In short, ransomware is malicious software that installs itself on the victim’s computer and then, either immediately or after some delay to mask its presence, begins to encrypt your files. The files stay encrypted and unusable until you pay the attackers a ransom in Bitcoin or another cryptocurrency, and sometimes the attackers will not send the decryption key even after you pay, as happened with the WannaCry ransomware. If the ransomware detects that you are trying to decrypt the files yourself, it will delete them permanently. In some countries, paying a ransom to an attacker is illegal, because it is treated as cooperating with criminals.
The creators of the Cyborg ransomware are sending fake e-mails that appear to come from Microsoft’s domain. Faking a sender’s e-mail address is really easy, and I will explain it very briefly. When you send an e-mail through a web form, you can type any address as your own. If you type the address “email@example.com”, the recipient of the message sent by the web form will see “firstname.lastname@example.org” as the sender. There are ways to easily spot an e-mail faked this way, but honestly, how many ordinary users carefully check the origin and path of every e-mail? Of course, if you are skilled in PHP, you can write a far more sophisticated script than a “one-time e-mail faking service”, whether to prank your friends or to send ransomware, as Cyborg’s creators did.
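The paragraph above says a faked sender is easy to spot if you look at the origin and path of the message. The following added example (my own illustration, not code from the original post or from Trustwave) shows the checks a mail gateway or a careful recipient performs: it compares the visible From domain with the envelope sender (Return-Path) and Reply-To, reads the receiving server’s Authentication-Results header for SPF/DKIM/DMARC verdicts, and flags a “Windows Update” lure in the subject, since Microsoft never delivers updates by e-mail. The sample message is constructed for the demo; the domains, addresses and header values in it are invented and are not real Cyborg indicators.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from typing import List

# Subject keywords used by the campaign described in the post; the comparison
# is case-insensitive and deliberately loose so wording variants still match.
UPDATE_LURE = re.compile(r"windows\s+update", re.IGNORECASE)


def domain_of(header_value) -> str:
    """Extract the lower-cased domain from an address header (empty if none)."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spoof_indicators(raw_message: str) -> List[str]:
    """Return a list of human-readable reasons the message looks spoofed.

    An empty list means none of the simple header checks fired; it does not
    prove the message is legitimate, it only means the cheap checks passed.
    """
    msg = message_from_string(raw_message, policy=default)
    findings = []

    from_dom = domain_of(msg["From"])
    ret_dom = domain_of(msg["Return-Path"])
    reply_dom = domain_of(msg["Reply-To"])

    # Envelope sender (Return-Path) is what the sending server really used;
    # a web-form or PHP mailer typically cannot make it match the faked From.
    if ret_dom and from_dom and ret_dom != from_dom:
        findings.append(f"return-path domain {ret_dom} != from domain {from_dom}")

    # Replies silently redirected to a third domain are a classic lure trait.
    if reply_dom and from_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} != from domain {from_dom}")

    # The receiving MTA records SPF/DKIM/DMARC results; anything but "pass"
    # for a domain that publishes these records is worth flagging.
    auth = str(msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        match = re.search(rf"\b{mech}=(\w+)", auth)
        if match and match.group(1) != "pass":
            findings.append(f"{mech}={match.group(1)}")

    # Update notifications are never delivered by e-mail; treat the subject
    # lure as its own indicator regardless of the header results.
    if UPDATE_LURE.search(str(msg["Subject"] or "")):
        findings.append("subject uses a Windows Update lure")

    return findings


# Constructed sample: a message that claims to come from microsoft.com but was
# relayed from an unrelated host and failed authentication at the receiver.
SAMPLE_SPOOFED = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-relay.example.net;
 dkim=none; dmarc=fail header.from=microsoft.com
From: "Microsoft Update" <update@microsoft.com>
Reply-To: support@updates-center.example.net
To: victim@example.org
Subject: Install Latest Microsoft Windows Update now!
Content-Type: text/plain

Please install the attached update.
"""

# Constructed sample: an ordinary message whose envelope and From agree and
# which passed SPF and DKIM at the receiver.
SAMPLE_CLEAN = """\
Return-Path: <alice@example.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.com; dkim=pass
From: Alice <alice@example.com>
To: bob@example.org
Subject: Lunch on Friday?
Content-Type: text/plain

Still on for Friday?
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SAMPLE_SPOOFED), ("clean", SAMPLE_CLEAN)):
        print(label, spoof_indicators(raw) or ["no indicators"])
```

Each finding is a short string so it can be logged or turned into a gateway rule score; in a real deployment the Authentication-Results header should only be trusted when it was added by your own receiving server, since an attacker can include a forged one in the original message.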
First of all, I want to say that Microsoft never sends updates, or links to updates, by e-mail. If you only use the official channels to update your Windows operating system, you are safe from this kind of attack.
The attackers use the e-mail subject “Install Latest Microsoft Windows Update now!” or “Critical Microsoft Windows Update!”. They claim that the system update is attached to the e-mail. The attachment is a file of about 28 kB with a .jpg extension (the filename is randomized), so it looks like a picture, but in reality it is an executable .NET downloader. When launched, it downloads and runs “bitcoingenerator.exe”, and this executable contains the Cyborg ransomware. Your files are then encrypted and given the .777 extension. The attackers demand a payment of 500 USD in bitcoins. Cyborg also keeps a copy of itself in the root folder of your disk.
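The attachment described above relies on the extension alone to look like a picture, while its content is a .NET executable. The added example below (my own code, not from the original post or from Trustwave) shows the content-based check a gateway or endpoint should apply instead of trusting the extension: it reads the PE headers far enough to tell a Windows executable from a JPEG, and looks at the CLR runtime data directory (entry 14 of the optional header) to tell a .NET assembly from a native one. The `build_fake_pe` helper only constructs a minimal header skeleton for the demo; it is not a working program and does not reproduce the actual Cyborg downloader.

```python
import os
import struct
from typing import Optional

JPEG_MAGIC = b"\xff\xd8\xff"
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com"}


def pe_info(data: bytes) -> Optional[dict]:
    """Return basic PE header facts, or None when the bytes are not a PE file.

    Only the fields needed for the decision are parsed: the DOS header pointer
    (e_lfanew), the "PE\\0\\0" signature, the optional-header magic, and the
    CLR runtime data directory, which is present only in .NET assemblies.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    opt = coff + 20
    if size_opt < 2 or opt + size_opt > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: directories start at offset 96
        count_off, dirs_off = 92, 96
    elif magic == 0x20B:      # PE32+: directories start at offset 112
        count_off, dirs_off = 108, 112
    else:
        return None
    is_dotnet = False
    if count_off + 4 <= size_opt:
        num_dirs = struct.unpack_from("<I", data, opt + count_off)[0]
        if num_dirs > 14 and dirs_off + 15 * 8 <= size_opt:
            clr_rva, clr_size = struct.unpack_from("<II", data, opt + dirs_off + 14 * 8)
            is_dotnet = clr_rva != 0 and clr_size != 0
    return {"magic": magic, "is_dotnet": is_dotnet}


def classify_attachment(filename: str, data: bytes) -> dict:
    """Compare what the extension claims with what the bytes actually are."""
    ext = os.path.splitext(filename.lower())[1]
    pe = pe_info(data)
    if pe is not None:
        content = "dotnet-executable" if pe["is_dotnet"] else "native-executable"
    elif data.startswith(JPEG_MAGIC):
        content = "jpeg"
    else:
        content = "unknown"
    # An executable hiding behind a non-executable extension is the red flag.
    suspicious = content.endswith("executable") and ext not in EXECUTABLE_EXTENSIONS
    return {"filename": filename, "claimed_ext": ext, "content": content,
            "suspicious": suspicious}


def build_fake_pe(dotnet: bool) -> bytes:
    """Constructed test input: a minimal PE32 header skeleton (not runnable
    code) with the CLR data directory filled in when dotnet=True."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: headers follow DOS header
    coff = bytearray(20)
    struct.pack_into("<H", coff, 16, 224)              # SizeOfOptionalHeader for PE32
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)  # CLR header RVA/size (invented)
    return bytes(dos) + b"PE\0\0" + bytes(coff) + bytes(opt)


if __name__ == "__main__":
    # Constructed samples: a disguised .NET executable, a real-looking JPEG
    # prefix, and a native executable with an honest extension.
    samples = [
        ("IMG_48213.jpg", build_fake_pe(dotnet=True)),
        ("holiday.jpg", JPEG_MAGIC + b"\xe0" + b"\0" * 64),
        ("tool.exe", build_fake_pe(dotnet=False)),
    ]
    for name, blob in samples:
        print(classify_attachment(name, blob))
```

The decision is made on header bytes, not on file size or name, so renaming the downloader or padding it to a different size (the post notes the filename is randomized) does not change the verdict; the same check can be applied to files written to disk by an endpoint agent.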
The malicious file was hosted on GitHub by the user “misterbtc2020” in his “btcgenerator” repository. The account was created recently and is currently suspended, but that does not mean the ransomware will stop spreading: the attackers only need to create another account (or use another hosting service) and update their faked e-mail with the attached malware.
Experts from Trustwave analyzed this malicious piece of software. In the file properties, the original name was set to “syborg1finf.exe”, and they searched for it in the VirusTotal database, where they were able to obtain 3 other samples of this ransomware. The file extension these Cyborg samples append to encrypted files varies across the samples found on VirusTotal, which indicates that a builder for this ransomware exists.
In the real world, this ransomware can be created and spread by anyone who gets hold of the builder. Different e-mail subjects and different e-mail formats may be used to bypass e-mail gateways. New variants may also not use the .777 extension for encrypted files, which defeats simple detection based on the extension alone.