This unusual ransomware attack targets home PCs, so beware

A ransomware campaign is using sneaky techniques to infect individual users with ransomware - and demands thousands for the decryption key.

A ransomware attack delivered by fake Windows 10 and antivirus software updates is targeting home users, using sneaky techniques to stay undetected before encrypting files and demanding a ransom payment of thousands of dollars.

The Magniber campaign, detailed by HP Wolf Security, is unusual for 2022 in the way it focuses on generating relatively small ransom payments from individual users, compared to what could be extorted by going after businesses and demanding large ransoms.

In many ways, it's a throwback to early ransomware campaigns that encrypted files on individual computers. However, Magniber is using innovative techniques that make it much more difficult to detect – especially for home users.

The attack chain begins when the user visits a website controlled by the attackers, designed to look like legitimate websites and services that victims are tricked into visiting in one of a number of ways.

"There are multiple ways the user can be directed to such a site. Either they register typo-squatted domains for common websites or infect websites with a malware that redirects the user to the final download site," Patrick Schläpfer, malware analyst at HP Wolf Security, told ZDNET.

"I also have a suspicion that the reason for the redirection could be a malicious browser extension, which is installed on the victim's device," he added.

The website suggests that the user needs to update their computer with an important software update – claiming that they're antivirus or Windows system needs it – and tricks users into downloading a JavaScript file that contains the ransomware payload.

Magniber being distributed via JavaScript files appears to be a new technique that has only emerged recently – previously it has been hidden inside MSI and EXE files.

By using a JavaScript file, the attack can use a technique called DotNetToJscript, allowing it to load a .NET executable in memory, meaning the ransomware does not need to be saved to disk. By doing this in memory, the attack bypasses detection and prevention tools – like antivirus software – that monitors files written to disk rather than memory.

It's this executable that runs the ransomware's code, which deletes shadow copies of files and disables Windows backup and recovery features before encrypting the victim's files. The ransomware also gains administrator privileges using an Account Control (UAC) bypass to run commands without alerting the user.  

By the time the user knows something is wrong, it's too late because their files have been encrypted and they've been presented with a ransom note telling them what's happened and providing them with a link to follow to negotiate a deal for a decryption key – and victims are told that if they attempt to restore their computer without paying a ransom, their files will be permanently wiped.

Researchers say the ransom demand can be up to $2,500. While that might not sound like a lot compared with the hundreds of thousands – or more – cyber criminals can make from infecting a large enterprise with ransomware, targeting home users via drive-by downloads is much less effort than spending weeks or months infecting a corporate network.

However, there are steps that individual users can take to help avoid falling victim to ransomware attacks.  

"Users can also reduce risk by making sure updates are only installed from trusted sources, checking URLs to ensure official vendor websites are used, and backing up data regularly to minimize the impact of a potential data breach," said Schläpfer.

The most useful way to back up data would be to store it offline, so if a cyber criminal does encrypt your device, they can't reach the back ups too – allowing you to restore the device without paying a criminal.

Source