Magniber ransomware is targeting Windows home users via fake security updates promoted on malicious websites. The security update contains a malicious file that contains JavaScript, which can trigger a complicated infection with the file-encrypting malware.
Researchers found that ransomware operators in January used Chrome and Edge browser updates to push malicious Windows application package files (.APPX).
According to HP’s Threat Intelligence team, the ransomware strain focuses explicitly on Windows 10 and 11 builds. Researchers also stated that the ransomware operators charge up to $2,500 to release decryptors to home user.
On its infection chain, the ransomware switched from the use of MSI and EXE files to JavaScript files. These files are obfuscated and use a variation of the “DotNetToJScript” technique to execute a .NET file in the system memory. Doing this reduces the risk of detection by antivirus products.
The attackers use the .NET file to decrypt shellcode, which uses its own wrapper to make stealthy syscalls, and inject it into a new process before terminating its own.
To increase the chances of getting paid after the shellcode deletes shadow copy files via WMI and disables backup and recovery features through “bcdedit” and “wbadmin.”
Home users can protect themselves by making regular backups of their files and keeping an offline storage device.
The sources for this piece include an article in BleepingComputer.