The HP Wolf Security Threat Research Team has released a detailed analysis of a highly evasive ransomware campaign that targets individual consumers rather than enterprises (the ‘Big Game Hunting’ model). The campaign disguises Magniber ransomware as fake antivirus or Windows software updates to trick users into downloading it, then encrypts their files and demands around $2,500 in bitcoin for restored access.

This campaign is much harder to detect than those typically seen against personal machines, because the malicious code runs only in memory rather than being written to disk as a payload, which lets it slip past antivirus products that rely on scanning files. Magniber is delivered as a malicious JavaScript file which, when run from an administrator account, escalates its privileges without the user being asked to approve the change (bypassing the User Account Control prompt), then encrypts files and redirects the victim to a webpage demanding the ransom.

The good news is that there is a simple way for consumers to protect themselves. To encrypt files and lock the user out of them, Magniber must be executed under a Windows account with administrator privileges, a level of access that is far more common on home PCs than in managed corporate environments.

“Consumers can protect themselves by following ‘least-privilege’ principles – only logging on with their administrator account when strictly needed, and creating another account for everyday use,” explains Patrick Schläpfer, Malware Analyst at HP Wolf Security. “Users can also reduce risk by making sure updates are only installed from trusted sources, checking URLs to ensure official vendor websites are used, and backing up data regularly to minimize the impact of a potential data breach.”
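The least-privilege advice above amounts to two checks and one change on a Windows machine: find out whether the account you use every day is an administrator, see which local accounts sit in the Administrators group, and, if needed, create a standard account for daily use. The PowerShell below is an added example written for this page, not code from HP Wolf Security or from the Magniber report; the account name `daily` is a placeholder, and the script is meant to be run once from an elevated session on the machine being hardened.

```powershell
# Added example (not from the HP report): audit local administrator membership and
# create a standard, non-admin account for everyday use.
# Run once from an elevated PowerShell session. $DailyUser is a placeholder name.

$DailyUser = 'daily'

# 1. Is the current session running with administrator rights? Magniber needs this
#    level of access to encrypt files, so an everyday account should report False here.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]::new($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Current session elevated: $isAdmin"

# 2. Which local accounts are members of the Administrators group?
#    On a typical home PC the account used day to day appears here, which is the problem.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 3. Create the standard account if it does not exist yet. New-LocalUser adds the
#    account to no group; putting it in 'Users' (and not 'Administrators') gives it
#    the least privilege needed for browsing, email and documents.
if (-not (Get-LocalUser -Name $DailyUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString -Prompt "Password for $DailyUser"
    New-LocalUser -Name $DailyUser -Password $pw -FullName 'Everyday account' `
        -Description 'Standard user for daily use' | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $DailyUser
}

# 4. Verify: the new account must not appear among the Administrators.
#    Member names are returned as COMPUTERNAME\account, hence the backslash in the pattern.
$admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
if ($admins -match "\\$DailyUser$") {
    Write-Warning "$DailyUser is still an administrator; remove it from the group"
} else {
    "$DailyUser is a standard user. Log on with it for daily work and keep the admin account for installs."
}
```

After switching to the standard account, a fake "update" that launches a JavaScript file runs without administrator rights, so the privilege escalation the campaign depends on has nothing to build on. Genuine updates and software installs are then done by explicitly signing in as, or entering the credentials of, the administrator account.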

The full report, which walks through Magniber’s infection chain, how it evades detection and how it encrypts files, is available on the HP Wolf Security Threat Blog. It also contains indicators of compromise for security professionals.