We have seen a number of Windows update scams over the years, but according to McAfee, they are on the rise. The latest attack type is smarter and more effective than ever.
If you manage Windows machines, this is definitely something to watch out for!
A report published by McAfee throws new light on an old problem. A new type of scam targeted Windows users.
The problem is called Magniber and its ransomware disguised as a legitimate Windows update.
Magniber ransomware
The Magniber ransomware has been very cleverly designed. It hides its true purpose until the very last minute and only reveals itself once all your files are locked down and it makes its demands.
The good news is that it hasn’t integrated into Window’s built-in update mechanism and still depends on user action.
The bad news is that every aspect of the Magniber ransomware has been designed to quietly infiltrate user devices until it’s too late.
Machines are compromised when a user visits an infected website.
These websites include fake Windows 10 update links. Once the link is clicked, the malware will download a JavaScript file to the device and open in memory.
As not all antivirus or malware scanners monitor memory, it can be missed until it’s too late.
Once active, the malware encrypts all files on accessible drives and sets itself up as an administrator.
Once its work is complete, it will open a ransom window and demand payment in return for restoring access.
If you refuse to pay, data is deleted for good. If you do pay, presumably your files are restored.
As the malware sets itself up as an administrator, there’s nothing stopping a hacker gaining access to the device directly to plant more malware or copy data.
That’s much more involved than running the ransomware but there have been instances where hackers piggybacked malware to see what they can find.
Mitigating against Magniber ransomware
As we mentioned, the main weakness of Magniber ransomware is that it requires users to visit an infected website and click a download link.
This is where IT policies, staff training and awareness and internet security controls come in.
Teaching staff to not visit such websites and to never click links can be very effective.
As can showing staff how Windows update really works or that IT will take care of system updates so staff don’t have to.
This is your first line of defence.
A network security solution that can detect websites with infected links can also be useful.
This is your second line of defence.
Using a security solution that can scan device memory for malware is also valuable.
This is your third line of defence.
While prevention is always better than cure, its situations like this where backups prove their worth.
Backups are your final line of defence.
The power of backups against ransomware
Most ransomware will encrypt files and promise to unlock them in return for a crypto fee.
What we don’t know is the proportion of ransomware that actually unlocks those files once paid.
If we were betting people, we would bet on that being a relatively low number. Which means it’s likely to be futile to pay the hacker what they are asking for.
If you applied the rules of rational economics, the vast majority of ransomware payments would result in data being unlocked.
After all, if word got around that data was lost even after paying up, that revenue stream would soon dry up.
But, neither economics, nor malware is rational, so all bets are off.
This makes the case for regular backups.
Regular backups means if you don’t pay the ransom, you can wipe the infected system and rebuild it from backup.
At the most, you lose a few hours or a day of productivity.
As most backup solutions cost less than the average ransom and can cover any number of devices, it’s money well spent.
Staff education and training is a great preventative measure but nothing beats a strong secondary defence in IT policies and security solutions.
If you need help with any of that, Cloud Heroes are here to help.