Fake Windows 10 update is being rolled out to spread Magniber ransomware.
Fake Windows 10 updates are reportedly being circulated to spread the Magniber ransomware and steal users’ data, especially the data of students and other non-professional users. BleepingComputer has shared that it has received a surge of requests for help regarding this ransomware infection, which targets users across the world. The malware initially appears to be a Windows 10 cumulative or security update. According to VirusTotal, the campaign appears to have started on April 8th, 2022 and has targeted a large number of users worldwide since then.
While it’s not 100% clear how the fake Windows 10 updates are being circulated, the files are distributed under various names, such as Win10.0_System_Upgrade_Software.msi and Security_Upgrade_Software_Win10.0.msi. The downloads are distributed through fake warez and crack sites.
How these malicious Windows 10 updates work
Once the fake Windows 10 update is downloaded, the ransomware deletes shadow volume copies and then encrypts files. It creates a README.html document in each folder that it encrypts. These documents redirect users to Magniber’s Tor payment page, which is called ‘My Decryptor’. The website lets users decrypt one file free of charge and shows the victim the cryptocurrency address to which they should send the ransom. It also provides options to contact its “support team” for help.
The ransom demands are around $2,500 or 0.068 bitcoin.
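For responders checking a machine or a file share, the following Python script is an added example (not code from the article or from BleepingComputer). It walks a directory tree and reports the two artefacts described above: folders that contain a README.html note and MSI files carrying the two names quoted in the article. The function names and the three-folder threshold are assumptions, and the sample tree is constructed; README.html is also a common legitimate file name, so only the same note repeated across many folders is treated as a signal.

```python
import os
import tempfile

# Installer names quoted in the article; the campaign uses other names too.
KNOWN_INSTALLER_NAMES = {
    "win10.0_system_upgrade_software.msi",
    "security_upgrade_software_win10.0.msi",
}
NOTE_NAME = "readme.html"  # note the article says is dropped in each encrypted folder


def triage(root, min_note_dirs=3):
    """Walk root and summarise note folders and known installer names."""
    note_dirs, installers, total_dirs = [], [], 0
    for dirpath, _dirnames, filenames in os.walk(root):
        total_dirs += 1
        lowered = {name.lower(): name for name in filenames}
        if NOTE_NAME in lowered:
            note_dirs.append(dirpath)
        for low, original in lowered.items():
            if low in KNOWN_INSTALLER_NAMES:
                installers.append(os.path.join(dirpath, original))
    return {
        "total_dirs": total_dirs,
        "note_dirs": sorted(note_dirs),
        "installers": sorted(installers),
        # min_note_dirs is an assumed threshold: one README.html is normal,
        # the same note in many folders is worth escalating.
        "suspicious": len(note_dirs) >= min_note_dirs or bool(installers),
    }


def build_sample_tree(base):
    """Constructed sample data: three folders with a note, one installer, one clean."""
    for sub in ("Documents", "Pictures", os.path.join("Documents", "School")):
        os.makedirs(os.path.join(base, sub), exist_ok=True)
        open(os.path.join(base, sub, "README.html"), "w").close()
    os.makedirs(os.path.join(base, "Downloads"), exist_ok=True)
    open(os.path.join(base, "Downloads", "Win10.0_System_Upgrade_Software.msi"), "w").close()
    os.makedirs(os.path.join(base, "Clean"), exist_ok=True)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        report = triage(tmp)
        print(report["suspicious"], len(report["note_dirs"]), report["installers"])
```

A hit on either check is a reason to isolate the host and look closer, not a confirmation of Magniber.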
How to deal with fake Windows 10 ransomware?
As of now, there are no known ways of decrypting files that are encrypted by the Magniber ransomware strain.
This is not the first time that fake software has targeted users. Fake updates, from antivirus software updates to Flash Player updates, have been a consistently popular method of duping users into downloading malware for years.
Recently, cybersecurity researchers from MalwareHunterTeam detected an SMS phishing campaign in which Android users receive a text message asking them to complete a Flash Player update, or else the video upload they started cannot be completed.
The same SMS message contains a link that redirects users to the FluBot Android banking trojan, which steals login information by displaying overlays for many global banks.