Cooper Green

Fake Windows Update Infects Windows Systems With Cyborg Ransomware


Cybersecurity experts have identified a spam campaign capable of infecting systems with Cyborg ransomware. The attack is made via a fake Microsoft email that outlines an important update for the Windows operating system.







Microsoft updates are a vital part of keeping a Windows operating system safe and secure against ransomware, which makes the technique of this recent spam campaign especially cunning. Threat researcher for Webroot, Kelvin Murray, commented that along with causing short-term damage, fake updates can undermine the overall confidence users have in updating and lead to weaker levels of security.


The cyber-criminals are currently trying to con users into downloading the Windows 10 fake update ransomware under the guise of a crucial system upgrade from Microsoft. It has been determined that the most common email subject lines for this attack are as follows:


If you have already downloaded the Windows 10 fake update attachment, the first step is to alert your IT department or the team member in charge of IT. Oftentimes, ransomware is outside the scope of an internal IT team member. It is always a good idea to seek the help or consultation of an IT Services Company. They can help you with remediation as well as offer prevention methods unique to your business.


Another proactive step you can take is to partner with a Managed IT Services company that can provide you with Patch Management as a service. Patch Management is the process of keeping your network systems and security updated. Outdated systems are more susceptible to attacks, making it critical to keep all of your systems up to date and working at peak performance.


The dangerous Windows 10 update was discovered by the security researchers at Trustwave's SpiderLabs. According to their findings, the nefarious update is designed to infect your Windows 10 machine with the Cyborg ransomware.


To break the news, an ongoing malicious campaign was found sending fake Windows Update emails to install ransomware. It is definitely interesting to see how well the story fits in. With Microsoft Patch Tuesday Updates released recently, it hardly seems suspicious to receive an alert about installing a missing update on Windows.


We advise Microsoft Windows users to be extremely cautious while opening any attachments received through emails. While it is important to keep your systems up-to-date with the latest patches, it would also be crucial to install updates from a legitimate source. Please install verified Microsoft Windows updates using SanerNow.


There are many spam campaigns that cyber criminals employ to infect computers with malware. In this case, cyber criminals send emails disguised as messages from Microsoft regarding a 'critical' or 'latest' Windows update. A .jpg file (which is actually an executable [.exe]) attached to the emails supposedly infects systems with Cyborg ransomware if opened.


A message within this spam campaign encourages recipients to install the latest critical update from Microsoft through the image (.jpg) file, which is attached to the email. At the time of research, this file did not install Cyborg ransomware even after changing its extension to that of an executable file (.exe).


Third-party 'cracking' (activation) tools that supposedly activate software free of charge should be avoided. They are illegal and often distribute malware. Installed software and operating systems should be updated through implemented functions or tools designed by official software developers. Other, third-party tools can lead to computer infections with malicious software.


The threat was first spotted at the beginning of November, but the particular Cyborg ransomware virus campaign that reportedly[1] involves the .777 file marker and those emails with Windows 10 updates was discovered in the middle of the same month. When the malware is done encoding files, it deletes itself, places a copy of the virus as a file named bot.exe in the root of the infected device, and drops a typical ransom note in a text file named Cyborg_DECRYPT.txt on the desktop and in various folders with affected data. The message is generated for victims so they know what to do next. Unfortunately, the option the malware creators suggest involves paying the ransom for the alleged decryption tool, which is not the best solution, as previous incidents show.[2]


Cyborg ransomware gets dropped when a spam campaign tricks people into script delivery by claiming that the email is sent from Microsoft officials and encouraging them to install the latest Windows 10 update. The fake update attachment is an executable file even though the filename carries a .jpg file extension. In reality, the malicious .NET file is an executable that downloads malware onto the infected system and triggers a file encryption process.


Don't fall victim to scamming campaigns: pay close attention to processes and learn to look for red flags. Targeted users in various campaigns receive emails with either a subject line about financial information or, in this case, a Windows update message.


