A ransomware attack delivered by fake Windows 10 and antivirus software updates is targeting home users, using sneaky techniques to stay undetected before encrypting files and demanding a ransom payment of thousands of dollars.
In many ways, it's a throwback to early ransomware campaigns that encrypted files on individual computers. However, Magniber is using innovative techniques that make it much more difficult to detect – especially for home users.
The attack chain begins when the user visits a website controlled by the attackers, designed to look like legitimate websites and services that victims are tricked into visiting in one of a number of ways.
"There are multiple ways the user can be directed to such a site. Either they register typo-squatted domains for common websites or infect websites with a malware that redirects the user to the final download site," Patrick Schläpfer, malware analyst at HP Wolf Security, told ZDNET.
"I also have a suspicion that the reason for the redirection could be a malicious browser extension, which is installed on the victim's device," he added.
It's this fake update executable that runs the ransomware's code, which deletes shadow copies of files and disables Windows backup and recovery features before encrypting the victim's files. The ransomware also gains administrator privileges using a User Account Control (UAC) bypass to run commands without alerting the user.
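The backup-tampering step described above is one of the few points in this chain where a home machine's own telemetry can raise an alarm before encryption finishes. The following detector is an added example, not code from the article or from HP Wolf Security: it scans constructed process-creation records (the shape of Sysmon Event ID 1 or Windows Security 4688 events) for the standard Windows built-ins that delete shadow copies, remove the backup catalog and disable automatic recovery. The article does not name the exact commands Magniber runs, so those command patterns and the placeholder parent paths are assumptions.

```python
import re

# Constructed sample events, not real Magniber telemetry; the parent path of the
# fake update is a placeholder.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": r"C:\Windows\explorer.exe",
     "cmd": r'"C:\Windows\System32\notepad.exe" C:\Users\home\notes.txt'},
    {"pid": 5328, "parent": r"C:\Users\home\Downloads\FAKE_UPDATE_PLACEHOLDER.exe",
     "cmd": r"vssadmin.exe delete shadows /all /quiet"},
    {"pid": 5340, "parent": r"C:\Users\home\Downloads\FAKE_UPDATE_PLACEHOLDER.exe",
     "cmd": r"wbadmin delete catalog -quiet"},
    {"pid": 5351, "parent": r"C:\Users\home\Downloads\FAKE_UPDATE_PLACEHOLDER.exe",
     "cmd": r"bcdedit /set {default} recoveryenabled No"},
    {"pid": 6002, "parent": r"C:\Windows\System32\svchost.exe",
     "cmd": r"vssadmin.exe list shadows"},  # benign: lists, does not delete
]

# Assumption: the article does not list the commands Magniber uses; these are the
# usual Windows built-ins that produce the effects it describes.
TAMPER_PATTERNS = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("backup_catalog_removal",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
]


def classify(cmd: str):
    """Return the tampering category for a command line, or None if it looks benign."""
    for label, pattern in TAMPER_PATTERNS:
        if pattern.search(cmd):
            return label
    return None


def find_backup_tampering(events):
    """Flag events that disable Windows recovery options. A parent living under a
    user profile (e.g. Downloads) raises severity, since this chain starts from a
    user-downloaded fake update rather than a system component."""
    hits = []
    for ev in events:
        label = classify(ev["cmd"])
        if label is None:
            continue
        from_user_dir = "\\users\\" in ev["parent"].lower()
        hits.append({"pid": ev["pid"], "technique": label,
                     "severity": "high" if from_user_dir else "medium"})
    return hits


if __name__ == "__main__":
    for hit in find_backup_tampering(SAMPLE_EVENTS):
        print(hit)
```

On a real host the same logic would run over the process-creation log rather than the embedded sample, and the "high" hits are the ones worth alerting on immediately.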
By the time the user knows something is wrong, it's too late: their files have been encrypted and they're presented with a ransom note explaining what's happened and providing a link to follow to negotiate a deal for a decryption key. Victims are also told that if they attempt to restore their computer without paying the ransom, their files will be permanently wiped.
However, there are steps that individual users can take to help avoid falling victim to ransomware attacks.
"Users can also reduce risk by making sure updates are only installed from trusted sources, checking URLs to ensure official vendor websites are used, and backing up data regularly to minimize the impact of a potential data breach," said Schläpfer.
The most useful way to back up data is to store it offline, so that if a cyber criminal does encrypt your device, they can't reach the backups too – allowing you to restore the device without paying a criminal.