An executable file disguised as a .jpg leads not only to ransomware but also its builder, which can be used to create variants.

A malicious spam campaign that informs victims it contains a “critical Windows update” instead leads to the installation of Cyborg ransomware, researchers have found. Further, they were able to access its builder, which can be used to create malware variants.

The email-based threat, discovered recently by researchers at Trustwave, is unique in a few ways, researchers unveiled in a blog post on Tuesday. For instance, the attached file purports to be in .jpg format, even though it opens an .exe file.

Another unique aspect is that the emails contain a two-sentence subject, “Install Latest Microsoft Windows Update now! Critical Microsoft Windows Update!”— but it has just one sentence in its email body, researchers said. Typically, malicious emails include a longer, socially engineered message intended to lure victims into clicking malicious files.

But perhaps the most crucial element of the analysis is that the Cyborg ransomware creators also left a trail from the executable that led researchers to discover the malware builder hosted on the Github developer platform.

“The 7Zip file ‘Cyborg Builder Ransomware V 1.0.7z’ from Cyborg-Builder-Ransomware repository was uploaded two days before Github account misterbtc2020 hosted the Cyborg ransomware executable,” according to the post. “It contains the ransomware builder ‘Cyborg Builder Ransomware V 1.0.exe.'”

This adds a new dimension to the attack, Karl Sigler, threat intelligence manager for Trustwave SpiderLabs, told Threatpost in an email interview.

“Ransomware has been widely used to attack different organizations and governments and having it and its builder hosted on a software development platform Github is significant,” he told us. “Anyone can grab a hold of it and create their own Cyborg ransomware executable.”

The fake Windows Update email has typical hallmarks of malicious spam, which is how researchers originally identified it, Sigler told Threatpost. The suspicious subject line combined with “an executable attachment, not encased in an archive and with a .jpg extension,” made its intent pretty obvious, he said.

“Spoofing the file extension of an executable file is a common trick to evade email gateways,” Sigler told Threatpost. “We have seen this before, and so heuristics detections are in place for this kind of behavior.”

Researchers informed Github at around 5:00 pm Central Time on Sunday, Nov. 17, that there is an account hosting the Cyborg ransomware and its builder on its platform, Sigler said. That report is “still under processing,” he told us, and the account hosting the malware was still active as of the time this article was written.

At this time, the Cyborg spam threat seemed to have abated, as researchers see no more evidence of the downloader being sent via email. However, the potential remains for variants to be created from the Cyborg builder, since it’s still available on Github, Sigler said, noting that “a handful of Cyborg ransomware” already has been submitted to VirustTotal.

“The Cyborg Ransomware can be created and spread by anyone who gets hold of the builder,” according to the post. “It can be spammed using other themes and be attached in different forms to evade email gateways.”

Ransomware on the whole is a persistent and growing, with bad actors finding new and creative ways to lure and attack victims. Research released last month said security experts expect ransomware to surge in 2020, especially campaigns that specifically target their victims.

While the Cyborg attack seemed to have had no apparent target, Sigler said, there has been recent evidence that this prediction already is coming true. Last week, SmarterASP.NET, a popular web hosting provider, was hit with a targeted ransomware attack that took down its customers’ websites hosted by the company.

Is MFA enough to protect modern enterprises in the peak era of data breaches? How can you truly secure consumer accounts? Prevent account takeover? Find out: Catch our free, on-demand Threatpost webinar, “Trends in Fortune 1000 Breach Exposure” to hear advice from breach expert Chip Witt of SpyCloud. Click here to register.