HP’s Wolf Security team is reporting that Magniber ransomware is infecting home users and demanding payments of up to $2,500 for the decryption tool. Masquading as a Windows 10/11 update, attackers get users to download a Zip file containing the malware. Magniber has been primarily spread through MSI and EXE files, but since September has been using this Zip file approach to install the malware.
Excerpts:
- The infection chain starts with a web download from an attacker-controlled website. The user is asked to download a ZIP file containing a JavaScript file that purports to be an important anti-virus or Windows 10 software update.
- Notably, the attackers used clever techniques to evade detection, such as running the ransomware in memory, bypassing User Account Control (UAC) in Windows, and bypassing detection techniques that monitor user-mode hooks by using syscalls instead of standard Windows API libraries.
Magniber differs from other high-profile ransomware by being more targeted at home users than enterprise ones. It requires administrative privileges on Windows. Home users usually have administrative privileges on their devices, but that’s far less common in corporate environments. The ransom demand is also relatively small.
Although Magniber is sophisticated, it still requires human interaction to infect a device. Victims must be tricked into visiting a malicious website and downloading a compressed file containing the ransomware. The attack is fairly easily avoided; don’t click on links or attachments in unsolicited emails and messages. Be on the lookout for fake Windows and antivirus updates. You shouldn’t need to visit a website to update either of these.
While enterprises often have tool stacks to detect and prevent malicious activity on the endpoint, home users are far less protected. Since most home users are the administrative account on their systems, effective social engineering provides a quick way to execute in a high-privileged capacity, and can bypass common protections like User Account Control. The use of “fileless” techniques such as those used in Magiber are popular in evading detection solutions. These techniques are not novel, but because home users lack dedicated teams with the tools to investigate, detect, and prevent execution, they have a greater likelihood of success.
While the threat actors may not be able to demand millions in ransom from each victim, they are likely hoping to leverage a large quantity, versus the frequently seen “big game hunting” where attackers go after high-value targets more likely to pay huge sums.
Home users should take security seriously and have their own prevention and recovery plan for themselves and their family.
Some tips and best practices: