New variants, fake security updates and crowdsourcing innovations to ransomware-as-a-service took centre stage in the ransomware news last week.

Fake security updates used to spread Magniber ransomware

The Magniber ransomware is targeting Windows home users, hiding in fake security updates.

Fake antivirus and security updates for Windows 10 are offered via web pages that the attackers have set up. When the unsuspecting home user downloads what they think are updates in a ZIP file, they are really downloading a malicious JavaScript file that carries file-encrypting malware.

The threat actors demand payment of up to $2,500 for the home users to decrypt and recover their files.

Magniber has been around since at least early 2022. It has used Chrome and Edge browser updates in the past. The new threat masquerading as Windows updates was identified by HP Wolf Security in September and there is a post with more details on their site.

In its previous incarnations, Magniber was using MSI and EXE files. More recently, it appears to have shifted to JavaScript as its delivery mechanism.

Home users are the target, but with remote work still so prevalent, the possibility that home offices will be used as an attack surface is a good reason for companies to reinforce how home users can protect themselves.

First, of course, is to never download software updates from anything other than truly trusted sources. Second, home users need to make regular backups and keep them on an offline storage device. Users also need to be warned to check both their computer and their backups for infection before restoring their data.

Prestige ransomware surfaces in Ukraine and Poland

Microsoft has revealed that new ransomware named Prestige is being used to target transportation and logistics organizations in Ukraine and Poland. The new variant was first used in October 2022 in attacks that were detected within hours of each other.

The Microsoft Security Threat Intelligence Centre (MSTIC) stated that Prestige “have not been observed by Microsoft prior to this deployment.”

Russian state-aligned activity is the obvious suspect, given the current targets. MSTIC reports that the targets overlap with previous victims of the FoxBlade malware (aka HermeticWiper). HermeticWiper was first seen deployed against Ukrainian organizations at the time of the invasion of Ukraine.

MSTIC has not yet positively identified the threat actor at the source of the attacks. They note in the announcement that “this activity was not connected to any of the 94 currently active ransomware activity groups that Microsoft tracks. The Prestige ransomware had not been observed by Microsoft prior to this deployment.”

Redmond is working on notifying all customers who have been compromised and had their systems encrypted with this ransomware.

LockBit ransomware is “most active extortion group”

The LockBit ransomware gang’s ransomware-as-a-service operation has achieved the dubious status of most prolific group over the last month. According to an article in the web journal The Record, it was “the most active online extortion group.”

The group took the top spot from the Conti gang after Conti took down most of its infrastructure in May. Cybersecurity experts think that Conti broke up into smaller groups to help avoid detection.

According to data from research group Recorded Future, LockBit was identified in more than 80 attacks in August, which would take its total victim count to over 1,100. These ranged from attacks on medical infrastructure to industrial systems.

Recorded Future also reported that the group had launched a new version called LockBit 3.0 in June which included “technical improvements and a bug bounty program that offered rewards for ways to improve their ransomware operation.”

Bug bounty programs are leveraged by almost every major software company as a proven way to detect flaws in their products. LockBit has taken this a step further, apparently looking for ways to crowdsource improvements to their “product.”

Mike Parkin, senior technical engineer at Vulcan Cyber, is quoted in The Record as stating “they (LockBit) have taken a page straight from a mature organization’s development playbook. If it works for a major player like Microsoft, Google, or Apple, why wouldn’t it work for a criminal gang if they have both the maturity and the resources to do it?”

The post This Week in Ransomware – Friday, October 14, 2022 first appeared on IT World Canada.
