Fake Windows updates used to spread ransomware

According to recent reports, Magniber ransomware is distributed via fake Windows updates. While some of these fake updates are designed to trick unsuspecting end users, others are actually designed to trick IT professionals.

A user installing fake Windows update can cause significant damage. Therefore, it is crucial for IT pros to use software whitelists, restrictive permissions, and other techniques to prevent users from running unauthorized code. At the same time, however, it is also important to know the warning signs of a fake Windows update in order to avoid installing such an update in the first place.

Windows Update screens

As you probably already know, legitimate Windows updates are delivered through Microsoft’s Windows Update service. The Windows Update interface varies from one Windows version to the next, but should be accessible from Settings. Figure 1 shows what Windows Update looks like in Windows 10, while Figure 2 shows the Windows 11 version.

Brien Posey

Illustration 1. This is what Windows Update looks like in Windows 10.

Brien PoseyScreenshot of Windows 11 Windows Update screen

figure 2 This is what Windows Update looks like in Windows 11.

Not surprisingly, attackers try to trick users into installing fake Windows updates by presenting them with a fake Windows Update screen. The screen will indicate that an update needs to be installed and will provide a link to start the installation. The unsuspecting user then clicks the link and installs ransomware.

Fake Windows updates via phishing emails

Of course, this is far from the only method cyber criminals use to trick users into installing ransomware.

A far more common technique is to email Windows Update messages to potential victims. These phishing emails usually contain a subject line like “Critical Microsoft Windows update” or “Install the latest Windows update now”.

Some of the emails are blatantly fake: they’re chock-full of spelling and grammatical errors, contain threats, or give completely illogical instructions. In other cases, however, these lure messages can be much more persuasive.

More sophisticated examples include the Microsoft logo, links to genuine Microsoft resources, and many other legitimate-looking elements. Such a well-crafted message can even display the recipient’s Microsoft account name. If recipients are unaware that Microsoft doesn’t email such updates to its customers, they could fall for the scam.

Downloading malicious code from websites

Cyber ​​criminals also take advantage of users trying to track down an older version of Windows or an older patch (e.g. a hotfix that ended up being included in a patch rollup). Let me take you behind the scenes to show you how this technique works.

As a freelance technology writer, I sometimes need to install old versions of Windows. For example, when I’m writing an article about Windows migrations, I need to install different versions of Windows to test a method. I usually download an older Windows version from Microsoft’s Visual Studio library. Unfortunately, Microsoft doesn’t keep items in the library forever and eventually deletes software once it reaches a certain age.

When that happens I sometimes have no choice but to scour the internet for a downloadable copy. While there are legitimate websites where you can download extremely old Microsoft code, there are also malicious websites that pretend to be legitimate. If you are unlucky enough to download any file from any of the malicious websites, you will end up infecting your computer.

Incidentally, cyber criminals sometimes managed to inject malicious code into otherwise legitimate sites. There have been cases in which, for example, malicious code has briefly appeared on GitHub.

Just as cyber criminals sometimes try to take advantage of those who want to track down an older version of Windows, they also try to take advantage of those who want to grab a free copy of Windows. In this case, cyber criminals set up websites that make it appear as if you can download a free copy. Of course, the code you would download is malicious.


As a best practice, you should never download Windows or Windows updates outside of the official channels. However, if you have no choice but to use a non-Microsoft source, make sure you download from a hardened virtual machine. The virtual machine should be secured to such an extent that an infection contained in it cannot spread through your network.

Comments are closed.