Magniber ransomware is being spread through Windows 10 updates found on fraudulent websites. The scheme was uncovered by technology website Bleeping Computer.

Bleeping Computer’s forum recently received reports of fake Windows 10 updates installing ransomware. The reports concern Magniber, a variant that manifested itself on April 8 and is very difficult to combat. The ransomware is primarily being distributed through fake cumulative and security updates. The updates are distributed on crack sites.

The malicious updates are mainly presented under names such as Win10.0_System_Upgrade_Software.msi and Security_Upgrade_Software_Win10.0.msi. Other names include System.Upgrade.Win10.0-KB47287134.msi, System.Upgrade.Win10.0-KB82260712.msi, System.Upgrade.Win10.0-KB18062410.msi and System.Upgrade.Win10.0-KB66846525.msi.

Encryption technique

Upon installation, the ransomware causes shadow volume copies to be removed and files on the affected drive to be encrypted. Following encryption, files appear with seemingly random extensions consisting of eight characters. A readme.txt file is attached to each folder containing instructions on paying the ransom for decryption.

My Decryptor site

Ransom payments are requested on a payment site called My Decryptor. One file can be encrypted for free, as a sort of trial. The page includes contact information for ‘support’, the ransom amount and the bitcoin address to which victims should transfer the money. Students and consumers are of particular interest to the attacker.

Tip: Ransomware is an APT and should be treated as such