Fake Windows 10 Updates are Spreading Ransomware

Windows 10 users have been targeted with fake updates that, if installed, will land you with a ransomware infection.

The fake security update appears as a normal Windows 10 security update. However, what the update actually contains is the Magniber ransomware. According to BleepingComputer, the spread began at the start of April. VirusTotal have concluded that the ransomware campaign started on 8th April, and then spread worldwide. It appears as if the fake Windows 10 security updates are being distributed from software crack sites. Once Magniber has infected a machine, it will encrypt files, which will then appear with a random 8-character extension. The fake updates will have file names such as Win10.0_System_Upgrade_Software.msi or Security_Upgrade_Software_Win10.0.msi. There will be a “read me” file with a link Magniber’s Tor payment site, called My Decryptor. Users are allowed to test one file to ensure the process is “legitimiate”, with the ransom being fairly low at $2500. There are currently no Magniber decryption tools available for free.

The Magniber ransomware first appeared in 2017, and is based on the Magnitude exploit kit. At the start, Magniber almost exclusive targeted users in South Korea, using Internet Explorer. The ransomware gang then spread its wings, and started targeting users in China, Singapore and Malaysia.

This current Magniber campaign appears to be targeting consumers and students rather than businesses, hence the comparatively small ransom of $2500 – but this is still too much money for most victims. The best way to protect yourself from ransomware such as Magniber is to regularly back up all of your data, and avoid dodgy websites with potentially dangerous pop-ups.