Cybercriminals are smart and lethal. They understand the necessity to find out new disguise to spread malware and ransomware more convincingly. And the latest instance is the recent campaign for escalating cyborg ransomware, via legitimate-looking Windows update.

Trustwave unfolds process

Security experts of Trustwave have discovered the process as to how they are reaching the targets via phishing emails. According to the researchers, the phishing email befools the users through a legitimate-looking email from Microsoft, asking them to install a critical update. For convincing the potential targets, the email carries a subject line reading, 'Install Latest Microsoft Windows Update now!' or 'Critical Microsoft Windows Update!'

Don't fall for one-liner about critical update

The email has a one-liner alongside an image in its body mentioning, "Please install the latest critical update from Microsoft attached to this email". The picture, in reality, is an executable file, but masquerading with a '.jpg.' extension. Upon executing the .NET compiled executable file, it infects the victim's machine by installing the cyborg ransomware.

windows 10 pro
Microsoft

The malware executable dubbed 'bitcoin generator.exe' is already up in GitHub via an account with the name misterbtc2020. The ransomware encrypts all the files in the system with an extension, '.777., ' alongside leaving a ransom note. It also keeps a copy of itself in the victim's machines root folder. The attackers usually ask the ransom in the form of cryptocurrency, within a deadline. If the victim fails to pay within the period, the criminals typically ask double the money or delete entire data.

After paying ransom money

If the victim pays the ransom money, the attacker may (or may not) return the encryption key.
A word of caution for the uninitiated: In reality, all operating system developers send update notification directly on users desktop via pop-ups or system notification. Microsoft never sends any of its updates via emails.