Threat actors use Windows updates as a bait to spread Magniber ransomwareMagniber ransomware overviewContents of the ransom noteThe payment site

The first samples of this malware in VirusTotal and App.Any.Run submissions were spotted on February 22th, 2022 and it is believed to be the starting day of this ransomware campaign. A more significant number of samples were also spotted in the beginning of April. Some of the most common names used to disguise the deceptive files with the malware inside of them were:

Win10.0_System_Upgrade_Software.msi;Security_Upgrade_Software_Win10.0.msi;System.Upgrade.Win10.0-KB47287134.msi;System.Upgrade.Win10.0-KB82260712.msi;System.Upgrade.Win10.0-KB18062410.msi;Win10.Update-KB8723467.msi;System.Upgrade.Win10.0-KB66846525.msi.

In order to avoid getting infected, computer users are advised to only download updates from legitimate websites. When it comes to Windows updates, it is best to check for them via your computer’s Update & Security settings or the official Microsoft.com website only.

Magniber ransomware overview

After landing on the victim’s computer, Magniber ransomware begins its operation by deleting Volume Shadow Copies. Next, it encrypts all files stored in each folder except those essential for the functionality of the operating system. The virus also marks each encrypted file with additional extension. Some samples of analyzed malware variants used .gtearevf, .vpkrzajx or .nstqjdgxj extension to mark infected files. In other words, the ransomware seems to be using a randomly generated 8 or 9 character string as a new extension for affected data.

Contents of the ransom note

The ransomware creates and saves a copy of a ransom note dubbed README.html in each affected folder. This file opens via computer’s default web browser and displays a message from the ransomware operators. The first line suggests that all of victim’s documents, photos, databases and other important files have been encrypted. The document reassures the computer user that files are only modified and not “damaged.” However, the note instructs that in order to reverse the modification inflicted on all files, the computer user has to pay a ransom in exchange for data decryption key and program. The note instructs the user to download Tor browser and install it. Next, it suggests visiting a personal page created for the specific victim only. It appears that the virus assigns the personal website according to the extension generated and used to mark files on the infected computer. In addition, the note contains several URLs that can be accessed via regular web browsers in case the victim doesn’t want to or doesn’t know how to install Tor browser. These URLs are likely to be taken down anytime, so the note suggests visiting them as soon as possible.

The payment site

The payment website assigned by the Magniber ransomware is dubbed “My Decryptor” and it suggests that the victim’s documents, photos, databases and other important files have been leaked and encrypted. The page also states that the victim can get the decryption tools for “special price” only for 5 days, otherwise the ransom amount will be doubled. According to the site, the “special price” is 0.068 BTC ($2609) and the price after the increase will be 0.13600 BTC ($5218). Just like any other typical ransomware, it asks to make the transaction via cryptocurrency, specifically Bitcoin. Such transactions cannot be traced down, therefore FBI’s hands are tied when it comes to finding the perpetrators. In addition, the site claims that if the victim won’t purchase the decryption tools within 5 days, some data stolen from the computer will be sent to victim’s contacts and also published online. When it comes to the ransom price, we can say that the operators behind this malware are rather greedy when it comes to the price of the decryption tools they offer. Moreover, this ransomware strain doesn’t use sophisticated distribution techniques, therefore we believe it mostly targets home computer users. As a result, the ransom demand is simply too high as such decryption prices are usually demanded from infected companies or governmental institutions. Previously, the threat actors behind this ransomware were spotted using different distribution techniques that involved exploitation of Internet Explorer vulnerabilities and also disguising the malware as updates for MS Edge or Google Chrome browsers.