Threat Analysis Unit (TAU) Threat Intelligence Notification: Cyborg Ransomware

Cyborg Ransomware was found being distributed through a spear-phishing email campaign: a fake “Windows Update” email carries an attachment that appears to be a ‘.jpg’ file but is actually a ‘.exe’ binary. The email tries to tempt users into opening the malicious attachment, which downloads and launches the ransomware payload.

After Cyborg Ransomware has encrypted files, it drops a ransom note named “Cyborg_DECRYPT.txt” (Figure 1) and changes the victim's desktop wallpaper (Figure 2). It also creates a copy of itself named ‘bot.exe’ and tries to hide this persistence artifact from the user by setting the file's attributes to ‘Hidden’.

The Cyborg Ransomware builder was previously found hosted on GitHub, but it has since been taken down. Others may nevertheless still be able to use it to create further variants of the ransomware.

Figure 1: Screenshot of the ransom note (image: cy1.png)

Figure 2: Screenshot of the changed desktop wallpaper (image: cy2.png)

This post serves to inform our customers about detection and protection capabilities within the Carbon Black suite of products against Cyborg Ransomware.

Behavioral Summary

Cyborg Ransomware is blocked and detected by existing policies within Carbon Black products. For more on ransomware behavior, and on the detection and protection capabilities of the Carbon Black suite of products against Cyborg ransomware, refer to the following blog post:

TAU-TIN – Ransomware Threats

In addition, CB Defense will display the malware’s overall triggered TTPs.

Remediation:

MITRE ATT&CK TIDs

TID    Tactics                       Technique
T1192  Initial Access                Spearphishing Attachment
T1158  Defense Evasion, Persistence  Hidden Files and Directories
T1486  Impact                        Data Encrypted for Impact
T1491  Impact                        Defacement

Indicators of Compromise (IOCs)

Indicator                                                         Type    Context
d1cabfb85197f783b5cd3fc0d8035cb5ce128c592a90835123e7fe1a286c2b79  SHA256  Cyborg Downloader
da989874b3610efe92f46f67d6a83b5f81f2ac1c90fb1133adc27b0b29c96b94  SHA256  Cyborg Ransomware
ce7a28d3f7cbcb06f484a17dcd244ac1cd126f8c557b702e011f57448045f4cf  SHA256  Cyborg Ransomware
90a6fb365e1546b7ca29eb4f08dc3f4c197835f35621e5f48651ec639725ac39  SHA256  Cyborg Ransomware
12b92b6215b4c1dcd7ed9421ff49e540f8db08122a58fb1982ce4566b29a33d3  SHA256  Cyborg Ransomware
076a432d5448cb7d5f7c235a77b4535b6e90ae56abc3c13e2c3c7815bab40898  SHA256  Cyborg Ransomware Builder
7f5efdf9e9273ed21f90bb095a34140e70d6f38d074c3f0aebfa2e919d4a82cc  SHA256  Cyborg Ransomware Builder
3d5249ce45aed02472d7201f43c35263                                  MD5     Cyborg Ransomware
d2bbda5cc6e78a6a9baa39e2cdda4923                                  MD5     Cyborg Ransomware
74bfab32741f15b9fcfb32aacffab584                                  MD5     Cyborg Ransomware
a9750200274a60c274312c30f57c24d1                                  MD5     Cyborg Ransomware
71fc9ca31e45809d044e70617f47e95b                                  MD5     Cyborg Ransomware
e3adcb8c860a4e0425ef1ff7a769ba6a                                  MD5     Cyborg Ransomware Builder
5ad1631fe97a0345cbccf8802468fa7a                                  MD5     Cyborg Ransomware Builder
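The following Python script is an added example, not code from Carbon Black or from this notification. It turns the IOC table above and the behavioral summary (the dropped ransom note Cyborg_DECRYPT.txt and the hidden self-copy bot.exe) into an offline sweep of a directory tree: every file is hashed with SHA256 and MD5 and compared against the indicators, and the two filesystem artifacts are flagged by name, with the Windows Hidden attribute reported when the scan runs on Windows. The sample files written by `demo()` are constructed for illustration and contain no malware; one constructed digest is added to the indicator set so the hash-match path can be exercised without a real sample.

```python
"""Offline IOC sweep for the Cyborg ransomware indicators in this notification.

Added example, not Carbon Black's code. Hashes of real samples cannot be
reproduced here, so demo() constructs harmless files and a constructed
indicator to exercise the matching logic.
"""
import hashlib
import os
import stat
import tempfile

# SHA256 and MD5 values copied from the IOC table in the notification.
IOC_HASHES = {
    "d1cabfb85197f783b5cd3fc0d8035cb5ce128c592a90835123e7fe1a286c2b79": "Cyborg Downloader",
    "da989874b3610efe92f46f67d6a83b5f81f2ac1c90fb1133adc27b0b29c96b94": "Cyborg Ransomware",
    "ce7a28d3f7cbcb06f484a17dcd244ac1cd126f8c557b702e011f57448045f4cf": "Cyborg Ransomware",
    "90a6fb365e1546b7ca29eb4f08dc3f4c197835f35621e5f48651ec639725ac39": "Cyborg Ransomware",
    "12b92b6215b4c1dcd7ed9421ff49e540f8db08122a58fb1982ce4566b29a33d3": "Cyborg Ransomware",
    "076a432d5448cb7d5f7c235a77b4535b6e90ae56abc3c13e2c3c7815bab40898": "Cyborg Ransomware Builder",
    "7f5efdf9e9273ed21f90bb095a34140e70d6f38d074c3f0aebfa2e919d4a82cc": "Cyborg Ransomware Builder",
    "3d5249ce45aed02472d7201f43c35263": "Cyborg Ransomware",
    "d2bbda5cc6e78a6a9baa39e2cdda4923": "Cyborg Ransomware",
    "74bfab32741f15b9fcfb32aacffab584": "Cyborg Ransomware",
    "a9750200274a60c274312c30f57c24d1": "Cyborg Ransomware",
    "71fc9ca31e45809d044e70617f47e95b": "Cyborg Ransomware",
    "e3adcb8c860a4e0425ef1ff7a769ba6a": "Cyborg Ransomware Builder",
    "5ad1631fe97a0345cbccf8802468fa7a": "Cyborg Ransomware Builder",
}

# Filesystem artifacts named in the behavioral summary.
RANSOM_NOTE = "Cyborg_DECRYPT.txt"
SELF_COPY = "bot.exe"


def file_hashes(path, chunk_size=1 << 16):
    """Return (sha256, md5) hex digests of a file, read in chunks."""
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return sha256.hexdigest(), md5.hexdigest()


def is_hidden(path):
    """True/False for the Windows Hidden attribute; None when not on Windows."""
    attr = getattr(os.stat(path), "st_file_attributes", None)
    if attr is None:
        return None
    return bool(attr & stat.FILE_ATTRIBUTE_HIDDEN)


def scan_tree(root, iocs=IOC_HASHES):
    """Walk root and return a list of (path, reason) findings."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digests = file_hashes(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            for digest in digests:
                if digest in iocs:
                    findings.append((path, "hash match: " + iocs[digest]))
                    break
            lowered = name.lower()
            if lowered == RANSOM_NOTE.lower():
                findings.append((path, "ransom note dropped by Cyborg"))
            elif lowered == SELF_COPY.lower():
                hidden = is_hidden(path)
                detail = "" if hidden is None else (
                    " (Hidden attribute set)" if hidden else " (not hidden)")
                findings.append((path, "possible Cyborg self-copy" + detail))
    return findings


def demo():
    """Scan a constructed sample tree; returns sorted (basename, reason) pairs."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed files for the example: none of them is real malware.
        sample = os.path.join(root, "invoice.exe")
        with open(sample, "wb") as fh:
            fh.write(b"constructed sample payload")
        with open(os.path.join(root, RANSOM_NOTE), "w") as fh:
            fh.write("constructed ransom note text\n")
        with open(os.path.join(root, "readme.txt"), "w") as fh:
            fh.write("benign file\n")
        # Constructed indicator so the hash-match path runs without a real sample.
        iocs = dict(IOC_HASHES)
        iocs[file_hashes(sample)[0]] = "constructed test indicator"
        return sorted((os.path.basename(p), r) for p, r in scan_tree(root, iocs))


if __name__ == "__main__":
    for basename, reason in demo():
        print(basename, "->", reason)
```

Run it against a real directory with `scan_tree("C:\\Users")` (or any path); a match on a hash from the IOC table, a Cyborg_DECRYPT.txt note, or a hidden bot.exe is each reported separately so an analyst can see which of the notification's indicators fired.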

The post Threat Analysis Unit (TAU) Threat Intelligence Notification: Cyborg Ransomware appeared first on VMware Carbon Black.

Article Link: https://www.carbonblack.com/2019/12/10/threat-analysis-unit-tau-threat-intelligence-notification-cyborg-ransomware/