In a blog post, Trustwave's Diana Lopera said the subject lines on the emails were either " Install Latest Microsoft Windows Update now!" or "Critical Microsoft Windows Update!"
The email had an attachment with a .jpg extension which was actually a Windows executable. This then downloaded a second executable file hosted on the Microsoft-owned GitHub.
"The file bitcoingenerator.exe will be downloaded from misterbtc2020, a Github account which was active for a few days during our investigation, but is now removed," Lopera said.
The ransomware would then encrypt the user’s files and append to their filename its own file extension - 777.
The ransom note, as usual placed on the user's desktop, asked for US$500 in bitcoin to be sent to a certain wallet.
Having found that the file extensions generated by these Cyborg samples differed, Trustwave researchers searched for the builder used to generate the malware. They found a YouTube video that linked to the builder that was hosted on GitHub.
"The GitHub account Cyborg-Ransomware was newly created too. It contains two repositories: Cyborg-Builder-Ransomware, and Cyborg-Russian-version," Lopera wrote.
"The first repository has the ransomware builder binaries while the second one contains a link to the Russian version of the builder hosted at another website."