Ransomware: Fake Windows 10 Updates Might Get You In Trouble

Magniber, a ransomware family that has been active since 2017, is currently being distributed on a large scale via purported Windows Update installers. Victims download the malicious code under the assumption that they are getting a cumulative Windows update. This is reported by the online magazine Bleeping Computer. The Magniber ransomware has been very active for weeks and recently caused a stir because it was circulated as a fake software package.

Now the lure is no longer third-party applications but Windows updates themselves. Victims reported being infected with Magniber ransomware after installing a supposed cumulative or security update for Windows 10.

The investigation subsequently revealed that those affected had obtained their updates from dubious sources, so these are not official update packages from Microsoft. Bleeping Computer found the fake updates offered for download on warez and crack sites.

The manipulated updates are distributed under different names, the most common being Win10.0_System_Upgrade_Software.msi and Security_Upgrade_Software_Win10.0.msi. Other downloads pretend to be Windows 10 cumulative updates and carry fake Knowledge Base (KB) article numbers in their names to appear legitimate:

  • System.Upgrade.Win10.0-KB47287134.msi
  • System.Upgrade.Win10.0-KB82260712.msi
  • System.Upgrade.Win10.0-KB18062410.msi
  • System.Upgrade.Win10.0-KB66846525.msi

How it works

The campaign appears to primarily target consumers rather than businesses. Once installed, the ransomware deletes shadow copies and then encrypts the files. As it encrypts files, it appends a random 8-character extension. It also creates a ransom note named README.html in each folder, containing instructions on how to access the Magniber Tor payment page to pay the ransom.
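
The traces described above (the installer names, a README.html note in each folder, and files with an appended 8-character extension) can be checked against a file listing. This is an added example, not code from the article or from Bleeping Computer; the function names, the sample paths, and the assumptions that the extension consists of eight ASCII letters or digits and is shared by the files in a folder are made for the illustration.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Installer names listed in the article; the KB digits vary per download.
FAKE_UPDATE_RE = re.compile(
    r"^(Win10\.0_System_Upgrade_Software"
    r"|Security_Upgrade_Software_Win10\.0"
    r"|System\.Upgrade\.Win10\.0-KB\d+)\.msi$",
    re.IGNORECASE,
)
# Assumption: the appended extension is 8 ASCII letters or digits.
APPENDED_EXT_RE = re.compile(r"^\.[A-Za-z0-9]{8}$")


def is_fake_update_name(path):
    return bool(FAKE_UPDATE_RE.match(PureWindowsPath(path).name))


def encryption_footprint(paths, min_files=3):
    """Map folder -> extension for folders holding a README.html plus at
    least min_files files that share one appended 8-character extension."""
    notes, ext_counts = set(), defaultdict(Counter)
    for p in map(PureWindowsPath, paths):
        folder = str(p.parent)
        if p.name.lower() == "readme.html":
            notes.add(folder)
        elif len(p.suffixes) >= 2 and APPENDED_EXT_RE.match(p.suffix):
            # "Appended" means an original extension precedes it (cv.docx.xxxxxxxx).
            ext_counts[folder][p.suffix.lower()] += 1
    hits = {}
    for folder in notes:
        top = ext_counts[folder].most_common(1)
        if top and top[0][1] >= min_files:
            hits[folder] = top[0][0]
    return hits


SAMPLE = [  # constructed listing, not taken from a real incident
    r"C:\Users\kim\Downloads\System.Upgrade.Win10.0-KB47287134.msi",
    r"C:\Users\kim\Documents\README.html",
    r"C:\Users\kim\Documents\taxes.xlsx.qzjxkwpb",
    r"C:\Users\kim\Documents\cv.docx.qzjxkwpb",
    r"C:\Users\kim\Documents\photo.jpg.qzjxkwpb",
    r"C:\Users\kim\Projects\README.html",
]

if __name__ == "__main__":
    print([p for p in SAMPLE if is_fake_update_name(p)], encryption_footprint(SAMPLE))
```

An 8-character suffix on its own also matches benign names such as setup.exe.download, which is why the check requires both the ransom note and several files sharing the same extension.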