Threat Watch

Magniber Ransomware Adopts JavaScript to Attack Individuals

In September, HP Wolf Security observed Magniber ransomware spreading through an isolated campaign that targeted individual users rather than organizations. The threat group has adopted a new delivery method that uses JavaScript files to load the ransomware instead of the MSI and EXE files used previously. The attack requires the victim to download a ZIP file from an attacker-controlled website and run the JavaScript file it contains. For the ransomware to work, the file must be run on a Windows machine under an administrator account, which is the usual state of most private computers. The attackers use several techniques to evade detection, such as running the ransomware in memory, bypassing User Account Control (UAC) in Windows, and sidestepping detection tools that monitor user-mode hooks by issuing syscalls directly instead of calling the standard Windows API libraries. Once infected, victims are required to pay $2,500 to regain control of their machine.

Most private machines are used under an administrator account all the time, because that is the default when the computer is first set up. To combat attacks like these, users can create an alternate account that does not have full administrator privileges and use that account for day-to-day activity. This stops attacks that need to run under an account with administrator-level access; when the user needs to change system settings, they can log back into the account that holds the admin privileges. Other mitigations include keeping systems up to date with patches and only downloading files from trusted and verified websites.
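The account-separation mitigation described above, as an added example that is not part of the original report: a PowerShell script that warns when the current session already holds administrator rights, creates a standard (non-admin) local account for daily use, and verifies that the new account did not land in the Administrators group. It assumes Windows 10/11 with the built-in LocalAccounts module and is run once from an elevated prompt; the account name is a placeholder.

```powershell
# Added example (not from the HP Wolf Security report): create a non-admin
# account for daily use and confirm it carries no administrator rights.
# Assumes Windows 10/11 with the LocalAccounts module; run once as admin.

function Test-CurrentUserIsAdmin {
    # True when this session is running under an administrator token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function New-StandardDailyAccount {
    param(
        [Parameter(Mandatory)] [string] $Name   # placeholder account name
    )
    # Prompt for the password instead of hard-coding it in the script.
    $password = Read-Host -AsSecureString "Password for $Name"
    New-LocalUser -Name $Name -Password $password | Out-Null

    # Membership in 'Users' only: no administrator rights.
    Add-LocalGroupMember -Group 'Users' -Member $Name

    # Verify the account is not (directly) a member of Administrators.
    $admins = Get-LocalGroupMember -Group 'Administrators' |
              Select-Object -ExpandProperty Name
    if ($admins -match "\\$Name$") {
        throw "$Name unexpectedly has administrator rights"
    }
    Write-Host "Created standard account '$Name'. Use it for day-to-day work."
}

if (Test-CurrentUserIsAdmin) {
    Write-Warning "This session has administrator rights; any script run from it would too."
}
New-StandardDailyAccount -Name 'daily-user'
```

After logging in with the new account, settings changes that need elevation will prompt for the administrator account's credentials instead of silently inheriting admin rights.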