
Fake Windows Updates Trick Users Into Installing Ransomware

That Windows update might not be what it seems. Learn how cybercriminals use fake Windows updates to deceive users into downloading malicious code.

According to recent reports, Magniber ransomware is being spread by way of fake Windows updates. While some of these fake updates are designed to trick unsuspecting end users, others are in fact designed to trick IT pros.

A user who installs a fake Windows update could cause significant damage. As such, it is critical for IT pros to use software whitelists, restrictive permissions, and other techniques to prevent users from running unauthorized code. At the same time, however, it is also important to know the warning signs of a fake Windows update so you can avoid installing one in the first place.

Windows Update Screens

As you probably already know, legitimate Windows updates are delivered through Microsoft’s Windows Update service. The Windows Update interface varies from one Windows version to the next, but it should be accessible through Settings. Figure 1 shows what Windows Update looks like in Windows 10, while Figure 2 shows the Windows 11 version.

[Screenshot of the Windows 10 Windows Update screen. Credit: Brien Posey]

Figure 1. This is what Windows Update looks like in Windows 10.

[Screenshot of the Windows 11 Windows Update screen. Credit: Brien Posey]

Figure 2. This is what Windows Update looks like in Windows 11.

Unsurprisingly, attackers will try to trick users into installing fake Windows updates by presenting them with a fake Windows Update screen. The screen says that there is an update to install and provides a link to start the installation. The unsuspecting user then clicks the link and installs ransomware.

Fake Windows Updates via Phishing Emails

Of course, that is far from being the only method that cybercriminals use to trick users into installing ransomware.

A far more common technique involves emailing Windows Update messages to potential victims. These phishing emails usually include a subject line such as “Critical Microsoft Windows Update” or “Install Latest Windows Update Now.”

Some of the emails are obvious fakes: They are chock-full of misspellings and grammatical errors, contain threats, or provide completely illogical instructions. Other times, though, these bait messages can be far more convincing.

Some of the more polished examples include the Microsoft logo, links to real Microsoft resources, and many other legitimate-looking elements. Such a well-crafted message might even display the recipient’s Microsoft account name. Unless recipients know that Microsoft does not email updates like this to its customers, they might be prone to fall for the deception.

Downloading Malicious Code from Websites

Cybercriminals also take advantage of users trying to track down an older version of Windows or an older patch (such as a hot fix that was eventually included in a patch rollup). To show you how this technique works, let me give you a peek behind the curtain.

As a freelance technology author, I sometimes find myself needing to install old Windows versions. For example, if I write an article about Windows migrations, I will need to install different Windows versions to test a method. I normally download an older Windows release from Microsoft’s Visual Studio library. Unfortunately, Microsoft does not keep items in the library forever and eventually purges software once it reaches a certain age.

When this happens, I sometimes have no other choice than to scour the internet for a copy to download. While there are legitimate sites where you can download extremely old Microsoft code, there are also malicious sites posing as legitimate ones. If you are unlucky enough to download a file from one of the malicious sites, you will end up infecting your computer.

Incidentally, cybercriminals sometimes manage to plant malicious code on otherwise legitimate sites. There have been instances in which malicious code has briefly appeared on GitHub, for example.

Just as cybercriminals sometimes try to exploit those who want to track down an older Windows version, they also try to exploit those who want to score a free copy of Windows. In this case, cybercriminals will set up websites that make it appear as though you can download a free copy. Of course, the code that you would download is malicious.


As a best practice, you should never download Windows or Windows updates outside of the official channels. However, if you find yourself with no choice but to use a non-Microsoft source, make sure you perform the download from a hardened virtual machine. The virtual machine should be hardened to the point that an infection within it can’t spread across your network.
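
One way to triage a file that claims to be a Windows update before anyone runs it, ideally from inside that hardened virtual machine. This is an added example, not code from the article or from Microsoft; the function name `Test-UpdateFile`, the sample path, and the "subject names Microsoft Corporation" rule are assumptions of the example.

```powershell
# Added example: inspect a purported Windows update without executing it.
# Test-UpdateFile is a hypothetical helper name chosen for this example.
function Test-UpdateFile {
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName

    # Mark of the Web: browsers and mail clients record the download origin
    # in the Zone.Identifier alternate data stream (NTFS volumes only).
    $motw = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier `
                        -ErrorAction SilentlyContinue

    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # Heuristic (assumption of this example): a genuine package carries a
    # signature that validates AND whose subject names Microsoft Corporation.
    $signedByMicrosoft = ($sig.Status -eq 'Valid') -and
                         ($signer -match 'O=Microsoft Corporation')

    [pscustomobject]@{
        File              = $file.FullName
        SHA256            = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        SignatureStatus   = $sig.Status      # e.g. Valid, NotSigned, HashMismatch
        Signer            = $signer
        SignedByMicrosoft = $signedByMicrosoft
        DownloadOrigin    = ($motw | Where-Object { $_ -match '^(HostUrl|ReferrerUrl)=' }) -join '; '
    }
}

# Constructed usage: the path is a placeholder, not a real update package.
$sample = 'C:\Quarantine\example-update.msu'
if (Test-Path -LiteralPath $sample) {
    Test-UpdateFile -Path $sample | Format-List
}
```

An unsigned file, a signature that does not validate, or a download origin outside Microsoft's domains is reason to discard the file. A passing result narrows the risk but does not replace obtaining updates through Windows Update.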
