- Mar 13, 2022
- 599
Fake Windows 10 updates infect you with Magniber ransomware
Fake Windows 10 updates on crack sites are being used to distribute the Magniber ransomware in a massive campaign that started earlier this month.
Fake Windows 10 updates infect you with Magniber ransomware
- Thread starter MuzzMelbourne
- Start date
Chigwells
Level 4
- Jan 16, 2012
- 180
Nasty suff! Not sure where they or how they get onboard? Windows upates from a non-MS source I guess?
"Unfortunately, this campaign primarily targets students and consumers rather than enterprise victims, causing the ransom demand to be too expensive for many victims."
"Unfortunately, this campaign primarily targets students and consumers rather than enterprise victims, causing the ransom demand to be too expensive for many victims."
- Apr 13, 2013
- 3,140
Especially nasty as it is signed with a still valid certificate and is ignored (at the time of this post, anyway) by WD.
- Apr 17, 2021
- 448
I found this signed Magniber ransomware and its variants on VT several days ago. I tested one of them on VM and unfortunately Kaspersky failed to detect them and stop encryption process (only PDM:Exploit.Win32.Generic detection). I then submitted them to the Lab and they seemed to have added heuristic detection for this ransomware. Now Kaspersky is able to detect every variant of Magniber ransomware. 
- Jul 27, 2015
- 5,459
Normal home users in any age with any social status that download even AVs from pirate sites is absolutely nothing new and sadly still today common. Non legit games and software with very well written and easy to understand installation instructions been around for a long long time, along with the best incentive of them all : Greed.
In this case people think and believe the source is safe. Easy and fast to download as with most the other " Free " content.
- Apr 13, 2013
- 3,140
When this guy was initially dropped 3 days ago nothing blocked it, which is not surprising as the certificate was (and still is) valid:
Foresee Consulting Inc.
DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
DigiCert Trusted Root G4
In addition to the typical AV being oblivious, note that if Windows Defender was all that was on board one would need the excellent ConfigureDefender application by Pan Andrzeju set at Aggressive (which I guess shows the utility of Controlled Folder Access). Those relying on Sandbox applications are safe as the malware shuts down and deletes itself in the presence of Sandboxie and will be shunted off to its death initially by the file rating modules of CF.
Last edited:
- Apr 17, 2021
- 448
When I found this sample on VT several days ago, there are actually some AVs detecting it, including ESET, and Avast. Avast detected it as DangerousSig [Trj] which shows Avast has blacklisted this certificate. ESET detected it as GenCBL (Generic Certificate Blacklist), which shows ESET also has blacklisted this certificate...
- Feb 25, 2017
- 2,490
Wonder if our beloved WiseVector would have caught it. Did any AI-based AV engine detect it? @Anthony Qian
- Apr 17, 2021
- 448
Yes
, according to Shake2333's test (on another Chinese forum).He tested F-Secure and WV. He said F-Secure's AMSI blocked but files were encrypted. WV's scanner detected it and can also block process and restore all encrypted files after execution.
Last edited by a moderator:
Similar threads
