Fake Windows update takes computer hostage

Cybercriminals behind the “Magniber” ransomware are now targeting private users and students directly: They disguise their malware as a Windows 10 update. Victims have to pay or lose all data.

So-called ransomware – i.e. malware that encrypts all important data on a computer and only releases it again for a ransom – has been a problem for companies in particular in recent years. For them, a complete system failure usually means large losses, so many companies are apparently willing to pay the criminals large sums of money.

However, private users and students in particular are currently at risk from ransomware, as the IT security site “Bleeping Computer” reports: Criminals have now disguised their “Magniber” malware as a Windows 10 update. The ransomware campaign is said to have started in April and has now reached massive proportions.

Readers who were also victims of the “Magniber” attack report that they had previously run a file posing as an update for Windows 10. The file name is not always the same, but most often it is “Win10.0_System_Upgrade_Software.msi” or “Security_Upgrade_Software_Win10.0.msi”, as “Bleeping Computer” writes.

It is still unclear how the fake updates are distributed

It is currently not entirely clear how the fake updates are primarily distributed. However, the malware always proceeds in the same way as soon as it has been installed: First, it deletes all hidden copies and backups of the data that Windows creates, for example when an automatic system restore point is set.

The software then encrypts all files and gives them a random eight-character extension. Files encrypted in this way are virtually lost without a suitable key, since they cannot be cracked with conventional means and at a reasonable cost.

For this reason, a readme file is also stored in each encrypted folder, where the victims can find information on how to get their data back – namely by paying a ransom. To do this, the Tor browser must be installed and a link generated directly for the victim must be opened with it.

The victims find out the price on the specified page: According to “Bleeping Computer”, it is currently 0.068 bitcoins, the equivalent of around 2,500 euros. The usual psychological pressure tactics are used as well: A timer indicates that this is only a “special price” that is available for just a few days. There are also threats that important data will be sent to contacts and published on the Internet.

It is unlikely that these threats will actually be implemented. However, the data of the victims are likely to remain lost for the time being. Whether the decryption really works when paying is not certain. Experts advise backing up the encrypted files and putting them away in case a decryption tool appears later.
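The behaviour described above (a random eight-character extension on encrypted files and a readme file in each encrypted folder) can be used to inventory affected folders before backing them up. The following is an added example, not code from the article or from “Bleeping Computer”; the extension pattern, the assumption that the note's file name contains "readme", the short allow-list of legitimate extensions and the sample file names are all assumptions or constructed data.

```python
import os
import re
import tempfile

# Assumption: "eight-character extension" means eight ASCII letters/digits
# after the last dot; the page gives no further detail.
EXT_RE = re.compile(r"\.([A-Za-z0-9]{8})$")
# Assumption: the ransom note's name contains "readme" (the page does not name it).
NOTE_RE = re.compile(r"readme", re.IGNORECASE)
# A few legitimate eight-character extensions to ignore (not exhaustive).
KNOWN_EXT = {"manifest", "markdown", "download", "settings"}

def find_affected_dirs(root, min_files=3):
    """Map each suspicious folder to its files with an unknown 8-char extension.

    A folder is reported only if it holds a readme-style note AND at least
    min_files such files, which keeps ordinary project folders out."""
    hits = {}
    for dirpath, _subdirs, files in os.walk(root):
        if not any(NOTE_RE.search(name) for name in files):
            continue
        odd = []
        for name in files:
            m = EXT_RE.search(name)
            if m and m.group(1).lower() not in KNOWN_EXT:
                odd.append(name)
        if len(odd) >= min_files:
            hits[dirpath] = sorted(odd)
    return hits

def build_sample_tree(root):
    """Constructed sample data: one folder that looks encrypted, one clean."""
    layout = {
        "Documents": ["thesis.docx.qk3v9zpa", "photo.jpg.qk3v9zpa",
                      "notes.txt.qk3v9zpa", "README.html"],
        "Projects": ["README.md", "app.manifest", "main.py"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            open(os.path.join(root, folder, name), "w").close()
    return os.path.join(root, "Documents"), os.path.join(root, "Projects")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for folder, names in find_affected_dirs(tmp).items():
            print(folder, names)
```

The script only reads directory listings, so it can be run against a copy or a mounted image of the affected disk.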

In general, Windows users should only obtain updates from the Microsoft website if possible, and should open that site themselves in the browser rather than clicking on any links. Of course, it is even better to activate automatic updates and ensure that Windows is connected to the Internet sufficiently often and long enough (preferably several hours per week) to download and install updates independently.
