If you receive an email telling you to update Windows, don't press on it.
Security researchers at Trustwave's SpiderLabs (opens in new tab) discovered a ransomware campaign spread through phishing emails that trick people into thinking they need to update their Windows PCs.
Ransomware is a nasty form of malicious software that locks down a computer until a ransom is paid. Attackers take control of a computer, typically by tricking people with phishing scams, then block access to specific data or an entire system. Recovering a system is a difficult task, and either requires a recovery specialist or for the victim to pay a ransom fee.
In this case, an email is being sent around claiming to be from Microsoft. It contains the headline "Critical Microsoft Windows Update!" and a single sentence, "Please install the latest critical update from Microsoft attached to this email."
The attachment doesn't contain any Windows update. Instead, it's a malicious .NET downloader that delivers malware to infect a system. Trustwave told BleepingComputer (opens in new tab) that the spam campaign was not targeted but was sent to recipients all around the world.
SpiderLabs discovered that the 28KB ".jpg" attachment called "b1jbl53k" will run a now-defunct executable file from Github called "bitcoingenerator.exe." This was designed to plant a malicious seed in the system that encrypted users' files then adds an eerie "777" file extension to them.
However, BleepingComputer found that the attackers seemingly made a mistake by distributing the malware as a .jpg file. So instead of executing properly and encrypting files, the malicious app simply opens a Photo viewer with the error "file appears to be damaged, corrupted, or is too large."
Trustwave doesn't know why the attackers used this file extension with the ransomware but warns that it can still be opened via the command line with Admin privileges. At that point, a ransom note called “Cyborg_DECRYPT.txt” is left on a machine.
"The Cyborg Ransomware can be created and spread by anyone who gets hold of the builder," security researcher Diana Lopera at Trustwave wrote in a blog post (opens in new tab). "It can be spammed using other themes and be attached in different forms to evade email gateways. Attackers can craft this ransomware to use a known ransomware file extension to mislead the infected user from the identity of this ransomware."
It's not clear how many users have been affected by the ransomware campaign but Trustwave found three other variants of it and a YouTube video explaining how it works. The security company even uncovered two Github repositories named "Cyborg-Builder-Ransomware" and "Cyborg-russian-version."
The Cybersecurity and Infrastructure Security Agency (CISA) lists ways (opens in new tab) of protecting yourself against these sorts of campaigns. The best practices include never clicking on links or opening attachments to unsolicited emails, backing up data regularly, and updating software and operating systems to the latest versions.
Microsoft doesn't send software updates through emails --- it uses notifications directly through Windows OS --- so be suspicious of any emails claiming to be from the company.