In late 2018, Ryuk burst onto the ransomware scene with a slew of attacks on American news publications as well as North Carolina's Onslow Water and Sewer Authority. In an interesting twist, targeted systems were first infected with Emotet or TrickBot, two information-stealing Trojans now being used to deliver other forms of malware such as Ryuk. Director of Malwarebytes Labs, Adam Kujawa, speculates that Emotet and TrickBot are being used to find high-value targets. Once a system is infected and flagged as a good target for ransomware, Emotet/TrickBot re-infects the system with Ryuk.


The botnet uses fake, pirated software installer archives to download the spyware on targeted systems, with two variants identified. One version came via the Glupteba botnet, which compromised Windows and IoT devices.


10. Hidden Ransomware: Increasingly, cybercriminals send readers instructions to install urgent Windows OS updates. However, those updates include .exe files with ransomware known as Cyborg.


Bad Rabbit, a drive-by exploit, works by spreading a fake Adobe Flash installer that victims themselves install. The bad Flash installer comes from an array of websites your end users may visit. Like most ransomware, Bad Rabbit is based in part on a previous exploit, in this case sharing code with ExPetr ransomware, and may come from the same attacker.


January 2012 - The cybercrime ecosystem comes of age with Citadel, a toolkit for distributing malware and managing botnets that first surfaced in January 2012. Citadel makes it simple to produce ransomware and infect systems wholesale with pay-per-install programs allowing cybercriminals to pay a minimal fee to install their ransomware viruses on computers that are already infected by other malware. Due to the introduction of Citadel, total infections surpassed 100,000 in the first quarter of 2012.


July 2013 - Svpeng: This mobile Trojan targets Android devices. It was discovered by Kaspersky in July 2013 and originally designed to steal payment card information from Russian bank customers. In early 2014, it had evolved into ransomware, locking phones and displaying a message accusing the user of accessing child pornography. By the summer of 2014, a new version was out targeting U.S. users, using a fake FBI message and requiring a $200 payment, with variants being used in the UK, Switzerland, India and Russia. According to Jeremy Linden, a senior security product manager for Lookout, a San Francisco-based mobile security firm, 900,000 phones were infected in the first 30 days.


Late April 2016 - Scary New CryptXXX Ransomware Also Steals Your Bitcoins. Now here's a new hybrid nasty that does a multitude of nefarious things. A few months ago the 800-pound Dridex cyber gang moved into ransomware with Locky, and now their competitor Reveton follows suit and tries to muscle into the ransomware racket with an even worse criminal malware multitool. At the moment CryptXXX spreads through the Angler Exploit Kit, which infects the machine with the Bedep Trojan, which in turn drops information stealers on the machine, and now adds professional-grade encryption, appending a .crypt extension to the filename. Here is a graph created by the folks of Proofpoint which illustrates the growth of new strains in Q1, 2016:


May 2016 - Petya comes loaded with a double-barrel ransomware attack. If the initial overwriting of the master boot record does not work, they now have an installer that offers Petya and a backup "conventional" file-encrypting strain called Mischa. The Proofpoint Q1-16 threat report confirms that Ransomware and CEO Fraud dominate in 2016. A new Version 4 of DMA Locker comes out with weapons-grade encryption algorithms, and infects machines through drive-by downloads from compromised websites. In a surprising end to TeslaCrypt, the developers shut down their ransomware and released the master decryption key.


The City of Atlanta was infected with SamSam ransomware, and had a bitcoin demand of $51,000 to unlock the entire system. The infection affected several internal and customer-facing applications, such as the online systems that residents used to pay city bills or access court documents. A total of $2.6 million has been set aside for emergency recovery efforts, and that doesn't include the ransom. This strain is believed to have the ability to get access to systems and wait weeks before an attack, making it easier to strike twice. That's exactly what happened when the Colorado DOT was infected with SamSam at the beginning of the month.


Another victim of a Ryuk ransomware attack, Lake City, Florida, paid $500,000 to decrypt over 100 years' worth of city records. IT staff disconnected their systems within 10 minutes of infection; however, the malware affected almost their entire network. The county's IT Director was blamed for failing to secure the network and taking too long to recover the data, and he lost his job.

