The Magniber ransomware, which has been around for a while, is apparently spreading via fake Windows 10 updates in its latest campaign. Back in 2021, the Magniber threat actors were using the PrintNightmare exploit to infect victims, and recently in January 2022, it was spreading via Microsoft Edge and Chrome.
This new report comes via BleepingComputer, which noticed a large number of user reports about this infection from people worldwide. The malicious updates are made to look genuine, and some of them even have fake knowledge base (KB) IDs attached to them. Here are some of these fake malicious updates:
- Win10.0_System_Upgrade_Software.msi
- Security_Upgrade_Software_Win10.0.msi
- System.Upgrade.Win10.0-KB47287134.msi
- System.Upgrade.Win10.0-KB82260712.msi
- System.Upgrade.Win10.0-KB18062410.msi
- System.Upgrade.Win10.0-KB66846525.msi
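The file names above share a few tells that a download-screening script can check before anyone double-clicks them. The following is an added example (not code from the article or from BleepingComputer): it flags a download that claims to be a Windows update but does not look like a genuine Microsoft standalone package. The heuristics are assumptions based on how Update Catalog packages are normally named (`windows10.0-kb<7 digits>-<arch>` with an `.msu` or `.cab` extension); the sample list mixes the article's names with two constructed genuine-looking names and one unrelated file.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the fake update names reported in the article, two
# constructed names in the shape of real Update Catalog packages, and one
# unrelated download that should be ignored.
SAMPLE_DOWNLOADS = [
    "Win10.0_System_Upgrade_Software.msi",
    "Security_Upgrade_Software_Win10.0.msi",
    "System.Upgrade.Win10.0-KB47287134.msi",
    "System.Upgrade.Win10.0-KB82260712.msi",
    "windows10.0-kb5012599-x64_abc123.msu",  # constructed, genuine-looking
    "windows10.0-kb5011487-x64.cab",         # constructed, genuine-looking
    "vacation_photos.zip",                   # constructed, not an update
]

# Heuristics (assumptions about Microsoft's packaging, not from the article):
# standalone Windows updates ship as .msu or .cab, are named
# windows<major>.<minor>-kb<7 digits>-<arch>..., and Windows 10 KB IDs are 7 digits.
GENUINE_EXTENSIONS = {".msu", ".cab"}
CANONICAL_RE = re.compile(r"^windows\d+\.\d+-kb\d{7}-(x64|x86|arm64)")
KB_RE = re.compile(r"kb(\d+)")
UPDATE_WORDS_RE = re.compile(r"(win(dows)?\s*10|upgrade|update|security)")


@dataclass
class Verdict:
    filename: str
    looks_like_update: bool
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Only files that present themselves as updates are judged at all.
        return self.looks_like_update and bool(self.reasons)


def assess_update_filename(filename: str) -> Verdict:
    """Return a Verdict explaining why a would-be update name looks off."""
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    looks_like_update = bool(UPDATE_WORDS_RE.search(name) or KB_RE.search(name))
    verdict = Verdict(filename, looks_like_update)
    if not looks_like_update:
        return verdict
    if ext not in GENUINE_EXTENSIONS:
        verdict.reasons.append(f"extension {ext or '(none)'} is not .msu/.cab")
    kb = KB_RE.search(name)
    if kb and len(kb.group(1)) != 7:
        verdict.reasons.append(f"KB{kb.group(1)} is not a 7-digit Windows 10 KB number")
    if not CANONICAL_RE.match(name):
        verdict.reasons.append("name does not follow windows<ver>-kb<id>-<arch> packaging")
    return verdict


def triage(filenames) -> list:
    """Names that claim to be updates but fail at least one heuristic."""
    return [v.filename for v in map(assess_update_filename, filenames) if v.suspicious]


if __name__ == "__main__":
    for f in SAMPLE_DOWNLOADS:
        v = assess_update_filename(f)
        print(f"{'SUSPICIOUS' if v.suspicious else 'ok        '} {f}  {'; '.join(v.reasons)}")
```

The check is deliberately conservative: a genuine package downloaded from the Update Catalog passes all three rules, while every name in the article's list trips at least two (wrong extension and non-standard naming, plus an 8-digit KB ID where one is present). It is a screening aid, not a substitute for verifying the Authenticode signature of anything that installs.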
These malicious updates are being spread via warez and piracy websites. Here is one such example:
Once the malicious files are installed, they go on to delete the volume shadow copies (the built-in backups) of the encrypted drives and create a "README" HTML file that contains the ransom note (shown in the image on the right).
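Deleting volume shadow copies is one of the few actions in this chain that defenders can catch on the endpoint before encryption completes. The block below is an added example, not code from the article or from BleepingComputer: it runs a small detection over constructed process-creation records. The article does not say which tool Magniber uses to remove the shadow copies, so the rules cover the generic Windows idioms for doing so (vssadmin, wmic, and WMI from PowerShell), and the idea of raising severity when the parent is the Windows Installer process (msiexec.exe, which runs .msi packages) is an assumption drawn from the fact that the payload arrives as an .msi.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (the fields Sysmon Event ID 1 or EDR
    telemetry would carry; the shape is chosen for this example)."""
    image: str          # full path of the new process
    command_line: str
    parent_image: str   # full path of the parent process


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    event: ProcessEvent


def _basename(path: str) -> str:
    # Works for Windows paths even when the script runs on a POSIX host.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# Generic shadow-copy deletion idioms (ATT&CK T1490, "Inhibit System Recovery").
# Not Magniber-specific: the article only states that shadow copies are deleted.
SHADOW_DELETE_RULES = (
    ("vssadmin.exe", re.compile(r"\bdelete\s+shadows\b", re.I)),
    ("wmic.exe", re.compile(r"\bshadowcopy\b.*\bdelete\b", re.I)),
    ("powershell.exe", re.compile(r"win32_shadowcopy.*\b(delete|remove)", re.I | re.S)),
)

# Assumption: shadow-copy deletion spawned directly by the Windows Installer
# service process is what a trojanised .msi "update" would produce.
INSTALLER_PARENTS = {"msiexec.exe"}


def detect_shadow_copy_deletion(event: ProcessEvent) -> Optional[Alert]:
    """Return an Alert if the event matches a deletion rule, else None."""
    image = _basename(event.image)
    for tool, pattern in SHADOW_DELETE_RULES:
        if image == tool and pattern.search(event.command_line):
            parent = _basename(event.parent_image)
            severity = "high" if parent in INSTALLER_PARENTS else "medium"
            return Alert(rule=f"shadow-copy-deletion:{tool}", severity=severity, event=event)
    return None


def scan(events) -> list:
    """Run the detector over a sequence of events and keep the hits, in order."""
    return [a for a in map(detect_shadow_copy_deletion, events) if a is not None]


# Constructed sample telemetry: three deletions (one launched by the installer),
# one benign listing of shadow copies, and one unrelated process.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe delete shadows /all /quiet",
                 r"C:\Windows\System32\msiexec.exe"),
    ProcessEvent(r"C:\Windows\System32\wbem\WMIC.exe",
                 "wmic shadowcopy delete",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin list shadows",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -Command "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe",
                 "notepad.exe README.html",
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.rule}: {alert.event.command_line}")
```

The listing command (`vssadmin list shadows`) is left alone on purpose, since administrators and backup agents run it routinely; the rules key on the destructive verb, and the installer-parent escalation is what separates a suspicious update package from an operator at a console.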
On the ransomware payment site, the threat actors ask the victims to pay up around $2,600 or 0.068 bitcoins (BTC), and the ransom is set to double if five days go without payment.
To protect yourself from such a campaign, avoid unofficial sources for Windows updates and install them directly through Windows Update in Settings. You can also look for standalone updates on the Microsoft Update Catalog website.
Source and images: BleepingComputer
Edit: Inserted the correct image for the distribution website.