Trustwave researchers said yesterday that spammers are using fake Windows Update emails to spread a ransomware called Cyborg to unsuspecting victims.
The scheme couldn't have come at a better time. Microsoft released the Windows 10 November 2019 Update earlier this month, but people had to manually install it until yesterday, when it was made available automatically through the operating system's Update Assistant. Before then, it was more likely for people who heard the update was released but hadn't yet installed it to trust these malicious emails.
The spammers needed all the help they could get. They had great timing, yes, but Trustwave said their scam relied on a one-line message reading, "PLease install the latest critical update from Microsoft attached to this email." We doubt many people would normally believe that Microsoft would (a) inform them of a new Windows update via such a short email, or (b) that anyone would fail to spot the double capitals in "please" even if it did.
Trustwave said the "fake update attachment, although having a '.jpg' file extension, is an executable file," which is another strike against the spammers. Why would Microsoft deliver a Windows update via an image file? And, if it did, why would it use a randomized file name for a file that only contains around 28KB worth of data? If Windows updates were that small they wouldn't take nearly as long to install.
Anyone who viewed this fake Windows update was treated to a .NET downloader that would retrieve the Cyborg ransomware from a GitHub account that has since been deactivated. Trustwave said this ransomware would "encrypt the infected user’s files and append to their filename its own file extension, in this case, a ‘not-so-lucky’ 777." A ransom note would then appear on the victim's Windows desktop.
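The core tell in this campaign, an attachment whose bytes are a Windows executable while its name claims to be a JPEG, is exactly the kind of mismatch a mail gateway can catch without knowing the specific malware. The following is an added example, not Trustwave's code or anything from the campaign itself; the message, file names and "executable" bytes are constructed stand-ins (a bare MZ/PE header, not real code), and the magic-byte table and filename heuristics are the example's own assumptions.

```python
"""Gateway-style check: does an attachment's content match its claimed extension?"""
import os
from email.message import EmailMessage

# Leading bytes ("magic") for a few common formats (assumption: this short table).
MAGIC = {
    "pe": (b"MZ",),                  # Windows PE executable (.exe/.dll/.scr)
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF-",),
}
# Content type each claimed extension is expected to carry.
EXPECTED = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".pdf": "pdf",
            ".exe": "pe", ".dll": "pe", ".scr": "pe"}

def sniff(data: bytes) -> str:
    """Identify content by its leading bytes, ignoring the file name entirely."""
    for kind, magics in MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return "unknown"

def check_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons to flag an attachment; an empty list means no finding."""
    reasons = []
    ext = os.path.splitext(filename.lower())[1]
    actual, expected = sniff(data), EXPECTED.get(ext)
    if expected and actual != expected:
        reasons.append(f"{ext} attachment is really {actual}")
    if actual == "pe" and expected != "pe":
        reasons.append("executable disguised with a non-executable extension")
    return reasons

def scan_message(msg: EmailMessage) -> dict[str, list[str]]:
    """Run check_attachment over every attachment of a parsed message."""
    return {p.get_filename(): check_attachment(p.get_filename(), p.get_payload(decode=True))
            for p in msg.iter_attachments()}

def build_sample() -> EmailMessage:
    """Constructed message mimicking the lure: a tiny PE stub named as a .jpg."""
    msg = EmailMessage()
    msg["Subject"] = "Critical update"  # constructed subject, not the campaign's
    msg.set_content("PLease install the latest critical update from Microsoft attached to this email.")
    fake_pe = b"MZ" + bytes(62) + b"PE\0\0" + bytes(200)  # header only, no real code
    msg.add_attachment(fake_pe, maintype="image", subtype="jpeg", filename="a1b2c3d4.jpg")
    msg.add_attachment(b"\xff\xd8\xff\xe0" + bytes(16), maintype="image", subtype="jpeg",
                       filename="photo.jpg")  # a genuine-looking JPEG for contrast
    return msg
```

Running `scan_message(build_sample())` flags only the disguised executable; a real gateway would also block executables outright and log the randomized file name, but the content-versus-extension check is what defeats the ".jpg" trick regardless of what the email says.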
Here's how Trustwave summarized its findings:
"The Cyborg Ransomware can be created and spread by anyone who gets hold of the builder. It can be spammed using other themes and be attached in different forms to evade email gateways. Attackers can craft this ransomware to use a known ransomware file extension to mislead the infected user from the identity of this ransomware."
This is just the latest example of an attack that can be thwarted with just a little bit of technical literacy. To summarize: don't believe poorly presented messages purportedly sent by Microsoft that claim there's a critical Windows update available, don't open attachments from suspicious emails and don't be surprised when a 28KB file with a random name claiming to be a JPG isn't actually a new version of Windows.