It is also an indicator of the growing malware market as a business. While Trustwave does not indicate how Cyborg is distributed in such a way, it still gives everyone access to ransomware. The access to the developer and the hire or production of spam distribution would be all that is required for a Cyborg project. As with any spam, the more convincing the message is, the more likely the recipients are to become compromised.

Cyborg appears fairly new, with only the three VirusTotal samples. Simple Google searches provide little or no data, and the NoMoreRansom website has no decrypter. It could simply disappear as soon as it appeared, or–given a builder’s life–spammers could use it extensively.

“The Cyborg Ransomware can be designed and disseminated by anyone that takes the developer,” the researchers say. “It may be spammed with other themes and attached to evading e-mail gateways in different forms. An attacker can build the ransomware to use a known ransomware file extension to deceive the infected client of the ransomware identity.”


Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.