Attackers use fake Windows 10 updates to spread the Magniber ransomware. Posts on VirusTotal showed that the attack began on April 8 and had since recorded a massive spread.

Magniber ransomware primarily targets students and consumers and not on corporate victims. The ransomware operators demand ransom, which is set at about $2,500 or 0.068 Bitcoins.

These malicious updates are distributed under various names, including Win10.0_System_ Upgrade_Software.msi and Security_Upgrade_Software_Win10.0.msi. The downloads for the fake Windows 10 updates are distributed from fake warez and crack sites.

Once the malicious updates are installed, the ransomware will delete shadow volume copies and then encrypt files.

When encrypting files, the ransomware also creates ransom note names README.html in each folder. The ransom note contains instructions on how to access the Magniber Tor payment site to pay a ransom.