Security analysts at 360 Security Center have identified a new Magniber ransomware campaign targeting Windows 11 systems. Since May 25 the volume of Magniber attacks has surged, and the installer names used to deliver it have been updated, for example win10-11_system_upgrade_software.msi and covid.warning.readme.xxxxxxxx.msi.
The ransomware is spread through several online channels, including cracked-software websites and fake pornographic websites. Visitors to these fraudulent sites are lured into downloading the installer from third-party file-hosting services.
According to the researchers, the ransomware itself has changed little and can run on multiple versions of Windows. It encrypts files with a hybrid RSA+AES scheme: file contents are encrypted with AES, and the AES key is in turn encrypted with a 2048-bit RSA public key. Breaking 2048-bit RSA is not feasible with current technology, so without the attacker's private key the file keys, and therefore the files, cannot be recovered.
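The following Go program is an added illustration of why an RSA+AES hybrid scheme leaves nothing to "crack" on the victim's machine; it is not Magniber's code, and the on-disk layout, key sizes (AES-256-GCM, RSA-2048 with OAEP) and the hypothetical `hybridEncrypt`, `hybridDecrypt` and `scenario` functions are assumptions for this example. Each file gets a fresh AES key, that key is wrapped with the attacker's public key, and the wrapped key is the only copy that survives. Decryption succeeds with the matching private key, fails with an unrelated private key, and fails when the ciphertext is modified, because GCM authenticates it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile is what a hybrid RSA+AES scheme leaves on disk. The layout is
// an assumption for this illustration, not the real Magniber file format.
type EncryptedFile struct {
	WrappedKey []byte // RSA-OAEP(attackerPub, fileKey)
	Nonce      []byte // 12-byte AES-GCM nonce
	Ciphertext []byte // AES-256-GCM(fileKey, plaintext) with the tag appended
}

// hybridEncrypt needs only the public key: the encrypting code never holds
// the secret that could reverse its own work.
func hybridEncrypt(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32) // fresh AES-256 key per file
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The file key is wrapped under the 2048-bit public key; the plaintext
	// key is discarded when this function returns.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// hybridDecrypt is the "decryptor" a victim pays for. Without the matching
// private key the OAEP unwrap fails and the file key is never recovered.
func hybridDecrypt(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: wrong private key")
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil) // fails if tampered
}

// scenario runs the whole lifecycle once: generate the attacker's RSA-2048
// keypair, encrypt a constructed file with the public half, then decrypt with
// the right key, with an unrelated key, and after flipping one ciphertext bit.
func scenario(plaintext []byte) (recovered string, wrongKeyRejected bool, tamperRejected bool, err error) {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	ef, err := hybridEncrypt(&attacker.PublicKey, plaintext)
	if err != nil {
		return
	}
	got, err := hybridDecrypt(attacker, ef)
	if err != nil {
		return
	}
	recovered = string(got)

	other, err := rsa.GenerateKey(rand.Reader, 2048) // a key the victim might generate: useless
	if err != nil {
		return
	}
	_, e := hybridDecrypt(other, ef)
	wrongKeyRejected = e != nil

	tampered := *ef
	tampered.Ciphertext = append([]byte(nil), ef.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	_, e = hybridDecrypt(attacker, &tampered)
	tamperRejected = e != nil
	return
}

func main() {
	rec, wrongKey, tamper, err := scenario([]byte("constructed sample document contents"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered with attacker key: %q\n", rec)
	fmt.Printf("rejected with unrelated key: %v\n", wrongKey)
	fmt.Printf("rejected after tampering:    %v\n", tamper)
}
```

The point for defenders is that the attacker's private key never touches the victim's machine, so neither memory forensics nor brute force on the 2048-bit modulus is a realistic recovery path; only a flaw in the malware's key handling (none known for this family, per the researchers) or restored backups get the files back.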
Encrypted files receive a random extension, and each victim is given a separate payment page; the link expires if the ransom is not paid within the specified time. A victim who pays within 5 days is charged 0.09 Bitcoin; after 5 days the ransom doubles.
This is the second campaign in two months in which the attackers have targeted Windows users with fake updates. In April, they spread Magniber through fake Windows 10 updates distributed under names such as Win10.0_System_Upgrade_Software.msi and Security_Upgrade_Software_Win10.0.msi via pirated-software sites, posing as legitimate cumulative or security updates.
That campaign started on April 8, 2022, and has since been distributed widely worldwide. The fake updates are hosted on warez and crack sites, but how they are being promoted to victims remains unclear.
According to security researchers, no safe decryptor exists for this ransomware, and no weakness in the malware that would allow an infection to be reversed has been found so far. The ransomware currently targets home users and students rather than corporate customers, so users should remain vigilant, avoid downloading cracked software, and obtain software only from legitimate sources. A simple check applies here: genuine Windows cumulative and security updates arrive through Windows Update, not as standalone .msi installers downloaded from file-hosting sites.
Magniber was first spotted in 2017 targeting victims in South Korea. In 2021 it used the PrintNightmare exploit to target Windows users, and in January of this year it was distributed as fake Microsoft Edge and Chrome browser updates.