This unusual ransomware attack targets home PCs, so beware

    aum

    • 1 comment
    • 529 views
    • 4 minutes

    A ransomware campaign is using sneaky techniques to infect individual users with ransomware - and demands thousands for the decryption key.

     

    A ransomware attack delivered by fake Windows 10 and antivirus software updates is targeting home users, using sneaky techniques to stay undetected before encrypting files and demanding a ransom payment of thousands of dollars.

     

    The Magniber campaign, detailed by HP Wolf Security, is unusual for 2022 in the way it focuses on generating relatively small ransom payments from individual users, compared to what could be extorted by going after businesses and demanding large ransoms.

     

    In many ways, it's a throwback to early ransomware campaigns that encrypted files on individual computers. However, Magniber is using innovative techniques that make it much more difficult to detect – especially for home users.

     

    The attack chain begins when the user visits an attacker-controlled website designed to look like a legitimate website or service; victims are tricked into visiting it in one of several ways.

     

    "There are multiple ways the user can be directed to such a site. Either they register typo-squatted domains for common websites or infect websites with malware that redirects the user to the final download site," Patrick Schläpfer, malware analyst at HP Wolf Security, told ZDNET.

     

    "I also have a suspicion that the reason for the redirection could be a malicious browser extension, which is installed on the victim's device," he added.

     

    The website tells the user that their computer needs an important software update – claiming that their antivirus or Windows system requires it – and tricks them into downloading a JavaScript file that contains the ransomware payload.

     

    Magniber being distributed via JavaScript files appears to be a new technique that has only emerged recently – previously it has been hidden inside MSI and EXE files.

     

    By using a JavaScript file, the attack can use a technique called DotNetToJscript, which lets the script load a .NET executable directly in memory, so the ransomware never needs to be saved to disk. Running in memory lets the attack evade detection and prevention tools – such as antivirus software – that monitor files written to disk rather than memory.

     

    It's this executable that runs the ransomware's code, which deletes shadow copies of files and disables Windows backup and recovery features before encrypting the victim's files. The ransomware also gains administrator privileges using a User Account Control (UAC) bypass, so it can run these commands without prompting the user.
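    The behaviours in the two paragraphs above – a downloaded .js handed to a script host, shadow copies deleted, recovery disabled – are exactly what a defender looks for in process-creation telemetry. The following is an added example, not code from the article or from HP Wolf Security: a small Python triage routine run over constructed process-creation events (invented PIDs and paths, laid out like Sysmon Event ID 1 fields). The command lines it matches are the generic Windows utilities commonly used for these actions; the article does not list Magniber's exact commands, so those patterns are assumptions, as is the severity scheme.

```python
"""Triage process-creation events for the Magniber-style behaviours described
in the article: a script host running a downloaded .js, shadow-copy deletion,
and recovery features being disabled. Sample events are constructed."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class ProcEvent:
    pid: int
    parent_image: str
    image: str
    command_line: str


# Windows Script Host binaries that execute .js files (assumption: these two cover
# the delivery path the article describes).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Command-line patterns for recovery tampering. Assumed, not taken from the
# article; they are the stock Windows tools ransomware families typically invoke.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    ("recovery_disabled",
     re.compile(r"(bcdedit(\.exe)?\s.*recoveryenabled\s+no|wbadmin(\.exe)?\s+delete\s+catalog)", re.I)),
]

# Constructed sample telemetry (not real logs): PIDs, user name and paths are invented.
SAMPLE_EVENTS = [
    ProcEvent(4100, r"C:\Program Files\Mozilla Firefox\firefox.exe", r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Windows10_Update.js"'),
    ProcEvent(4188, r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\vssadmin.exe",
              r"vssadmin.exe delete shadows /all /quiet"),
    ProcEvent(4192, r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\bcdedit.exe",
              r"bcdedit /set {default} recoveryenabled no"),
    ProcEvent(5000, r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              r"notepad.exe C:\Users\alice\notes.txt"),
    ProcEvent(5010, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\vssadmin.exe",
              r"vssadmin delete shadows /all /quiet"),
    ProcEvent(5020, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\vssadmin.exe",
              r"vssadmin list shadows"),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def triage(events):
    """Return one finding per matched rule: {'pid', 'rule', 'severity'}."""
    findings = []
    for ev in events:
        img, parent, cmd = basename(ev.image), basename(ev.parent_image), ev.command_line
        # Rule 1: a script host launched with a .js from the Downloads folder,
        # i.e. the fake-update delivery step. Medium on its own: users do run scripts.
        if img in SCRIPT_HOSTS and re.search(r'\\Downloads\\[^"]*\.js\b', cmd, re.I):
            findings.append({"pid": ev.pid, "rule": "script_host_downloaded_js", "severity": "medium"})
        # Rules 2-3: recovery tampering. Escalate when the parent is a script host,
        # because a backup-cleanup command spawned by wscript.exe is far more
        # suspicious than the same command typed by an administrator in cmd.exe.
        for name, pattern in RULES:
            if pattern.search(cmd):
                severity = "high" if parent in SCRIPT_HOSTS else "medium"
                findings.append({"pid": ev.pid, "rule": name, "severity": severity})
    return findings


def severity_counts(findings):
    """Count findings per severity level, e.g. {'high': 2, 'medium': 2}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for f in results:
        print(f"pid={f['pid']:<5} {f['severity']:<6} {f['rule']}")
    print(severity_counts(results))
```

    Note that `vssadmin list shadows` produces no finding: the rules key on the destructive verb, not on the tool name, which keeps routine administration out of the alert queue.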

     

    By the time the user realises something is wrong, it's too late: their files have been encrypted and they are presented with a ransom note explaining what has happened and providing a link to follow to negotiate for a decryption key. Victims are also told that if they attempt to restore their computer without paying, their files will be permanently wiped.

     

    Researchers say the ransom demand can be up to $2,500. While that might not sound like a lot compared with the hundreds of thousands – or more – cyber criminals can make from infecting a large enterprise with ransomware, targeting home users via drive-by downloads is much less effort than spending weeks or months infecting a corporate network.

     

    However, there are steps that individual users can take to help avoid falling victim to ransomware attacks.  

     

    "Users can also reduce risk by making sure updates are only installed from trusted sources, checking URLs to ensure official vendor websites are used, and backing up data regularly to minimize the impact of a potential data breach," said Schläpfer.

     

    The most useful way to back up data is to store it offline, so that if a cyber criminal does encrypt your device, they can't reach the backups too – allowing you to restore the device without paying a criminal.
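    The advice quoted above – install updates only from trusted sources and check the URL – together with the typo-squatted domains Schläpfer mentions earlier can be turned into a mechanical check. Below is an added example in Python, not code from the article or from HP Wolf Security: it classifies a candidate download URL against a small vendor allowlist, flags look-alike domains by edit distance, flags a trusted name embedded in an unrelated domain, and refuses any "update" that arrives as a script file. The allowlist (including the placeholder antivirus host), the edit-distance threshold and the sample URLs are all constructed assumptions.

```python
"""Classify a software-update download URL as allow / review / block.
Added example; the allowlist and sample URLs are constructed, not from the article."""
from urllib.parse import urlparse

# Constructed allowlist for this example. "update.example-av.com" is a placeholder
# for whatever antivirus vendor a given user actually runs.
TRUSTED_HOSTS = {
    "www.microsoft.com",
    "support.microsoft.com",
    "update.example-av.com",
}
# Windows Script Host / HTML Application extensions: a genuine vendor update is
# never delivered as one of these, which is the lure the article describes.
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".hta")
TYPO_DISTANCE = 2  # assumption: within 2 edits of a trusted name counts as a look-alike

# Constructed sample URLs for the demo (no real campaign infrastructure).
SAMPLE_URLS = [
    "https://www.microsoft.com/en-us/software-download/windows10",
    "https://www.rnicrosoft.com/download",
    "https://update.example-av.com/setup.js",
    "http://support.microsoft.com/kb",
    "https://microsoft.com.security-check.net/update",
    "https://downloads.some-mirror.org/tool.exe",
]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplifying assumption: wrong for
    ccSLDs such as example.co.uk; use the Public Suffix List beyond a demo."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_download_url(url: str) -> dict:
    """Return {'url', 'host', 'verdict', 'reason'} for a candidate update URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()

    def verdict(v: str, reason: str) -> dict:
        return {"url": url, "host": host, "verdict": v, "reason": reason}

    if parsed.scheme != "https":
        return verdict("block", "update offered over a non-HTTPS URL")
    if parsed.path.lower().endswith(SCRIPT_EXTENSIONS):
        return verdict("block", "software update delivered as a script file")
    if host in TRUSTED_HOSTS:
        return verdict("allow", "exact match on trusted vendor host")

    dom = registrable_domain(host)
    trusted_domains = {registrable_domain(h) for h in TRUSTED_HOSTS}
    if dom in trusted_domains:
        # Right domain, unknown host: not on the list, but not a look-alike either.
        return verdict("review", f"unknown host under trusted domain {dom}")
    for td in sorted(trusted_domains):
        # Look-alike check: rnicrosoft.com is two edits from microsoft.com.
        if 0 < levenshtein(dom, td) <= TYPO_DISTANCE:
            return verdict("block", f"{dom} is a look-alike of {td}")
        # Embedded-name check: microsoft.com.security-check.net is really security-check.net.
        if td in host:
            return verdict("block", f"trusted name {td} embedded in unrelated domain {dom}")
    return verdict("review", "host not on the vendor allowlist")


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = classify_download_url(u)
        print(f"{r['verdict']:<6} {r['host']:<36} {r['reason']}")
```

    The script-extension test runs before the allowlist lookup on purpose: even a trusted host offering a `.js` as a "Windows update" is wrong, and blocking it removes the exact lure described in the article regardless of where it is hosted. The edit-distance threshold is crude and will over-match on very short domain names; it is there to show the idea, not to replace a maintained brand-protection list.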

     

    Source


    User Feedback

    Recommended Comments

    The people that create these scripts need a few things happening to them..

    They believe they can't be traced and found..

    THEY ARE WRONG.

    when caught a few things should happen to them.. the loss of their fingers to begin with.. no fingers no typing..

    followed by a few broken bones to put them in a wheel chair for life.. not that will matter with the final thing that should happen to them..

    When their victim takes a sharp knife and does the world a favour.. and slits their throats.. These criminals cant spend what they've demanded if their dead.

    Police won't do a damn thing to catch these people.. frankly they don't have the brain capacity.. cause to them it's not about the crime it's about the paper work.. and there would be TOO MUCH PAPERWORK when they could be out there catching the real criminals.. you know rapists, murderers, etc.. which will get the officer NOTICED and PROMOTED..

     

    There is really an easy way NOT to get infected TURN OFF JAVA.. if you can't run it.. the .js can't run at all..
