Ransomware posing as Windows antivirus update will just empty your wallet

ransomware avast
(Image credit: Avast)

A new strain of ransomware is posing as an update for Windows, forcing individual web users to pay roughly $2,500 in exchange for the safe return of their data.

These are the findings of an investigation by HP Wolf Security, whose experts discovered the Magniber ransomware being distributed in September this year via a website owned by the attackers.

The site entices victims to download a .ZIP archive, which holds a JavaScript file that masquerades as either an important antivirus or Windows 10 software update.

Silent encryption

Once the victim runs the file, Magniber does a couple of things, including running the ransomware in memory, bypassing User Account Control (UAC) in Windows (admin user privileges are needed) and using syscalls instead of standard Windows API libraries. All of these things allow Magniber to execute the encryption without raising alarms.

The malware also deletes shadow copy files and disables Windows’ backup and recovery features, to make sure victims have no other choice but to pay the ransom, or say goodbye to their files.

Usually, ransomware operators target companies, rather than individuals. By going after larger entities, they make sure that encrypting devices causes real damage, and forces organizations to pay the ransom demand. However, this does not make Magniber any less dangerous, or devastating, researchers are saying. 

As usual, users are urged to be careful what they download, and be suspicious of every email, text message, or phone number coming from and unknown sender. Experts are also warning users to keep their computers updated, and install antivirus programs, firewalls, and other security measures. Finally, users should not share their passwords and other authentication mechanisms with anyone, friends, family and co-workers included.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.