PC users at home are warned that threat actors are launching attack campaigns that aim to deliver the Magniber ransomware via fake Windows 10 and antivirus software updates. The threat actors’ sneaky tactics would allow them to stay under the radar as they encrypt the victims’ files and demand ransom worth thousands of dollars.
Researchers explained that victims are first targeted when they visit an attacker-controlled site that imitates a legitimate website. One way users are redirected to such malicious sites is through browser extensions that the attackers installed on the victim’s device during earlier stages of the attack.
Once the users have landed on the malicious site, they will be prompted to update their computer with a Windows PC software update.
Instead of an update, the downloaded file delivers the Magniber ransomware payload to the victim’s Windows PC. The payload uses a JavaScript file that loads a .NET executable directly in memory, so the executable never needs to be saved to the computer’s disk. This technique also helps Magniber evade security and antivirus tools.
The executable also runs Magniber’s code to delete the shadow copies of the victim’s files and to deactivate Windows backup and other recovery features before the files are encrypted. Because the ransomware gains administrative privileges through User Account Control (UAC) without triggering a prompt, it can run these malicious commands without the user noticing.
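As an added defender-side example (not code from the article or from any Magniber analysis), the following Python detector flags the recovery-inhibition behaviour described above in constructed process-creation log lines. The log format, the script-host parent names and the specific command lines are assumptions: the article does not name the commands Magniber runs, so the patterns cover the ones ransomware families commonly use for this purpose.

```python
import re

# Constructed sample process-creation events (not from the article), one per line:
# "timestamp|parent_image|image|command_line", loosely modelled on Sysmon Event ID 1.
SAMPLE_EVENTS = """\
2023-01-01T10:00:01|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt
2023-01-01T10:00:05|C:\\Windows\\System32\\wscript.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /all /quiet
2023-01-01T10:00:06|C:\\Windows\\System32\\wscript.exe|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled no
2023-01-01T10:00:07|C:\\Windows\\System32\\wscript.exe|C:\\Windows\\System32\\wbadmin.exe|wbadmin delete catalog -quiet
2023-01-01T10:00:08|C:\\Windows\\System32\\wscript.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete
2023-01-01T10:05:00|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows
"""

# Commands commonly used to inhibit recovery (MITRE ATT&CK T1490). Assumed here;
# the article only says shadow copies are deleted and backup/recovery is disabled.
RECOVERY_INHIBIT_PATTERNS = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "backup_catalog_deletion": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "recovery_disabled": re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
}

# Script hosts that would launch the JavaScript stage the article describes (assumed names).
SCRIPT_HOST_PARENTS = ("wscript.exe", "cscript.exe")


def parse_event(line):
    ts, parent, image, cmd = line.split("|", 3)
    return {"ts": ts, "parent": parent, "image": image, "cmd": cmd}


def classify(event):
    """Return the matching technique name, or None if the command line looks benign."""
    for name, pattern in RECOVERY_INHIBIT_PATTERNS.items():
        if pattern.search(event["cmd"]):
            return name
    return None


def detect_recovery_inhibition(log_text):
    """Return alerts for anti-recovery commands; severity is raised when a script host is the parent."""
    alerts = []
    for line in log_text.strip().splitlines():
        event = parse_event(line)
        technique = classify(event)
        if technique is None:
            continue
        parent_name = event["parent"].rsplit("\\", 1)[-1].lower()
        severity = "high" if parent_name in SCRIPT_HOST_PARENTS else "medium"
        alerts.append({"ts": event["ts"], "technique": technique, "severity": severity, "cmd": event["cmd"]})
    return alerts
```

Running `detect_recovery_inhibition(SAMPLE_EVENTS)` on the constructed log yields four high-severity alerts, while the harmless `vssadmin list shadows` line is ignored.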
By the time users can react to the attack, their Windows PC and their important files have already been compromised. A ransom note is then presented, in which the threat actors explain what the victim must do to retrieve the files, including paying the ransom demand for the decryption key.
Researchers state that the ransom payment demanded from home users is much lower than what the hackers ask of corporate networks. Since Windows PC users are the prime targets of this campaign, experts advise that they only use trusted sources to update their computers, and that they check the URLs of the web pages they visit to verify the sites’ authenticity.
Furthermore, users are advised to back up their files regularly and store the backups offline to reduce the impact of data encryption by hackers. If attackers do encrypt their files, they then still have a copy stored somewhere the threat actors could not reach.