Cyborg Ransomware spreading via fake Windows update

Cyborg Ransomware spreading via fake Windows update

Cyborg Ransomware is the latest Ransomware that has been identified by researchers to target Windows-based systems and it is currently spreading through fake emails about a Windows update with the subject line that reads, “Critical Microsoft Windows Update!”. 

Cyborg Ransomware

The email poses as a one that has been sent by Microsoft is clearly fake which could be easily identified by the improper formatting, lack of official headers or logos and also the fact that Microsoft never sends critical updates over email to its users.

The Ransomware is embedded into the fake update attachment included in the email, which is apparently an executable file with a .jpg extension. The file has been given a randomly generated name and its approximately 28KB in size. The executable file’s purpose is to deliver a Malware to the target system, which according to the code of the Cyborg Ransomware is another executable file downloaded from GitHub.

Also Read: Purelocker Ransomware: Working and Evasion Techniques 

How the Cyborg Ransomware Works:

As mentioned earlier, the main part of the Cyborg Ransomware is the attachment sent in the fake Windows update email. Once the victim of the targeted system clicks on or opens the attachment in the email, it will download an executable file containing the malware from the GitHub website. The file that was downloaded was named as bitcoingenertor.exe and it was supposedly downloaded from the account misterbtc2020, which has now been removed from GitHub.

Once the Cyborg Ransomware embedded in the file bitcoingenerator.exe has been downloaded to the targeted system, it will then start encrypting all the data files in the victim’s system and add the extension .777 to the encrypted files. The memory dump of the Ransomware file with the list of file extensions to encrypt is given below.

Cyborg Ransomware

Once all the data files in the target system have been encrypted by the Cyborg Ransomware, it then leaves a ransom note in the form of a text file named, Cyborg_DECRPT.txt on the desktop of the target system. The Ransom note instructs the victim to send a Ransom of $500 in the form of bitcoins to the provided wallet and to send an email to the provided email id to be able to get the decryption key to decrypt all the files in the victim’s system that has been encrypted by the Cyborg Ransomware.

How to protect yourself:

While the most common way the Cyborg Ransomware is currently spreading across Windows systems is through a fake email prompting the targeted users to install a critical Windows update by sending an attachment, there are also other ways through which the Cyborg Ransomware might make its way to your system.

Basically anyone who gains access to the Ransomware builder file from the GitHub repository or from other means could build their own version of the Cyborg Ransomware and then either embed it to an attachment and send it to you as an email with different contents or even attach it to a link and attempt to spread it through malvertising methods.

Either way, it is important that you protect yourself from these kinds of Ransomware and it is always recommended that you regularly backup all your important files and keep both a local copy and a one stored in the cloud. Also, do not click on any attachments or open emails from suspicious senders or visit shady websites that might be a target of malvertising.

Even Microsoft has released an official set of guidelines and preventive measures you could take to stay away from the Ransomware. You could view those guidelines here.

Purelocker Ransomware: Working and evasion

Purelocker Ransomware: Working and evasion

Purelocker Ransomware is the latest Ransomware in town and it seems to be designed to specifically target production servers at the enterprise level. The Purelocker Ransomware was detected last week by researchers at Intezer and IBM X-Force.

Upon analysis, they have identified that the Ransomware has been used by Cobalt Gang and FIN6 among other threat groups mainly targeting Windows and Linux based servers. The name Purelocker has been assigned to this Ransomware as it has been written completely using a programming language called Purebasic.

Purebasic is a pretty uncommon programming language but the choice of this particular language by the attackers has to do with the fact that the code written using Purebasic is compatible across multiple platforms like Windows, Linux, and macOS, making it easier for the attackers to target multiple operating systems at once.

Also, since the Purebasic programming language is not that common or popular, the Antivirus companies are finding it difficult to generate reliable and accurate detection engines and signatures to be able to detect the Purelocker Ransomware. This is also part of the reason why the Ransomware went undetected even after being active for several months.

Detection process:

According to the researchers, the initial process involved in analyzing a Windows Sample of the Purelocker Ransomware and they have identified it to be a 32-bit DLL file which was posing as a C++ based cryptography library called Crypto++. The researches become suspicious as some of the functions in the library were related to music playback and controls.


Evasion Techniques:

As mentioned earlier, the Purelocker Ransomware managed to stay undetected by popular Anti Virus engines for the first few weeks after its attack. The attackers managed to stay under the radar by using the Purebasic programming language to write the ransomware instead of using some popular programming language which is widely popular and has several detection signatures already available.

Also, the attackers behind the Purelocker Ransomware has programmed it so that it will only begin its execution in its target attack system after ensuring that it is not being analyzed or used for debugging by anyone. If that is not the case, the Ransomware would automatically exit itself from the target system, without even deleting itself.

The Ransomware also executes from the regsrv32.exe, so it verifies that it is indeed executed by the process, and also that the current year on the target system is 2019 and that it has administrator rights on the system. If any of these checks fail, the ransomware would immediately exit the system as mentioned above, so as to not leave any traces of its functionality or working.

Working of Purelocker Ransomware:

Once the Ransomware performs all the verification checks on the target systems and if it gets the desired results, it will start working by first encrypting all the files on the target system with the AES+RSA combination using a hardcoded RSA Key.

The Ransomware mainly executes the data files on the system with .CR1 extension and it mostly ignores the executable files in the target system. It then proceeds to delete all the originals of the files it has encrypted to prevent the user from performing file recovery. Finally, it leaves a ransom note as a text file in the user’s desktop with the name, YOUR_FILES.txt.


While, a traditional Ransomware includes the information about how much Ransom the attackers want the victims to send to them and the means to send that, which is typically a bitcoin-based transaction, the attackers behind the Purelocker Ransomware has instructed the victims to contact them via email instead.

They also seem to use an anonymous and encrypted email service provider for this purpose with different email addresses for each of the victims. Once the attackers communicate with the victims and get their desired ransom amount, they then send the decryption keys to the victims using the same email addresses they have provided for contacting them.

Unconventional ways of Purelocker Ransomware:

Right from using an unconventional programming language like Purebasic to code the Ransomware, its evasion technique, and even the way the Ransomware functions and collects the Ransom from the victims, it is clearly evident that this is different in a lot of ways from the Ransomware that usually are talked about in the news.

This clearly shows that the attackers behind this Ransomware are rapidly improving and innovating the ways they use to perform targeted attacks. Therefore, it is important, now more than ever, for us to focus more on the security of our systems and try to be as safe as possible with our data and devices.