Security company Trustwave has recently discovered a new malicious e-mail campaign that poses as a Windows Update in order to infect devices with the Cyborg ransomware. The attack method is very typical: an e-mail is first sent to a potential target, containing a fake Windows update as an attachment. The "update" carries a JPG file extension but is actually an executable; once launched, it downloads further payloads from GitHub.
The file bitcoingenerator.exe will be downloaded from misterbtc2020, a GitHub account which was active for a few days during our investigation, but is now removed. It is contained under its btcgenerator repository. Just like the attachment, this is .NET compiled malware, the Cyborg ransomware.
After the ransomware has infected the device, the user's files are encrypted and renamed to use the "777" extension. At this point the user's files are locked, and the ransomware places a text document on the desktop to provide the victim with instructions on how to obtain the decryption key.
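As an added defensive example (not code from the Trustwave report), the following Python check flags the two artifacts the article describes: an attachment whose image extension hides a Windows PE executable, and files renamed with the "777" extension that indicate encryption has already taken place. File names and byte strings below are constructed samples; the malware's real file names are not given here.

```python
import os
import struct
from typing import Dict

# Extensions a user would expect to be harmless images; a PE header behind one is a red flag.
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
# Extension the Cyborg ransomware appends to files it has encrypted, per the article.
RANSOM_EXTENSION = ".777"


def is_pe_executable(data: bytes) -> bool:
    """True if data carries a Windows PE header: 'MZ' stub plus a 'PE\\0\\0' signature
    at the offset stored in e_lfanew (bytes 0x3C..0x3F of the DOS header)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(filename: str, data: bytes) -> str:
    """Classify a file by its last extension and its magic bytes."""
    ext = os.path.splitext(filename.lower())[1]
    if ext == RANSOM_EXTENSION:
        return "encrypted-by-ransomware"
    if ext in IMAGE_EXTENSIONS and is_pe_executable(data):
        return "disguised-executable"
    return "ok"


def scan(files: Dict[str, bytes]) -> Dict[str, str]:
    """Return only the files that need attention, mapped to their finding."""
    findings = {name: classify(name, data) for name, data in files.items()}
    return {name: verdict for name, verdict in findings.items() if verdict != "ok"}


# Constructed samples: a minimal PE-shaped blob (e_lfanew = 0x40, 'PE\0\0' at 0x40),
# a genuine JPEG header, and a document carrying the ransomware's ".777" suffix.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 8
JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"\x00" * 16
SAMPLE_FILES = {
    "windows_update.jpg": FAKE_PE,      # the lure: image extension, executable content
    "vacation.jpg": JPEG_BYTES,         # a real image, should pass
    "report.docx.777": b"\x13\x37" * 8, # already encrypted by the ransomware
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_FILES).items():
        print(f"{name}: {verdict}")
```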
Needless to say, the easiest way to protect yourself is to avoid opening suspicious e-mails and downloading their attachments. Keeping security software up to date can also help detect infected files and prevent the ransomware from taking hold on your device.