Google Chrome and Microsoft Edge users have been cautioned to watch out for fake updates that are in fact ransomware.
The fake updates, pushed out by scammers using Magnitude exploit kits, mark a shift away from older kits that would typically take advantage of now sparsely-used or deprecated programs like Internet Explorer and Flash.
The news further reinforces the importance of having antivirus software installed on your devices just in case you click a shady pop-up advertisement.
What’s the Threat to Edge and Chrome Users?
Discovered by cybersecurity researchers from Malwarebytes, the ransomware is inserted onto victims’ computers after a process facilitated by the Magnitude exploit kit.
The kit in question is, according to Malwarebytes, “a grab-bag of social engineering lures and exploits to attack web users and install ransomware on their computers.”
The ransomware is affecting users of both Chrome and Microsoft Edge because it’s based on chromium coding, which is also utilized to build both browsers.
Although it is largely being used to target users in South Korea, it wouldn’t be surprising if the same – or similar threats emerge shortly after in other locations.
What Happens During the Ransomware Attack?
The attack starts when a user visits an ad-heavy website and encounters a malicious ad. The advert sends them to a “gate”, known as a “Magnigate”. This then checks both the IP address of the user and the browser to see if the user has the capacity to be attacked.
If it is possible, then the user is sent to the exploit kit landing page and, based on the info collected at the gate, the exploit kit chooses an attack from its collection of exploits.
If the user is using Microsoft Edge, then the kit will send it a fake Microsoft Edge update (which is actually a malicious file for Windows devices, which subsequently downloads the ransomware).
The ransomware that finishes off the attack is called ‘Magniber’. It’s a simple sort of ransomware that – if you’re tricked into downloading the fake update – will encrypt all the files on your computer and then demand a ransom to unlock them again.
Old Tactic, New Disguise
Updates have always been a favorite for scammers. It’s generally considered good practice to update your systems as soon as updates are released in order to patch vulnerabilities – so threat actors can leverage that positive association between updates and security.
There’s also the question of expected frequency. Flash and Internet Explorer updates used to be one of the most widely mimicked updates by scammers looking to trick unsuspecting users into downloading their malicious software.
Flash updates were frenetic and pushed out at pace, so it was easy to dupe users into thinking just one was legitimate. However, Adobe discontinued Flash last year and programs like Internet Explorer have deprecated – but that hasn’t spelled the end for exploit kits.
“The future of exploit kits is via Chrome exploits. This could either be an anomaly or the beginning of a new era with big implications for the years to come” – Jérôme Segura, Malwarebytes’ Director of Threat Intelligence.
Back in October 2021, Malwarebytes reported that threat actors using exploit kits were now targeting Chrome, potentially marking a new era for an increasingly unpopular type of ransomware.
How Can I Avoid Clicking on Ransomware?
Ransomware is becoming a global problem, but is particularly an issue for US citizens – around a quarter of all ransomware is directed at the US.
For this problem, ensuring you have antivirus software installed is a good start – it will separate the legitimate updates from the fake ones and block them.
Another step that’s good to take is to ensure that your browser has all the legitimate updates that have been released installed.
If you want to be completely sure you’re downloading legitimate ones, look for them in your browser’s settings rather than waiting for reminders or reminders to appear. Turning on automatic updates – if you’re currently installing them manually – is also advised.