Fake Windows 10 updates are being used to spread the Magniber ransomware strain, reports suggest.
Ransomware continues to be a scourge for consumers and businesses alike, but Magniber mainly seems to be targeting students and other non-professional users, according to Bleeping Computer sources.
Based on the Magnitude exploit kit, the strain first appeared in 2017 as a successor to Cerber, and at the time almost exclusively targeted South Korean users.
Initially, Magniber targeted users who were still using Internet Explorer. The ransomware gang then expanded the scope of its operations to infecting systems in China, Taiwan, Hong Kong, Singapore, and Malaysia.
Malicious Windows 10 updates
These damaging fake Windows 10 updates are being distributed under names such as Win10.0_System_Upgrade_Software.msi and Security_Upgrade_Software_Win10.0.msi via platforms such as crack sites, posing as legitimate cumulative or security updates.
Magniber produces a README.html document in each folder which it encrypts. The documents then redirect users to Magniber’s Tor payment site, which is called ‘My Decryptor’.
The cybercriminal ring’s website graciously provides users with one free file, which it will decrypt without charge, and allows users to find out which cryptocurrency address to send coins to if they decide to pay the ransom. It also provides options to contact its “support team”, according to the sources.
The ransomware demands tend to be around $2,500 or 0.068 bitcoin, Bleeping Computer suggests. There are not currently any known ways of decrypting files encrypted by the Magniber ransomware strain for free.
Fake software updates, covering everything from antivirus software to Flash Player Updates, have been a consistently popular method of duping users into downloading malware for years, with the combination of threat and urgency effectively duping users.
For example, cybersecurity researchers from MalwareHunterTeam recently identified an SMS phishing campaign whereby Android users receive a text message claiming that a video upload they started couldn’t be completed without an update to the Flash Player.
The same SMS message provides a link to where the “update” can be found, which instead directs victims to Android banking trojan FluBot malware, which steals login information by overlaying many global banks.