
Magniber Ransomware Help Topic (READ_ME_FOR_DECRYPT_[id].txt & My Decryptor)


6 replies to this topic

#1 Grinler (Lawrence Abrams), Admin

Posted 18 October 2017 - 01:35 PM

This topic is for help and support regarding the Magniber Ransomware. This ransomware is currently targeting South Korean victims and will encrypt a victim's data and append an extension to it.

Currently the known extensions are: .ihsdj & .kgpvwnr

The TOR payment site for Magniber is called "My Decryptor".

[Image: text-ransom-note.jpg (ransom note)]




#2 samwiseOrgin, Member

Posted 19 October 2017 - 12:35 AM

As a South Korean, I am triggered now!

My colleague was hit by CRBR, probably v5 or v6, which I am aware has no decryption method.

Two questions.

1. The ransom note in your original article states that the Victim ID is the subdomain in the Tor browser.

Is "oc77-----" your ID from testing this ransomware?

2. Referring to my comment on the original article:

"So are you saying now Cerber has two successors?

Cerber - Crbr
Cerber - Magniber

or is Crbr simply another name for Cerber as of version 3?"




#3 Grinler (Lawrence Abrams), Admin, Topic Starter

Posted 19 October 2017 - 10:01 AM

Crbr was just a rename of Cerber. Otherwise the same infection.

Magniber is a different ransomware infection that utilizes the same payment site and distribution methods. Cerber seems to have halted or severely minimized distribution to the point that it's not really active anymore.

#4 samwiseOrgin, Member

Posted 19 October 2017 - 07:51 PM

Mr. Abrams, please refer to my comment on your article. I don't know if this goes for all ransomware, but all Magniber victims show the symptom of a Windows notification saying "Not able to find ihsdj.exe... kgpvwnr.exe... or fprgbk.exe in Temp folder."

Pictures to follow (be advised, all in the Korean language; I will highlight the significance with blue marks).




#5 Grinler (Lawrence Abrams), Admin, Topic Starter

Posted 21 October 2017 - 04:22 PM

Most likely caused by the autorun not being deleted, while the ransomware executable is.
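
The orphaned-autorun explanation above can be checked directly. The following is an added example for this thread, not code from the posts or from any Magniber analysis: it parses Run-key style autorun entries, extracts the executable path, and flags entries whose target no longer exists, with the Temp-folder location called out separately since that is where the thread reports the missing ihsdj.exe / kgpvwnr.exe / fprgbk.exe. The registry value names, paths and the "disk contents" are constructed so the script runs offline; on a real Windows host the `winreg` loader at the bottom can feed it the live HKCU Run key instead.

```python
"""Flag Run-key autorun entries whose target executable no longer exists.

Added example for this thread, not code from the original posts. It models the
symptom reported above: Windows complains it cannot find ihsdj.exe, kgpvwnr.exe
or fprgbk.exe in the Temp folder because the autorun entry outlives the deleted
ransomware executable. All value names and paths below are constructed.
"""
import re

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run values
# (value name -> command line). Names and paths are assumptions for the example.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "ihsdj": r"C:\Users\victim\AppData\Local\Temp\ihsdj.exe",
    "fprgbk": r'"C:\Users\victim\AppData\Local\Temp\fprgbk.exe"',
    "ctfmon": r"C:\Windows\System32\ctfmon.exe",
}

# Constructed view of which files still exist on the (hypothetical) disk,
# stored lower-cased because NTFS paths compare case-insensitively.
SAMPLE_DISK = {
    r"c:\users\victim\appdata\local\microsoft\onedrive\onedrive.exe",
    r"c:\windows\system32\ctfmon.exe",
}

TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def executable_from_command(command: str) -> str:
    """Return the program path from an autorun command line.

    A quoted command yields the text inside the first pair of quotes;
    otherwise the first whitespace-delimited token is taken.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(None, 1)[0] if command else ""


def is_temp_path(path: str) -> bool:
    """True when the path lives under a Temp or Tmp directory."""
    return bool(TEMP_DIR_RE.search(path))


def find_orphaned_autoruns(run_values, file_exists):
    """Return (value_name, path) for entries whose executable is missing.

    `file_exists` is injected so the same logic runs against the constructed
    file set here and against os.path.isfile on a real host.
    """
    orphaned = []
    for name, command in run_values.items():
        path = executable_from_command(command)
        if path and not file_exists(path):
            orphaned.append((name, path))
    return orphaned


def load_current_user_run_values():
    """Read the live HKCU Run key (Windows only; winreg is in the stdlib there)."""
    import winreg
    values = {}
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:  # raised once all values are enumerated
                break
            values[name] = str(data)
            index += 1
    return values


if __name__ == "__main__":
    hits = find_orphaned_autoruns(SAMPLE_RUN_VALUES,
                                  lambda p: p.lower() in SAMPLE_DISK)
    for name, path in hits:
        tag = "TEMP" if is_temp_path(path) else "    "
        print(f"[{tag}] {name}: {path}")
```

On a live machine, call `find_orphaned_autoruns(load_current_user_run_values(), os.path.isfile)`; an entry that points into Temp and no longer resolves is the stale autorun the post describes, and deleting that value is what silences the "not able to find ... in Temp folder" notification. It does not recover any files.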

#6 samwiseOrgin, Member

Posted 22 October 2017 - 09:13 PM

Thanks to the article, I am aware that victims who use a non-Korean IP address can get the decryptor.

No luck for victims who use a Korean IP address?



#7 samwiseOrgin, Member

Posted 09 November 2017 - 09:30 PM

Updates on the extensions of Magniber Ransomware, following:

.ihsdj, .kgpvwnr, .madrcby, .jdakuzbrk, .ymdmf, .vbdrj, .fprgpk, .iupgujqm, .skvtb, .Ihjjnetmm

The list of extensions will be updated at my convenience.
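
The extension list collected in this thread, together with the READ_ME_FOR_DECRYPT_[id].txt note name from the topic title, is enough to triage a file listing from an affected machine. The script below is an added example, not code from the posts: it classifies each path as an encrypted file (recording the original extension underneath the appended one) or a ransom note (pulling out the victim id), and summarises the result. The sample listing and the victim id in it are constructed; the id format is assumed to be alphanumeric, since the thread only shows an elided "oc77-----".

```python
"""Triage a file listing for Magniber indicators.

Added example for this thread, not code from the original posts. It uses the
extensions collected in the thread plus the READ_ME_FOR_DECRYPT_[id].txt note
name from the topic title. The sample listing and victim id are constructed.
"""
import ntpath
import os
import re
from collections import Counter

# Extensions reported in this thread (matched case-insensitively).
MAGNIBER_EXTENSIONS = {
    ".ihsdj", ".kgpvwnr", ".madrcby", ".jdakuzbrk", ".ymdmf",
    ".vbdrj", ".fprgpk", ".iupgujqm", ".skvtb", ".ihjjnetmm",
}

# Ransom note name from the topic title; the id is assumed to be alphanumeric.
RANSOM_NOTE_RE = re.compile(r"^READ_ME_FOR_DECRYPT_([A-Za-z0-9]+)\.txt$",
                            re.IGNORECASE)

# Constructed sample listing so the script runs offline.
SAMPLE_LISTING = [
    r"C:\Users\victim\Documents\report.docx.ihsdj",
    r"C:\Users\victim\Documents\READ_ME_FOR_DECRYPT_oc77abc1.txt",
    r"C:\Users\victim\Pictures\holiday.jpg.ihsdj",
    r"C:\Users\victim\Pictures\READ_ME_FOR_DECRYPT_oc77abc1.txt",
    r"C:\Users\victim\Desktop\budget.xlsx.KGPVWNR",
    r"C:\Users\victim\Desktop\notes.txt",
    r"C:\Windows\System32\ntdll.dll",
]


def classify(path: str):
    """Return ("encrypted", original_ext), ("note", victim_id) or None.

    ntpath is used deliberately so Windows paths parse on any host.
    """
    name = ntpath.basename(path)
    note = RANSOM_NOTE_RE.match(name)
    if note:
        return ("note", note.group(1))
    stem, ext = ntpath.splitext(name)
    if ext.lower() in MAGNIBER_EXTENSIONS:
        # Magniber appends its extension, so the original one is still in the stem.
        original_ext = ntpath.splitext(stem)[1].lower() or "(none)"
        return ("encrypted", original_ext)
    return None


def triage(paths):
    """Summarise a listing: encrypted count per original extension, notes, ids."""
    by_ext = Counter()
    victim_ids = set()
    notes = 0
    for path in paths:
        result = classify(path)
        if result is None:
            continue
        kind, detail = result
        if kind == "encrypted":
            by_ext[detail] += 1
        else:
            notes += 1
            victim_ids.add(detail)
    return {
        "encrypted_by_original_ext": dict(by_ext),
        "ransom_notes": notes,
        "victim_ids": sorted(victim_ids),
    }


def walk_listing(root):
    """Yield every file under root; use this instead of SAMPLE_LISTING on a real host."""
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            yield os.path.join(dirpath, filename)


if __name__ == "__main__":
    summary = triage(SAMPLE_LISTING)
    for ext, count in sorted(summary["encrypted_by_original_ext"].items()):
        print(f"{count:5d} encrypted {ext} files")
    print(f"{summary['ransom_notes']} ransom notes, victim ids: {summary['victim_ids']}")
```

Run it as `triage(walk_listing(r"C:\Users"))` on the affected machine to get the per-type damage count and the victim id without opening any note; the count by original extension is also what to hand a backup team, since it tells them which file classes need restoring. New extensions added later in this thread just need appending to `MAGNIBER_EXTENSIONS`.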
