Magniber Ransomware Help Topic (READ_ME_FOR_DECRYPT_[id].txt & My Deccryptor)



#1 Grinler

Lawrence Abrams (Admin)

Posted 18 October 2017 - 01:35 PM

This topic is for help and support regarding the Magniber Ransomware. This ransomware is currently targeting South Korea victims and will encrypt a victim's data and append an extension to it.

Currently the known extensions are: .ihsdj & .kgpvwnr

The TOR payment site for Magniber is called "My Decryptor".

[Image: text-ransom-note.jpg (screenshot of the ransom note)]




#2 samwiseOrgin

Members

Posted 19 October 2017 - 12:35 AM

As a South Korean, I am triggered now!

My colleague was hit by CRBR, probably v5 or v6, which I am aware there's no decryption method for.

2 questions.

1. The ransom note in your original article states that the Victim ID is the subdomain of the Tor browser.

Is "oc77-----" your ID when testing this ransomware?

2. Refer to my comment on the original article:

"So are you saying now Cerber has two successors?

Cerber - Crbr
Cerber - Magniber

or is Crbr simply another name for Cerber as of version 3?"


Edited by samwiseOrgin, 19 October 2017 - 12:36 AM.


#3 Grinler

Lawrence Abrams (Admin, Topic Starter)

Posted 19 October 2017 - 10:01 AM

Crbr was just a rename of Cerber. Otherwise the same infection.

Magniber is a different ransomware infection that utilizes the same payment site and distribution methods. Cerber seems to have halted or severely minimized distribution to the point that it's not really active anymore.

#4 samwiseOrgin

Members

Posted 19 October 2017 - 07:51 PM

Mr. Abrams, please refer to my comment in your article. I don't know if this goes for all ransomware, but all Magniber victims show the symptom of a Windows notification saying "Not able to find ihsdj.exe..... kgpvwnr.exe... or fprgbk.exe in Temp folder."

Pictures to follow (be advised, all in Korean language; I will highlight the significance with blue marks).


Edited by samwiseOrgin, 19 October 2017 - 10:02 PM.


#5 Grinler

Lawrence Abrams (Admin, Topic Starter)

Posted 21 October 2017 - 04:22 PM

Most likely caused by the autorun not being deleted, while the ransomware executable is.

#6 samwiseOrgin

Members

Posted 22 October 2017 - 09:13 PM

Thanks to the article, I am aware that victims who use a non-Korean IP address can have a decryptor.

No luck for victims who use a Korean IP address?



#7 samwiseOrgin

Members

Posted 09 November 2017 - 09:30 PM

Updates on the extensions of Magniber Ransomware following:

.ihsdj & .kgpvwnr, madrcby / jdakuzbrk / ymdmf / vbdrj / fprgpk / iupgujqm / skvtb / Ihjjnetmm

The list of extensions will be updated at my convenience.



#8 kku3472

Members

Posted 12 January 2018 - 10:23 AM

Mr. Abrams, I have been infected by a new variant of Magniber Ransomware with the IV of NDPFh96kPk337905, and the extension being "ueyznir".

How and where may I get help for this?

 

P.S: Some encrypted files are downloadable via that link below; hope this helps.

 

https://drive.google.com/drive/folders/1gqA-LCPz-GU56sagYAFEUgIIs043_xX-?usp=sharing



#9 Whtkdgud

Members
Posted 12 January 2018 - 10:43 AM

I'm not exactly sure if the ransomware I got is Magniber, as my ransom note is named READ_FOR_DECRYPT.txt

and the encrypted files' extensions are .ueyznir and .aufekxs. But 'ID Ransomware' says that the ransomware I got is Magniber, and the ransom note I got is exactly the same as Magniber's. Also, the webpage linked from the txt file looks exactly the same too.

Btw, it seems that the file extension is decided randomly.

Btw2, I'm from South Korea.


Edited by Whtkdgud, 12 January 2018 - 10:44 AM.


#10 quietman7

Bleepin' Janitor (Global Moderator)

Posted 12 January 2018 - 11:26 AM

Previously it was reported by Grinler (Lawrence Abrams) with two different extensions (.ihsdj & .kgpvwnr) being used depending on the executable that was analyzed and that the extension can be changed with each distribution campaign or affiliate as explained here. Later it was reported with the following random extensions and ransom notes named READ_ME_FOR_DECRYPT.txt, READ_FOR_DECRYPT.txt...see here.

.skvtb
.madrcby
.jdakuzbrk
.ymdmf
.vbdrj
.fprgpk
.iupgujqm
.Ihjjnetmm
.vpgvlkb
.dlenggrl
.xhspythxn
.dwbiwty
.fbuvkngy
.dxjay
.wmfxdqz

Since the extensions have been random, you may be dealing with a new variant, especially since you have the READ_FOR_DECRYPT.txt ransom note.



#11 Amigo-A

Members

Posted 12 January 2018 - 02:53 PM

Magniber uses the extension's pattern: .<random{5-9}>

This is 5, 6, 7, 8, 9 characters after the dot.

 

Probably, enumerating all possible, detected and undetected extensions does not make sense.

 

The notes were as follows:
_HOW_TO_DECRYPT_MY_FILES_<victim_id>_.txt
READ_ME_FOR_DECRYPT_<victim_id>_.txt
READ_ME_FOR_DECRYPT.txt
 
Now it's a note:
READ_FOR_DECRYPT.txt

Edited by Amigo-A, 12 January 2018 - 03:12 PM.

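A defender-side triage script, added here as an example (it is not from the thread or from any project), that applies the naming patterns quoted in this thread: the ransom note names and the random 5-9 letter extension that Magniber appends after the original one. The file names, the KNOWN_TAILS allow-list and the min_files threshold are constructed assumptions, not values from the thread.

```python
import re
from collections import defaultdict

# Ransom note names quoted in the thread; <victim_id> is a per-victim token.
NOTE_RE = re.compile(
    r"^(?:_HOW_TO_DECRYPT_MY_FILES_[A-Za-z0-9]+_"
    r"|READ_ME_FOR_DECRYPT(?:_[A-Za-z0-9]+_?)?"
    r"|READ_FOR_DECRYPT)\.txt$"
)
# Magniber appends a random 5-9 letter extension after the original one,
# e.g. "report.docx.ihsdj", so the inner extension must still be present.
APPENDED_RE = re.compile(r"^.+\.[A-Za-z0-9]{1,5}\.([A-Za-z]{5,9})$")
# Legitimate double-extension tails that would otherwise match
# (constructed assumption; tune this allow-list per environment).
KNOWN_TAILS = {"backup", "sqlite", "config", "partial", "torrent"}


def _base(name):
    # Handle both Windows and POSIX separators without touching the filesystem.
    return re.split(r"[\\/]", name)[-1]


def find_ransom_notes(names):
    return sorted(n for n in names if NOTE_RE.match(_base(n)))


def group_appended_extensions(names):
    groups = defaultdict(list)
    for n in names:
        m = APPENDED_RE.match(_base(n))
        if m and m.group(1).lower() not in KNOWN_TAILS:
            groups[m.group(1).lower()].append(n)
    return dict(groups)


def triage(names, min_files=3):
    notes = find_ransom_notes(names)
    groups = group_appended_extensions(names)
    # One campaign uses one extension per victim, so an unknown extension
    # shared by many files is a far stronger signal than a single stray file.
    suspects = {e: f for e, f in groups.items() if len(f) >= min_files}
    return {"notes": notes, "suspect_extensions": suspects,
            "confident": bool(notes) and bool(suspects)}


# Constructed sample listing, as a scan of a user profile might return it.
SAMPLE = [
    r"C:\Users\kim\Documents\report.docx.ihsdj", "photo.jpg.ihsdj",
    "budget.xlsx.ihsdj", "READ_ME_FOR_DECRYPT_oc77abc_.txt", "db.sqlite",
    "archive.tar.backup", "notes.txt.partial", "thesis.pdf.ueyznir", "data.csv",
]
```

Running `triage(SAMPLE)` reports the note and the `.ihsdj` group; the lone `.ueyznir` file stays below the threshold and is left for manual review.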




