Microsoft Windows users have narrowly avoided falling victim to a spam campaign that is spreading the Cyborg ransomware. The emails all have a single attachment which, they claim, is the latest security update from Microsoft.
The emails are easy to spot. They come with one of two subject lines:
- Install Latest Microsoft Windows Update now!
- Critical Microsoft Windows Update!
The email itself contains a single sentence:
PLease install the latest critical update from Microsoft attached to this email.
If the two capital letters doesn’t set alarm bells ringing how about Microsoft emailing an update? Or that the update appears to be a .jpg file? Or that the update is a mere 28KB in length?
Had the attack gone to plan, that jpg file would have been able to execute an attack on the end users computer. This would mean downloading the ransomware and encrypting all files, leaving them with the file extension of 777.
Unfortunately for the attackers, they messed it all up. The file doesn’t auto execute because they left it as just a .jpg file. That meant it couldn’t infect the users machine just by clicking on it.
The details of the attack are revealed in a blog by Diana Lopera.
What is the Cyborg ransomware?
According to Trustwave the Cyborg ransomware appears to be a new piece of malware. It is available via GitHub along with a utility to build your own version. To help wannabe cybercriminals, the creators have helpfully provided a YouTube video on how to do this.
That video talks about a preview free version 2019. Does this mean that the attackers plan to release a more potent version at a later date? That would not be unusual. Many malware factories do customised builds for customers. This allows them to vary the payload and monetise their work. It is usually a portion of the profits made from each campaign.
According to Lopera: “The Cyborg Ransomware can be created and spread by anyone who gets hold of the builder. It can be spammed using other themes and be attached in different forms to evade email gateways. Attackers can craft this ransomware to use a known ransomware file extension to mislead the infected user from the identity of this ransomware.”
Enterprise Times: What does this mean
Like a lot of spam messages and malware attacks, all the signs that this is as fake are out in the open. Using words with multiple capital letters, an attachment and the idea that a critical security update would be sent by email are all red flags.
Of more concern is the release of a builder that works. The reasons for the campaign failing range from incompetence to this being a test that leaked. It does not mean that we won’t see future campaigns that are more successful.