Magniber Ransomware Help Topic (READ_ME_FOR_DECRYPT_[id].txt & My Deccryptor)

15 replies to this topic

#1 Grinler (Lawrence Abrams), Admin

Posted 18 October 2017 - 01:35 PM

This topic is for help and support regarding the Magniber Ransomware. This ransomware is currently targeting South Korea victims and will encrypt a victim's data and append an extension to it.

Currently the known extensions are: .ihsdj & .kgpvwnr

The TOR payment site for Magniber is called "My Decryptor".

[Image: text ransom note]





#2 samwiseOrgin, Member

Posted 19 October 2017 - 12:35 AM

As a South Korean, I am triggered now!

My colleague was hit by CRBR, probably v5 or v6, which I am aware has no decryption method.

Two questions:

1. The ransom note in your original article states that the Victim ID is the subdomain in the Tor browser.

Is "oc77-----" your ID when testing this ransomware?

2. Refer to my comment on the original article:

"So are you saying now that Cerber has two successors?

Cerber - Crbr
Cerber - Magniber

Or is Crbr simply another name for Cerber as of version 3?"


Edited by samwiseOrgin, 19 October 2017 - 12:36 AM.


#3 Grinler (Lawrence Abrams), Admin, Topic Starter

Posted 19 October 2017 - 10:01 AM

Crbr was just a rename of Cerber; otherwise it is the same infection.

Magniber is a different ransomware infection that utilizes the same payment site and distribution methods. Cerber seems to have halted or severely minimized distribution to the point that it's not really active anymore.

#4 samwiseOrgin, Member

Posted 19 October 2017 - 07:51 PM

Mr. Abrams, please refer to my comment in your article. I don't know if this goes for all ransomware, but all Magniber victims show the symptom of a Windows notification saying "Not able to find ihsdj.exe..... kgpvwnr.exe... or fprgbk.exe in Temp folder."

Pictures to follow (be advised, all in the Korean language; I will highlight the significance with blue marks).


Edited by samwiseOrgin, 19 October 2017 - 10:02 PM.


#5 Grinler (Lawrence Abrams), Admin, Topic Starter

Posted 21 October 2017 - 04:22 PM

Most likely caused by the autorun not being deleted, while the ransomware executable is.

#6 samwiseOrgin, Member

Posted 22 October 2017 - 09:13 PM

Thanks to the article, I am aware that victims who use a non-Korean IP address can get a decryptor.

No luck for victims who use a Korean IP address?



#7 samwiseOrgin, Member

Posted 09 November 2017 - 09:30 PM

Updates on the extensions of Magniber Ransomware follow:

.ihsdj, .kgpvwnr, .madrcby, .jdakuzbrk, .ymdmf, .vbdrj, .fprgpk, .iupgujqm, .skvtb, .Ihjjnetmm

The list of extensions will be updated at my convenience.



#8 kku3472, Member

Posted 12 January 2018 - 10:23 AM

Mr. Abrams, I have been infected by a new variant of Magniber Ransomware with the IV of NDPFh96kPk337905, and the extension being "ueyznir".

How and where may I get help for this?

 

P.S.: Some encrypted files are downloadable via the link below; hope this helps.

 

https://drive.google.com/drive/folders/1gqA-LCPz-GU56sagYAFEUgIIs043_xX-?usp=sharing



#9 Whtkdgud, Member

Posted 12 January 2018 - 10:43 AM

I'm not exactly sure if the ransomware I got is Magniber, as my ransom note is named READ_FOR_DECRYPT.txt and the encrypted files' extensions are .ueyznir and .aufekxs. But 'ID Ransomware' says that the ransomware I got is Magniber, and the ransom note I got is exactly the same as Magniber's. Also, the webpage linked from the txt file looks exactly the same too.

By the way, it seems that the file extension is decided randomly.

Also, I'm from South Korea.


Edited by Whtkdgud, 12 January 2018 - 10:44 AM.


#10 quietman7 (Bleepin' Janitor), Global Moderator

Posted 12 January 2018 - 11:26 AM

Previously it was reported by Grinler (Lawrence Abrams) with two different extensions (.ihsdj & .kgpvwnr) being used depending on the executable that was analyzed and that the extension can be changed with each distribution campaign or affiliate as explained here. Later it was reported with the following random extensions and ransom notes named READ_ME_FOR_DECRYPT.txt, READ_FOR_DECRYPT.txt...see here.

.skvtb
.madrcby
.jdakuzbrk
.ymdmf
.vbdrj
.fprgpk
.iupgujqm
.Ihjjnetmm
.vpgvlkb
.dlenggrl
.xhspythxn
.dwbiwty
.fbuvkngy
.dxjay
.wmfxdqz

Since the extensions have been random, you may be dealing with a new variant, especially since you have the READ_FOR_DECRYPT.txt ransom note.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#11 Amigo-A, Member

Posted 12 January 2018 - 02:53 PM

Magniber uses the extension pattern: .<random{5-9}>

This is 5, 6, 7, 8 or 9 characters after the dot.

Probably, enumerating all possible extensions, detected and undetected, does not make sense.

The notes were as follows:
_HOW_TO_DECRYPT_MY_FILES_<victim_id>_.txt
READ_ME_FOR_DECRYPT_<victim_id>_.txt
READ_ME_FOR_DECRYPT.txt

Now the note is:
READ_FOR_DECRYPT.txt

Edited by Amigo-A, 12 January 2018 - 03:12 PM.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Do you know Russian? Write to me in Russian. I will help.


#12 times2345, Member

Posted 18 July 2018 - 03:05 PM

My files are infected with Magniber, as identified by ID Ransomware. The file extension is iagzgluc (this value also appears at the end of the addresses in the ransom note). The note is named README.txt.
I'm not in South Korea and not using Korean on my machine.
Some encrypted files are in https://drive.google.com/drive/mobile/folders/1IPOTfutddP1lTXWvjI0Vucu7wz0-fdO6
Can anyone help? Thanks!

#13 quietman7 (Bleepin' Janitor), Global Moderator

Posted 18 July 2018 - 05:19 PM

I am not aware of any recent updates indicating newer variants are decryptable. If possible, your best option is to restore from backups, try file recovery software or backup/save your encrypted data as is and wait for a possible solution at a later time. Ignore all Google searches which provide links to bogus and untrustworthy removal/decryption guides.

#14 Amigo-A, Member

Posted 19 July 2018 - 01:50 AM

times2345

A pattern of extension used by Magniber Ransomware: .<random{5-9}>
This is from 5 to 9 characters (letters) after the dot.

This malicious campaign has already switched to other neighboring countries, including China, its neighbors and users with the Chinese version of Windows. Unfortunately...

At the moment there are no public decryptors (decoders), but the previous experience of AhnLab allows us to hope that they will appear after some time.

Edited by Amigo-A, 19 July 2018 - 01:56 AM.

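As an added example (not code from the thread or from any poster), the following triage helper applies the two naming rules stated in posts #11 and #14, the ransom note names and the .<random{5-9}> extension pattern, to a directory listing: it flags note files, counts files per candidate extension, and separates extensions already reported in this thread from new ones that might indicate a fresh campaign. The benign allowlist, the cluster threshold and the sample listing are assumptions constructed for the example.

```python
import re
from collections import Counter

# Ransom note names reported in this thread (Amigo-A's list plus the
# README.txt / readme.txt names reported by later posters).
NOTE_PATTERNS = [
    re.compile(r"^_HOW_TO_DECRYPT_MY_FILES_[A-Za-z0-9]+_\.txt$"),
    re.compile(r"^READ_ME_FOR_DECRYPT(_[A-Za-z0-9]+_?)?\.txt$"),
    re.compile(r"^READ_FOR_DECRYPT\.txt$"),
    re.compile(r"^readme\.txt$", re.IGNORECASE),
]

# Extensions reported in this thread (lower-cased); anything else that
# fits the pattern is reported as "unknown" (possible new campaign).
KNOWN_EXTENSIONS = {
    "ihsdj", "kgpvwnr", "skvtb", "madrcby", "jdakuzbrk", "ymdmf", "vbdrj",
    "fprgpk", "iupgujqm", "ihjjnetmm", "vpgvlkb", "dlenggrl", "xhspythxn",
    "dwbiwty", "fbuvkngy", "dxjay", "wmfxdqz", "ueyznir", "aufekxs",
    "iagzgluc", "rlfrht",
}

# Amigo-A's rule: .<random{5-9}> letters after the last dot.
EXT_PATTERN = re.compile(r"\.([A-Za-z]{5,9})$")

# Assumed short allowlist of ordinary 5-9 letter extensions so a normal
# folder does not trip the check; extend it for your environment.
BENIGN = {"torrent", "sqlite", "class", "patch", "gitignore", "plist"}


def triage(filenames, min_cluster=3):
    """Return ransom notes and per-extension clusters found in a listing."""
    notes = [f for f in filenames if any(p.match(f) for p in NOTE_PATTERNS)]
    counts = Counter()
    for f in filenames:
        m = EXT_PATTERN.search(f)
        if m and m.group(1).lower() not in BENIGN:
            counts[m.group(1).lower()] += 1
    # One campaign uses one extension, so many files sharing a single
    # odd extension is the signal; isolated hits are ignored.
    clusters = {e: n for e, n in counts.items() if n >= min_cluster}
    return {
        "notes": notes,
        "known": sorted(e for e in clusters if e in KNOWN_EXTENSIONS),
        "unknown": sorted(e for e in clusters if e not in KNOWN_EXTENSIONS),
        "counts": clusters,
    }


# Constructed sample listing: one note, one known and one new extension,
# a single stray hit below the threshold, and ordinary files.
SAMPLE_LISTING = [
    "READ_ME_FOR_DECRYPT_abc123_.txt",
    "budget.xlsx.ueyznir", "thesis.docx.ueyznir", "photo.jpg.ueyznir",
    "a.png.zzqrtvp", "b.png.zzqrtvp", "c.png.zzqrtvp", "d.pdf.zzqrtvp",
    "old.doc.kgpvwnr", "notes.txt", "movie.torrent", ".gitignore",
]
```

Run `triage(SAMPLE_LISTING)` to see the note flagged, `ueyznir` reported as known and `zzqrtvp` as an unknown cluster of four files.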


#15 bc032679, Member

Posted 20 October 2018 - 06:34 AM

I'm not exactly sure if the ransomware I got is Magniber, as my ransom note is named readme.txt and the encrypted files' extension is .rlfrht. But 'ID Ransomware' says that the ransomware I got is Magniber, and the ransom note I got is exactly the same as Magniber's. Also, the webpage linked from the txt file looks exactly the same too.
