Fake Windows update (Hidden Ransomware) 

LIFARS Cyber Incident Response Team provides customized response after Ransomware and Cyber Extortion Incident

Ransomware has become the criminal malware of choice in recent years, especially for attacks on local government systems and large user environments. A new campaign has been targeting Windows users through an unusual entry route: a spam email carrying an executable file disguised as a JPG image. Opening that file leads to the Cyborg ransomware and its variants, and Windows 10 users have been the main recipients.

How to identify the Ransomware? 

The fake Windows update installs ransomware on PCs whose users receive an email claiming to come from Microsoft. A technical person can easily identify this email as spam, but it is a real danger to non-technical users running Windows 10 for business or personal use. The emails advise the Windows 10 user to update the operating system; the action the email asks for installs ransomware instead. Researchers found that the spam messages arrive with one of two subject lines, "Install Latest Microsoft Windows Update now!" or "Critical Microsoft Windows Update!". Anyone familiar with how Microsoft works knows that Microsoft does not distribute updates through email; updates come through the Windows Update utility built into the operating system.

How does “Fake windows update with Cyborg ransomware” work? 

Researchers identified the "Cyborg ransomware", which targets Windows 10 users through an executable file sent as a spam email attachment.

These spam messages contain just one sentence, and its first word begins with two capital letters, which makes the message look even less legitimate. The message body was:

“PLease install the latest critical update from Microsoft attached to this email”. 

The campaign used two different subject lines, both of which should look suspicious to an alert user:

    Install Latest Microsoft Windows Update now!

    Critical Microsoft Windows Update!

In these emails the recipient is asked to open the attachment to download the update. The attachment has a .jpg extension, a random name and a size of about 28 KB, but it is really a .NET executable: a downloader that fetches the malware onto the system. Opening it automatically downloads another executable, "bitcoingenerated.exe", a .NET compiled malware that is the Cyborg ransomware itself.
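The practical check that defeats this disguise is to ignore the attachment's extension and look at its bytes. The following is an added example (not LIFARS, Trustwave or the campaign's own code) that parses an email, extracts each attachment and compares its declared image extension with what the content actually is: a DOS "MZ" stub whose e_lfanew field points at a valid "PE\0\0" signature, and a populated CLR runtime header directory marking the image as a .NET assembly, as the downloader described above is. The message, sender addresses, attachment names and the minimal PE bytes are constructed stand-ins, not samples from the campaign.

```python
"""Flag e-mail attachments whose image extension hides a Windows executable.

Added illustration; the sample message and the minimal PE image below are
constructed, not real campaign artifacts.
"""
import email
import email.policy
import struct
from email.message import EmailMessage

JPEG_MAGIC = b"\xff\xd8\xff"      # every JPEG starts with this SOI marker
IMAGE_EXTS = {"jpg", "jpeg"}


def is_pe(data: bytes) -> bool:
    """True if data is a PE image: 'MZ' stub, e_lfanew at 0x3c, 'PE\\0\\0' there."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def has_clr_header(data: bytes) -> bool:
    """True if data directory 14 (CLR runtime header) is populated, i.e. the
    PE is a .NET assembly rather than a native image."""
    if not is_pe(data):
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + 24                      # 4-byte signature + 20-byte COFF header
    if len(data) < opt + 2:
        return False
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                       # PE32: data directories at +96
        dd_offset = opt + 96
    elif magic == 0x20B:                     # PE32+: data directories at +112
        dd_offset = opt + 112
    else:
        return False
    clr_entry = dd_offset + 14 * 8           # entry 14, 8 bytes each (RVA, size)
    if len(data) < clr_entry + 8:
        return False
    rva, size = struct.unpack_from("<II", data, clr_entry)
    return rva != 0 and size != 0


def classify_attachment(filename: str, data: bytes) -> str:
    """Verdict for one attachment based on its bytes, not its name."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    looks_like_image = ext in IMAGE_EXTS
    if is_pe(data):
        kind = "dotnet-pe" if has_clr_header(data) else "native-pe"
        return f"{kind}-disguised-as-image" if looks_like_image else kind
    if looks_like_image:
        return "ok" if data.startswith(JPEG_MAGIC) else "unknown"
    return "unknown"


def scan_message(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename, verdict) for every attachment in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    return [
        (part.get_filename() or "", classify_attachment(part.get_filename() or "",
                                                        part.get_payload(decode=True) or b""))
        for part in msg.iter_attachments()
    ]


def fake_dotnet_pe() -> bytes:
    """Constructed minimal PE32 image with a CLR header entry; stands in for
    the ~28 KB .NET downloader and is not runnable code."""
    buf = bytearray(0x130)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)                    # e_lfanew -> 0x40
    buf[0x40:0x44] = b"PE\x00\x00"
    struct.pack_into("<H", buf, 0x40 + 24, 0x10B)              # optional header magic: PE32
    struct.pack_into("<II", buf, 0x40 + 24 + 96 + 14 * 8, 0x2008, 0x48)  # CLR dir RVA, size
    return bytes(buf)


def build_sample_message() -> bytes:
    """Constructed lure modelled on the campaign: one-line body, two attachments."""
    msg = EmailMessage()
    msg["Subject"] = "Critical Microsoft Windows Update!"
    msg["From"] = "update@example.invalid"    # constructed sender
    msg["To"] = "victim@example.invalid"
    msg.set_content("PLease install the latest critical update from Microsoft attached to this email")
    msg.add_attachment(fake_dotnet_pe(), maintype="image", subtype="jpeg", filename="a7f3k9.jpg")
    msg.add_attachment(JPEG_MAGIC + b"\xe0" + b"\x00" * 16,
                       maintype="image", subtype="jpeg", filename="holiday.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample_message()):
        print(f"{name}: {verdict}")
```

Running the block prints one verdict per attachment: the randomly named .jpg is reported as a .NET PE disguised as an image, while a file that really begins with the JPEG marker passes. The same magic-byte comparison works at a mail gateway or in a triage script over an exported mailbox; the extension is attacker-controlled and should never be the basis of the decision.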

Like other ransomware, bitcoingenerated.exe encrypts the user's files and changes their extension to its own, .777. It also leaves a copy of itself, a self-executable file called bot.exe, hidden at the root of the infected drive. Victims then find the ransom note in a file named cyborg_decrypt.txt on their desktop, demanding $500 to decrypt the files.

When the researchers searched for the ransomware's original file name, they found three more samples, confirming that the ransomware is being actively distributed. They also found a YouTube video with a link to a ransomware builder hosted on GitHub: two repositories, one holding the builder binaries and the other a Russian-language version of the builder.

“This is a very common type of phishing attack — where the attacker tries to convince the target to open a malicious attachment,” Karl Sigler, threat intelligence manager of Trustwave SpiderLabs, said in an email.  

“Windows users should understand that Microsoft will never send patches via email, but rather use their internal update utility embedded in every current Windows operating system. Users should always be wary of any unsolicited emails, especially those that present urgency to open attachments or click on links.”