Fake ‘Windows Update’ Installs Ransomware

Fake ‘Windows Update’ Installs Ransomware

You’ve Got Mail

An executable file disguised as a Windows Update has been dropping the new Cyborg ransomware. The delivery mechanism claims to originate from Microsoft; however, it directs the victim to an image attachment described as the ‘latest critical update’.

The email-based threat, discovered by researchers at Trustwave, is unique in various ways, unveiled in a blog post on Tuesday. One such example is that the attached file appears to be in a .jpg format, even though it executes as an .exe file.

An interesting aspect is that the emails contain a simple subject: “Install Latest Microsoft Windows Update now! Critical Microsoft Windows Update!” – but it has only a single sentence in the body, researchers stated. Typically, malicious emails include more data, socially engineered to lure the victims into clicking the malicious files.

“The fake update attachment,” writes Trustwave, “although having a ‘.jpg’ file extension, is an executable file. Its filename is randomized and its file size is around 28KB. This executable file is a malicious .NET downloader that will deliver another malware to the infected system.”

How Cyborg Ransomware Works

It’s been stated that if the attached file is clicked, it downloads the malicious payload from Github. The file is named bitcoingenerator.exe contained under its btcgenerator repository. Ironically, the file is the Cyborg ransomware and the only bitcoin generated is any cryptocurrency paid by the victim as ransom. In the sample ransom letter provided by Trustwave, the demand is for $500 in bitcoin.

The original name for the generator ‘bitcoingenerator.exe’ is ‘syborg1finf.exe’.

Trustwave then searched VirusTotal looking for the original filename, syborg1finf.exe, and found 3 separate examples of Cyborg. The supposed file extension applied to encrypted files differs between the samples found on VirusTotal and the sample found originally by Trustwave.

“This is an indication that a builder for this ransomware exists,” stated Trustwave. “We search the web and encountered the Youtube video about ‘Cyborg Builder Ransomware V1.0 ’. It contains a link to the Cyborg ransomware builder hosted in Github.”

Trustwave then used the builder to generate a new sample ransomware, finding it very similar to the version it found in the spam campaign: “Only the overlay differs as it contains the data inputted by the builder’s user.”

Ransomware on the Rise

Ransomware has clearly increased over the past years, now growing ‘fastest’, according to ZDNet. Tech security company Bitdefender analyzed Windows security threats including the dreaded ransomware, but also coin miners, fileless malware, PUAs (‘potentially unwanted applications’ that can compromise privacy or security), exploits (attacks based on unpatched or previously-unknown vulnerabilities) and banking Trojans.

In their findings, Bitdefender reports that ransomware saw the biggest year-on-year increase – a whopping 74.2%. Ransomware also (scarily) ranked first in terms of the total number of reports.

Interestingly, the number of ransomware reports actually dropped during the first half of 2019, largely because the group behind the GandCrab ransomware throttled down their operation. But since then, ransomware reports grew again as new ransomware has emerged to fill the void left by GandCrab (it’s also very possible the same group has restarted operations).

“The fall of GandCrab, which dominated the ransomware market with a share of over 50 percent, has left a power vacuum that various spinoffs are quickly filling. This fragmentation can only mean the ransomware market will become more powerful and more resilient against combined efforts by law enforcement and the cybersecurity industry to dismantle it,” the report said.

Mac Ransomware Matters

Ransomware attacks are clearly on the rise and can affect any device. ZDNet stated that all this focus on Windows means that malware writers have little time for Macs—or at least those owned by the average computer user.

“With Windows remaining a lucrative battlefront, there is little incentive for malware authors to invest time and resources to develop mass-market Mac-centric threats, focusing mostly on advanced and sophisticated threats designed for C-level executives and decision makers,” the report elaborated.

Ransomware may be scarce on macOS, but it has been “easily” targeted by ‘cryptojacking’ operations, attacks using known vulnerabilities, and ‘potentially unwanted applications’.

Recent Ransomware Strikes

Hundreds of veterinary locations (National Veterinary Associates) were hit with the Ryuk ransomware. Earlier this month, the state of Louisiana revealed that multiple state servers were targeted and compromised, and back in August, 23 local governments in Texas were hit with ransomware in one single incident.

Organizations are not adhering to current standards to prevent these types of malicious attacks. Syxsense Manage and Syxsense Secure can easily resolve vulnerabilities across an entire environment. A combination of strict security standards and proper offline backups, paired with a secure systems management and security solution, will ensure that organizations are not affected by rising ransomware and other malware events.

Experience the Power of Syxsense

Syxsense has created innovative and intuitive technology that sees and knows everything. Manage and secure your environment with a simple and powerful solution.