Magniber, the ransomware that hides under fake Windows 10 updates

Malware, and ransomware at that, disguised as a Windows 10 update and aimed above all at students and consumers rather than large companies or government targets. Could there be a worse idea? A group of cybercriminals is spreading a ransomware variant called Magniber through fake updates for Microsoft's operating system.

Magniber Ransomware

The site BleepingComputer has received a wave of requests for help concerning a ransomware infection (a type of malware that hijacks your computer and demands a ransom payment to the cybercriminal to release it) affecting users around the world, in a campaign that apparently started a month ago, at the beginning of last April. The campaign deploys Magniber ransomware after the victim installs what they believe to be a security or cumulative update for Windows 10.

These updates are distributed under various names, the most common being:

  • Win10.0_System_Upgrade_Software.msi [VirusTotal]
  • Security_Upgrade_Software_Win10.0.msi

Other downloads pretend to be Windows 10 Cumulative Updates, using fake knowledge base (KB) article numbers, such as:

  • System.Upgrade.Win10.0-KB47287134.msi
  • System.Upgrade.Win10.0-KB82260712.msi
  • System.Upgrade.Win10.0-KB18062410.msi
  • System.Upgrade.Win10.0-KB66846525.msi

Although it is not 100% clear how the fake Windows 10 updates are promoted, the downloads are distributed from fake warez and crack sites. Once installed, the ransomware erases the Shadow Volume Copies and encrypts files. While encrypting, it appends a random 8-character extension, such as .gtearevf, to each file. The ransomware also creates ransom notes called README.html in each folder, containing instructions on how to reach the Magniber Tor payment site and pay the ransom.
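As an added illustration, not code from the article or from BleepingComputer, the following Python script turns the indicators the article gives into simple defender-side heuristics: the lure filenames listed above, the random 8-character extension plus a README.html note in every folder, and the deletion of shadow copies. The filename pattern for the fake KB-style installers is generalised from the four names on the page, the file listing is constructed, and the shadow-copy command strings are an assumption: the article does not say which command Magniber uses to erase the copies, so the check looks for the Windows tools that are normally logged doing it.

```python
import posixpath
import re
from collections import Counter, defaultdict

# Lure filenames quoted in the article (lower-cased for case-insensitive matching).
FAKE_UPDATE_NAMES = {
    "win10.0_system_upgrade_software.msi",
    "security_upgrade_software_win10.0.msi",
    "system.upgrade.win10.0-kb47287134.msi",
    "system.upgrade.win10.0-kb82260712.msi",
    "system.upgrade.win10.0-kb18062410.msi",
    "system.upgrade.win10.0-kb66846525.msi",
}

# Assumption: generalised from the four KB-styled names above. Genuine Windows
# updates arrive through Windows Update, not as .msi files downloaded by hand.
FAKE_KB_MSI = re.compile(r"^system\.upgrade\.win10\.0-kb\d+\.msi$")

RANSOM_NOTE = "readme.html"
RANDOM_EXT = re.compile(r"^[a-z0-9]{8}$")
# Legitimate 8-character extensions that would otherwise trip the pattern.
KNOWN_8CHAR_EXTS = {"manifest", "markdown", "metadata"}


def classify_download(filename):
    """Return a reason string if the filename matches the campaign's lures, else None."""
    name = filename.lower()
    if name in FAKE_UPDATE_NAMES:
        return "listed lure filename"
    if FAKE_KB_MSI.match(name):
        return "Windows-update-styled .msi (updates are not distributed as .msi downloads)"
    return None


def scan_tree(paths, min_files=3):
    """Flag folders holding a README.html note next to several files that share
    one random-looking 8-character extension. Returns {folder: details}."""
    by_folder = defaultdict(list)
    for path in paths:
        folder, name = posixpath.split(path)
        by_folder[folder].append(name.lower())

    hits = {}
    for folder, names in by_folder.items():
        has_note = RANSOM_NOTE in names
        exts = Counter()
        for name in names:
            _, dot, ext = name.rpartition(".")
            if dot and RANDOM_EXT.match(ext) and ext not in KNOWN_8CHAR_EXTS:
                exts[ext] += 1
        for ext, count in exts.items():
            # Requiring both the note and a cluster of files keeps false positives low.
            if has_note and count >= min_files:
                hits[folder] = {"extension": ext, "encrypted_files": count}
    return hits


def flags_shadow_copy_deletion(cmdline):
    """Assumption: the article says shadow copies are erased but not how; these
    are the built-in tools whose command lines defenders normally watch for."""
    c = cmdline.lower()
    if "vssadmin" in c and "delete" in c and "shadows" in c:
        return True
    if "wmic" in c and "shadowcopy" in c and "delete" in c:
        return True
    return False


# Constructed sample listing: one encrypted folder, one folder with only a stray
# README.html, and a project folder with legitimate 8-letter extensions.
SAMPLE_PATHS = [
    "C:/Users/alice/Documents/README.html",
    "C:/Users/alice/Documents/thesis.docx.gtearevf",
    "C:/Users/alice/Documents/notes.txt.gtearevf",
    "C:/Users/alice/Documents/budget.xlsx.gtearevf",
    "C:/Users/alice/Pictures/README.html",
    "C:/Users/alice/Pictures/cat.jpg",
    "C:/Projects/app/package.manifest",
    "C:/Projects/app/deploy.manifest",
    "C:/Projects/app/notes.markdown",
    "C:/Projects/app/README.html",
]

if __name__ == "__main__":
    for name in ("System.Upgrade.Win10.0-KB47287134.msi", "setup.msi"):
        print(name, "->", classify_download(name))
    for folder, details in scan_tree(SAMPLE_PATHS).items():
        print("possible Magniber activity in", folder, details)
    print(flags_shadow_copy_deletion("vssadmin.exe Delete Shadows /All /Quiet"))
```

Run against a real file listing, the folder scan is only a triage aid: the extension is random per infection, so the README.html note and the cluster of same-extension files are what make the signal reliable, and the shadow-copy check belongs in process-creation telemetry rather than in a file scan.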

Fake Windows 10 Update

Magniber’s payment site is titled “My Decryptor” and lets the victim decrypt one file for free, contact “support”, or find out the ransom amount and the bitcoin address to which the payment must be made. According to the payment pages viewed by BleepingComputer, most of the ransom demands have been approximately 2,500 dollars, or 0.068 bitcoin, to free the infected machine.

Magniber is considered secure, meaning it contains no weaknesses that could be exploited to recover files for free. The downside, according to BleepingComputer, is that “Unfortunately, this campaign primarily targets students and consumers rather than corporate victims, which makes the ransom demand too expensive for many victims.”