Magniber Ransomware is back: it targets Microsoft Edge and Chrome users


What is Ransomware? 
Ransomware is malicious software that encrypts your files or prevents you from using your computer until you pay a sum of money (a ransom) to have them decrypted. Some of the ways in which you can become infected by ransomware are as follows: 
1. Visiting websites that are unsafe, suspicious, or fake.
2. Opening file attachments that you didn’t expect to receive or that came from people you don’t recognize.
3. Opening malicious or bad links in emails, Facebook, Twitter, and other social media posts, or in instant messenger or SMS chats, is a common method of spreading malware.
In this case, the most effective solution is to check for an Edge update through the browser's own settings. If the settings page reports that your browser is already up to date, you can simply ignore the warning and continue with your work.

Magniber ransomware is back

The ransomware works the same way as it did previously, except that it now targets Chrome and Edge browsers. The malware is often distributed through fake webpages pretending to offer a new update for your Chrome or Edge browser. Once the user clicks the “Update Chrome” or “Update Edge” button, the page downloads a browser "extension" in the form of an .appx package.


Once the extension is installed, the program is executed in the background and the inevitable happens. The malicious files start encrypting the files on your Windows system in the background, without letting you have any idea about it.

Once the malicious encryption is finished, the program opens a Notepad document that contains the ransom note. You won’t be able to access the files on your computer after this, and the only way to get them back is by paying the ransom. The ransomware also makes victims download the Tor browser for the payment process.

The malware copies itself into %TEMP% and deploys itself with the help of the Task Scheduler.

In the same folder we can also see the ransom note and yet another file. Its name is the same as the part of the domain that has been generated for the particular user, and its extension is the same as the extension of the encrypted files.
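As an added defender-side check that is not part of the original article, the following PowerShell lists scheduled tasks whose action launches a program from a Temp directory, the persistence pattern described above. The Temp locations it matches and the Windows version it requires are assumptions noted in the comments.

```powershell
# Added detection check, not code from the original article or from Magniber.
# Lists scheduled tasks whose action launches a program from a Temp directory,
# the persistence pattern the article describes (copy to %TEMP%, run via Task
# Scheduler). Requires Windows 8 / Server 2012 or later (Get-ScheduledTask);
# run as administrator so tasks registered by every user are visible.

# Assumption: the task's Execute or Arguments field points at %TEMP%, a user's
# AppData\Local\Temp folder, or <SystemRoot>\Temp. Anything elsewhere is not flagged.
$tempPatterns = @(
    '(?i)\\AppData\\Local\\Temp\\',
    '(?i)^' + [regex]::Escape($env:TEMP),
    '(?i)^' + [regex]::Escape("$env:SystemRoot\Temp")
)

function Test-TempPath([string]$Value) {
    foreach ($p in $tempPatterns) { if ($Value -match $p) { return $true } }
    return $false
}

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # COM-handler actions have no Execute field; only program launches matter here.
        if (-not $action.Execute) { continue }

        # Expand %TEMP%-style variables and strip quotes so the comparison sees the real path.
        $exe    = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
        $argStr = if ($action.Arguments) { [Environment]::ExpandEnvironmentVariables($action.Arguments) } else { '' }
        if (-not (Test-TempPath $exe) -and -not (Test-TempPath $argStr)) { continue }

        $info = $task | Get-ScheduledTaskInfo
        [pscustomobject]@{
            Task       = $task.TaskPath + $task.TaskName
            State      = $task.State
            Author     = $task.Author
            Execute    = $exe
            Arguments  = $argStr
            LastRun    = $info.LastRunTime
            NextRun    = $info.NextRunTime
            FileExists = Test-Path -LiteralPath $exe   # the payload may already have been deleted
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No scheduled task launches a program from a Temp directory.' }
```

Legitimate installers occasionally register short-lived tasks from Temp, so treat a hit as a lead to triage (author, trigger, whether the file still exists) rather than as proof of infection.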

Each encrypted file is given an extension composed of lowercase Latin letters; the extension is constant for a particular Magniber sample.



The same plaintext produces the same ciphertext. This means each and every file is encrypted using exactly the same key.

The fake Edge update attack flows like this.

A user visits an ad-heavy website and encounters a malicious ad. 

How victims get to the website remains unclear. The lure could be delivered via phishing emails, links sent through IMs on social media, or other distribution methods.

Two of the URLs distributing the payload are “hxxp://b5305c364336bqd.bytesoh.cam”, and “hxxp://hadhill.quest/376s53290a9n2j”, but these may not be the only ones.

Visitors to these sites receive an alert to update their Edge/Chrome browser manually, and are offered an APPX file to complete the action.

The malicious advert redirects them to a “gate”, known as Magnigate. Magnigate runs IP address and browser checks to determine if the user will be attacked. If the user fits the attackers’ criteria, Magnigate redirects them to the Magnitude exploit kit landing page.

Based on information from Magnigate, the exploit kit chooses an attack from its collection. In this case, the exploit kit determines the best attack is a fake Microsoft Edge update. The “update” is actually a malicious Windows Application package (.appx) file. The .appx file downloads Magniber ransomware from the Internet.





Magniber encrypts the user’s files and demands a ransom.

How to avoid this ransomware

There are some common things to note in order to stay safe from such ransomware in the future.

- Never download any “update packages” for your Chrome or Edge browser from other websites. Chrome and Edge download their updates from their own servers automatically, so there is no need for manual updating. Hackers often lure you into downloading an update with fake pages.

- Always keep a backup of your data in cloud storage or on a physical external drive. If your PC is infected, you can always reset it and restore your data from the backup.

