One such campaign claims to be from Microsoft, advising people to update Windows, but doing so will install ransomware on a computer.

Researchers from Trustwave’s SpiderLabs discovered the spam emails, which come with an ‘Install Latest Microsoft Windows Update now!’ or ‘Critical Microsoft Windows Update!’ subject line. Microsoft, of course, doesn’t send out Windows updates through email.

The messages contain just one sentence, and the first word begins with two capital letters, making it appear even less legitimate. Recipients are asked to click an attachment to download the ‘update.’ While the file has a .jpg extension, it’s actually an executable .NET downloader that delivers malware to the infected system.

Clicking on the file will download another executable, this one called bitcoingenerator.exe from a (now-removed) Github account named misterbtc2020. Like the email attachment, this is .NET compiled malware—the Cyborg ransomware.

As with other ransomware, bitcoingenerator.exe encrypts users’ files and changes their extension to its own: 777. The ransomware also leaves a copy of itself called ‘bot.exe’ hidden at the root of the infected drive.

Victims will then find a ransom note named “Cyborg_DECRYPT.txt” on their desktop, which demands $500 to decrypt the files.