Security analysts have unearthed a new ransomware campaign targeting Windows systems. Malicious actors are using fake Windows 10 updates to spread the Magniber ransomware strain.
Since April 27, users around the world have been posting on the BleepingComputer forum seeking a solution. According to the publication, the fake Windows 10 updates are being distributed under multiple names, such as Win10.0_System_Upgrade_Software.msi and Security_Upgrade_Software_Win10.0.msi, via piracy sites, posing as legitimate cumulative or security updates.
Aside from these files, there are also other fake installers, named to look like Microsoft Knowledge Base (KB) updates, that install the Magniber ransomware:
• System.Upgrade.Win10.0-KB47287134.msi
• System.Upgrade.Win10.0-KB82260712.msi
• System.Upgrade.Win10.0-KB18062410.msi
• System.Upgrade.Win10.0-KB66846525.msi
Based on submissions to VirusTotal, this malicious campaign appears to have started on April 8th, 2022 and has seen massive distribution worldwide since then. It remains unclear exactly how the fake Windows 10 updates are being promoted and distributed from fake warez and crack sites.
Once installed, Magniber erases shadow volume copies and then encrypts files. When encrypting, the ransomware appends a random 8-character extension, such as .gtearevf, to each file. It also drops a README.html document in every folder it encrypts; the note redirects the victim to Magniber's Tor payment site, called 'My Decryptor'.
The payment site lets a victim decrypt one file for free, contact 'support,' or obtain the cryptocurrency address to send coins to if they decide to pay the ransom. The ransom demands tend to be around $2,500, or 0.068 bitcoin, BleepingComputer reported.
“The only 1 way to decrypt your files is to receive the private key and decryption program,” the ransom note reads. “Any attempts to restore your files with the third-party software will be fatal for your files!”
According to security researchers, no safe decryptor exists for the ransomware, nor are any weaknesses in the malware known that would allow its infection to be reversed. The ransomware presently targets regular users and students rather than corporate customers. Users therefore need to remain vigilant, avoid downloading cracked software, and use legitimate sites only.
The ransomware was first spotted in 2017 targeting victims in South Korea. In 2021 it used the PrintNightmare exploit to target Windows users, and earlier this year, in January, it was distributed via Microsoft Edge and Chrome.