Tens of thousands of ransomware infections hit devices across the European Union (EU) recently as the Magniber ransomware group returned from what BlackBerry security researchers say was a brief attack hiatus.
Although Magniber uses a variety of threat vectors to reach its victims, it seems to have a favorite tactic: malvertising.
Details on New Magniber Ransomware Attacks
Security researchers revealed the wave of attacks on Twitter and shared the ransomware note popping up on the screens of victims in France, Italy and Denmark.
Image — Ransomware note from fresh wave of Magniber attacks. (Source: Avast)
The note instructs victims to search for the READM.html file on their device. When they do, they find directions on how to contact the group responsible for the ransom demand — and how to pay it — in return for a decryption key to unlock their files.
Researchers say the malvertising campaign leads users to download a ZIP file with a fake Microsoft Software Installer (MSI) that masquerades as an important security update.
This is quite similar to the malvertising attack technique documented by the BlackBerry Research and Intelligence Team in the 2021 report, PrintNightmare on Elm Street with Magniber Ransomware:
“Magniber’s PrintNightmare infection process begins when the victim clicks on a malicious advertisement, allowing a DLL loader to be dropped onto the target machine. The loader unpacks itself and drops a malicious payload that injects into legitimate Windows processes such as taskhost.exe (a host process for EXE and DLL files) and dwm.exe (which enables visual effects on the desktop).”
In the 2021 attack, Magniber targeted South Korea and other Asia-Pacific countries through vulnerabilities in the Windows® print spooler. BlackBerry’s YARA rule and the related indicators of compromise (IoCs) are available here.
Cylance AI vs. Magniber Ransomware Attacks
When BlackBerry’s Most Distinguished Threat Researcher Dmitry Bestuzhev became aware of the latest EU ransomware attacks, he was eager to test the newest malware samples against Cylance® AI-based defenses. “When you read about an outbreak, you immediately wonder if your technologies are stopping it. That’s especially critical for ransomware. While checking the latest Magniber samples found in the wild, we saw that our machine learning (ML) models from the past effectively stop them.
“When working on a threat model and ransomware, never focus exclusively on the final payload. The idea is to detect threat actors in their early stages, like during initial access and network reconnaissance.”
The video below, from 2021, documents the results during previous Magniber attack campaigns.
BlackBerry customers can take advantage of the AI-driven endpoint protection product CylancePROTECT®, as well as the managed detection and response (MDR) platform CylanceGUARD®, which together mitigate the risks posed by threat actors such as those behind Magniber ransomware.
Conclusion on Malvertising Attacks
Bestuzhev adds that multiple threat actors have recently used malvertising techniques to deploy information stealers. With that in mind, he recommends adding contextual ad blockers as a simple technique to help reduce the risk of malvertising infections.