Magniber is a new ransomware being distributed by the Magnitude Exploit Kit that appears to be the successor to the Cerber Ransomware. While many aspects of the Magniber Ransomware are different than Cerber, the payment system and the files it encrypts are very similar.

Magniber was first discovered by security researcher Michael Gillespie when he saw victims uploading encrypted files and ransom notes to his ID-Ransomware site. Then, on October 16th, security researchers Kafeine, Joseph Chen, and malc0de discovered that the Magnitude exploit kit, which was previously the last known distributor of Cerber, had begun to distribute a new ransomware that was specifically targeting South Korean victims.

Thus Magniber (Magnitude+Cerber) was born.

The good news is that this ransomware may be decryptable, so do not pay the ransom without contacting us first. For anyone who is infected with this ransomware or wants to discuss the infection, we have a dedicated Magniber Ransomware Support & Help Topic.

Many people, including myself, have analyzed this ransomware. I would like to thank Fabian Wosar, Jack, Joseph Chen, Kafeine, malc0de, & Michael Gillespie for their contributions to this article.

Magniber distributed via exploit kits

Kafeine and Joseph Chen discovered that Magniber is being distributed through malvertisements displayed by the Magnitude exploit kit that are specifically targeting users from South Korea. In a report by Trend Micro, fraud researcher Joseph Chen explains how the Magnitude exploit kit is currently focusing on victims in South Korea.

Magnitude Exploit Kit Installing Magniber
Source: Trend Micro

Using malvertisements on web sites owned by the attackers, the exploit kit attempts to use a vulnerability in Internet Explorer to install the Magniber Ransomware. This is why it is so important for all users to make sure they install available security updates for programs that they have installed on their computer.

Magniber the successor to Cerber?

While victims are still submitting reports to ID-Ransomware, Cerber has almost gone silent since mid-September, with no major distribution campaigns underway. Kafeine then noted that the Magnitude exploit kit was the last distributor he knew of for Cerber, and that it too had stopped distributing Cerber in September.

Suddenly, Magnitude, the last known distributor of Cerber, begins to distribute another ransomware that uses the exact same payment site as Cerber. While this does not mean that Magniber shares the same code base, which I do not believe it does, it may be that the payment system was migrated to Magniber.

Cerber Decryptor
Magniber Decryptor

Unique payment site identification

A unique feature of the Magniber ransomware is how a user logs into the TOR payment site. Usually a ransomware will create a unique victim ID when it is first run. This victim ID is then added to the ransom note, and a victim must use it to log in to their dedicated payment page on the TOR site.

Magniber does it a bit differently. Instead of having a victim log in with the ID, it uses the ID as a subdomain on the TOR site. For example, a ransom note may contain the http://ava10ib3t21s1xfc4p6.bankme.date/ link to the TOR payment site. In that URL, the ava10ib3t21s1xfc4p6 subdomain is the victim's ID.

Victim ID as a Subdomain

The Magniber encryption process

malc0de discovered that, when first run, Magniber checks the language used when Windows was installed. If it is not Korean, the process terminates without encrypting the computer. If it is Korean, Magniber generates a unique victim ID that is used in the ransom notes and when accessing the TOR payment site, as described above.

The ransomware will then begin encrypting the data on the computer by searching for files that have certain file extensions. The current list of targeted extensions is given at the end of this article.

When it encounters a targeted file type, it will encrypt the file and append an extension to the encrypted file's name. We have seen two different extensions being used depending on the executable that was analyzed, so it may change with each distribution campaign or affiliate. At this time, we have seen both the .ihsdj and .kgpvwnr extensions being used.

Encrypted Folder

When searching for files to encrypt, Magniber will skip files whose path contains the following strings:

:\$recycle.bin\
:\$windows.~bt\
:\boot\
:\documents and settings\all users\
:\documents and settings\default user\
:\documents and settings\localservice\
:\documents and settings\networkservice\
:\program files\
:\program files (x86)\
:\programdata\
:\recovery\
:\recycler\
:\users\all users\
:\windows\
:\windows.old\
\appdata\local\
\appdata\locallow\
\appdata\roaming\adobe\flash player\
\appData\roaming\apple computer\safari\
\appdata\roaming\ati\
\appdata\roaming\intel\
\appdata\roaming\intel corporation\
\appdata\roaming\google\
\appdata\roaming\macromedia\flash player\
\appdata\roaming\mozilla\
\appdata\roaming\nvidia\
\appdata\roaming\opera\
\appdata\roaming\opera software\
\appdata\roaming\microsoft\internet explorer\
\appdata\roaming\microsoft\windows\
\application data\microsoft\
\local settings\
\public\music\sample music\
\public\pictures\sample pictures\
\public\videos\sample videos\
\tor browser\

While encrypting the computer, Magniber will create a ransom note named READ_ME_FOR_DECRYPT_[id].txt in each folder in which a file is encrypted.

Text Ransom Note

These ransom notes contain instructions on what has happened to your data and links to a TOR decryption service where a victim can find out the ransom amount and payment instructions. As already stated, the subdomain of the URLs in the ransom note is the victim's actual ID, and the string at the end of the URL, for example EP866p5M93wDS513 in the image above, may be an affiliate ID.

More information about the payment site can be found in the next section.
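As an added example (not code from the article or from any of the researchers credited above), the following Python script triages a folder for the artefacts described here: files carrying the .ihsdj or .kgpvwnr extension, READ_ME_FOR_DECRYPT_ notes, and the victim ID (URL subdomain) and trailing affiliate ID parsed from the note URLs, flagging any note host not in the article's IOC list. It assumes that the ID in the note file name equals the URL subdomain, and the sample folder it builds is constructed test data.

```python
import re
import tempfile
from pathlib import Path

# Indicators from the article: encrypted-file extensions, note name pattern, note hosts.
MAGNIBER_EXTS = {".ihsdj", ".kgpvwnr"}
NOTE_NAME_RE = re.compile(r"^READ_ME_FOR_DECRYPT_(?P<vid>[a-z0-9]+)_?\.txt$", re.IGNORECASE)
# Victim ID is the first subdomain label; the trailing path segment may be an affiliate ID.
NOTE_URL_RE = re.compile(r"https?://(?P<vid>[a-z0-9]+)\.(?P<host>[a-z0-9.\-]+)/(?P<aff>[A-Za-z0-9]+)")
KNOWN_HOSTS = {"ofotqrmsrdc6c3rz.onion", "bankme.date", "jobsnot.services",
               "carefit.agency", "hotdisk.world"}

def parse_note(text: str) -> dict:
    """Pull victim IDs, affiliate IDs and hosts out of a ransom note body."""
    hits = [m.groupdict() for m in NOTE_URL_RE.finditer(text)]
    hosts = {h["host"] for h in hits}
    return {"victim_ids": sorted({h["vid"] for h in hits}),
            "affiliate_ids": sorted({h["aff"] for h in hits}),
            "unknown_hosts": sorted(hosts - KNOWN_HOSTS)}  # infrastructure not yet on the IOC list

def triage(root: str) -> dict:
    """Walk a tree and report encrypted files, ransom notes and the IDs the notes carry."""
    report = {"encrypted": [], "notes": [], "victim_ids": set(), "affiliate_ids": set()}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() in MAGNIBER_EXTS:
            report["encrypted"].append(str(path))
            continue
        m = NOTE_NAME_RE.match(path.name)
        if m:  # assumption: the ID in the note file name equals the URL subdomain
            report["notes"].append(str(path))
            report["victim_ids"].add(m.group("vid"))
            parsed = parse_note(path.read_text(errors="replace"))
            report["victim_ids"].update(parsed["victim_ids"])
            report["affiliate_ids"].update(parsed["affiliate_ids"])
    # Several victim IDs in one tree means notes from more than one infection (or edited notes).
    report["id_mismatch"] = len(report["victim_ids"]) > 1
    return report

def demo(vid: str = "ava10ib3t21s1xfc4p6", aff: str = "EP866p5M93wDS513") -> dict:
    """Build a constructed sample folder (IDs copied from the article) and triage it."""
    docs = Path(tempfile.mkdtemp()) / "Documents"
    docs.mkdir()
    (docs / "report.docx.ihsdj").write_bytes(b"\x00" * 16)  # stand-in for an encrypted file
    (docs / "untouched.txt").write_text("not encrypted")
    (docs / f"READ_ME_FOR_DECRYPT_{vid}.txt").write_text(
        f"http://{vid}.ofotqrmsrdc6c3rz.onion/{aff}\nhttp://{vid}.bankme.date/{aff}\n")
    return triage(str(docs))
```

Run `triage()` against a real share to list every note and encrypted file in one pass; a non-empty `unknown_hosts` from `parse_note()` is a new domain to add to blocklists.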

Magniber's My Decryptor Payment Site

Magniber's ransom note contains links to the main TOR payment site, called My Decryptor, which is located at the TOR URL [victim_id].ofotqrmsrdc6c3rz.onion. This site provides the ransom amount, the bitcoin address to which payment must be made, and information on how to purchase bitcoins. If the subdomain, or victim ID, of the URL is changed, the site will treat the request as coming from another victim and show a different bitcoin address.

My Decryptor Home Page Part 1
My Decryptor Home Page Part 2

Once a victim makes a payment to the listed bitcoin address, the payment will be shown in the Payments section of the decryptor page. After a certain number of bitcoin transaction confirmations, the page will provide a download link for the victim's unique decryptor. The current ransom amount is 0.2 bitcoins, which doubles after five days.

Also included on the site is a Support page that allows a victim to communicate with the ransomware developer.

My Decryptor Support Page

Last, but not least, there is a page that allows you to decrypt one file for free, to prove that the attackers can do so. It is not known whether this free decryption actually works.

Free File Decryption Page

As already stated, there is a possibility that this ransomware can be decrypted, so do not pay the ransom without checking with us first. For anyone who is infected with this ransomware or wants to discuss the infection, we have a dedicated support topic here: Magniber Ransomware Support & Help Topic.

How to protect yourself from the Magniber Ransomware

In order to protect yourself from Magniber, or from any ransomware, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.

You should also have security software that contains behavioral detections, such as Emsisoft Anti-Malware, Malwarebytes, or HitmanPro.Alert.

Last, but not least, make sure you practice the following good online security habits, which in many cases are the most important steps of all:

  • Backup, Backup, Backup!
  • Do not open attachments if you do not know who sent them.
  • Do not open attachments until you confirm that the person actually sent them to you.
  • Scan attachments with tools like VirusTotal.
  • Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.
  • Make sure you have some sort of security software installed.
  • Use strong passwords and never reuse the same password at multiple sites.

For a complete guide on ransomware protection, you can visit our How to Protect and Harden a Computer against Ransomware article.

IOCs

Hashes

SHA256: 2e6f9a48d854add9f895a3737fa5fcc9d38d082466765e550cca2dc47a10618e

Files associated with the Magniber Ransomware

%Temp%\[extension].exe
%Temp%\[victim_id].[extension]
READ_ME_FOR_DECRYPT_[victim_id]_.txt

Network Communication:

ofotqrmsrdc6c3rz.onion [Payment Site]
[victim_id].bankme.date [C2]
[victim_id].jobsnot.services [C2]
[victim_id].carefit.agency [C2]
[victim_id].hotdisk.world [C2]

Magniber Ransom Note:

 ALL Y0UR D0CUMENTS, PHOTOS, DATABASES AND OTHER IMP0RTANT FILES HAVE BEEN ENCRYPTED!
 ====================================================================================================
 Your files are NOT damaged! Your files are modified only. This modification is reversible.

 The only 1 way to decrypt your files is to receive the private key and decryption program.

 Any attempts to restore your files with the third-party software will be fatal for your files!
 ====================================================================================================
 To receive the private key and decryption program follow the instructions below:

 1. Download "Tor Browser" from https://www.torproject.org/ and install it.

 2. In the "Tor Browser" open your personal page here:


 http://[victim_id].ofotqrmsrdc6c3rz.onion/EP866p5M93wDS513


 Note! This page is available via "Tor Browser" only.
 ====================================================================================================
 Also you can use temporary addresses on your personal page without using "Tor Browser":


 http://[victim_id].bankme.date/EP866p5M93wDS513

 http://[victim_id].jobsnot.services/EP866p5M93wDS513

 http://[victim_id].carefit.agency/EP866p5M93wDS513

 http://[victim_id].hotdisk.world/EP866p5M93wDS513


 Note! These are temporary addresses! They will be available for a limited amount of time!

Targeted File Extensions:

doc, docx, xls, xlsx, ppt, pptx, pst, ost, msg, em, vsd, vsdx, csv, rtf, 123, wks, wk1, pdf, dwg, onetoc2, snt, docb, docm, dot, dotm, dotx, xlsm, xlsb, xlw, xlt, xlm, xlc, xltx, xltm, pptm, pot, pps, ppsm, ppsx, ppam, potx, potm, edb, hwp, 602, sxi, sti, sldx, sldm, vdi, vmx, gpg, aes, raw, cgm, nef, psd, ai, svg, djvu, sh, class, jar, java, rb, asp, php, jsp, brd, sch, dch, dip, p, vb, vbs, ps1, js, asm, h, pas, cpp, c, cs, suo, sln, ldf, mdf, ibd, myi, myd, frm, odb, dbf, db, mdb, accdb, sq, sqlitedb, sqlite3, asc, lay6, lay, mm, sxm, otg, odg, uop, std, sxd, otp, odp, wb2, slk, dif, stc, sxc, ots, ods, 3dm, max, 3ds, uot, stw, sxw, ott, odt, pem, p12, csr, crt, key, pfx, der, 1cd, cd, arw, jpe, eq, adp, odm, dbc, frx, db2, dbs, pds, pdt, dt, cf, cfu, mx, epf, kdbx, erf, vrp, grs, geo, st, pff, mft, efd, rib, ma, lwo, lws, m3d, mb, obj, x, x3d, c4d, fbx, dgn, 4db, 4d, 4mp, abs, adn, a3d, aft, ahd, alf, ask, awdb, azz, bdb, bib, bnd, bok, btr, cdb, ckp, clkw, cma, crd, dad, daf, db3, dbk, dbt, dbv, dbx, dcb, dct, dcx, dd, df1, dmo, dnc, dp1, dqy, dsk, dsn, dta, dtsx, dx, eco, ecx, emd, fcd, fic, fid, fi, fm5, fo, fp3, fp4, fp5, fp7, fpt, fzb, fzv, gdb, gwi, hdb, his, ib, idc, ihx, itdb, itw, jtx, kdb, lgc, maq, mdn, mdt, mrg, mud, mwb, s3m, ndf, ns2, ns3, ns4, nsf, nv2, nyf, oce, oqy, ora, orx, owc, owg, oyx, p96, p97, pan, pdb, pdm, phm, pnz, pth, pwa, qpx, qry, qvd, rctd, rdb, rpd, rsd, sbf, sdb, sdf, spq, sqb, stp, str, tcx, tdt, te, tmd, trm, udb, usr, v12, vdb, vpd, wdb, wmdb, xdb, xld, xlgc, zdb, zdc, cdr, cdr3, abw, act, aim, ans, apt, ase, aty, awp, awt, aww, bad, bbs, bdp, bdr, bean, bna, boc, btd, cnm, crw, cyi, dca, dgs, diz, dne, docz, dsv, dvi, dx, eio, eit, emlx, epp, err, etf, etx, euc, faq, fb2, fb, fcf, fdf, fdr, fds, fdt, fdx, fdxt, fes, fft, flr, fodt, gtp, frt, fwdn, fxc, gdoc, gio, gpn, gsd, gthr, gv, hbk, hht, hs, htc, hz, idx, ii, ipf, jis, joe, jp1, jrtf, kes, klg, knt, kon, kwd, lbt, lis, lit, lnt, lp2, lrc, lst, ltr, ltx, lue, luf, lwp, 
lyt, lyx, man, map, mbox, me, mel, min, mnt, mwp, nfo, njx, now, nzb, ocr, odo, of, oft, ort, p7s, pfs, pjt, prt, psw, pu, pvj, pvm, pwi, pwr, qd, rad, rft, ris, rng, rpt, rst, rt, rtd, rtx, run, rzk, rzn, saf, sam, scc, scm, sct, scw, sdm, sdoc, sdw, sgm, sig, sla, sls, smf, sms, ssa, sty, sub, sxg, tab, tdf, tex, text, thp, tlb, tm, tmv, tmx, tpc, tvj, u3d, u3i, unx, uof, upd, utf8, utxt, vct, vnt, vw, wbk, wcf, wgz, wn, wp, wp4, wp5, wp6, wp7, wpa, wpd, wp, wps, wpt, wpw, wri, wsc, wsd, wsh, wtx, xd, xlf, xps, xwp, xy3, xyp, xyw, ybk, ym, zabw, zw, abm, afx, agif, agp, aic, albm, apd, apm, apng, aps, apx, art, asw, bay, bm2, bmx, brk, brn, brt, bss, bti, c4, ca, cals, can, cd5, cdc, cdg, cimg, cin, cit, colz, cpc, cpd, cpg, cps, cpx, cr2, ct, dc2, dcr, dds, dgt, dib, djv, dm3, dmi, vue, dpx, wire, drz, dt2, dtw, dv, ecw, eip, exr, fa, fax, fpos, fpx, g3, gcdp, gfb, gfie, ggr, gih, gim, spr, scad, gpd, gro, grob, hdp, hdr, hpi, i3d, icn, icon, icpr, iiq, info, ipx, itc2, iwi, j, j2c, j2k, jas, jb2, jbig, jbmp, jbr, jfif, jia, jng, jp2, jpg2, jps, jpx, jtf, jw, jxr, kdc, kdi, kdk, kic, kpg, lbm, ljp, mac, mbm, mef, mnr, mos, mpf, mpo, mrxs, my, ncr, nct, nlm, nrw, oc3, oc4, oc5, oci, omf, oplc, af2, af3, asy, cdmm, cdmt, cdmz, cdt, cmx, cnv, csy, cv5, cvg, cvi, cvs, cvx, cwt, cxf, dcs, ded, dhs, dpp, drw, dxb, dxf, egc, emf, ep, eps, epsf, fh10, fh11, fh3, fh4, fh5, fh6, fh7, fh8, fif, fig, fmv, ft10, ft11, ft7, ft8, ft9, ftn, fxg, gem, glox, hpg, hpg, hp, idea, igt, igx, imd, ink, lmk, mgcb, mgmf, mgmt, mt9, mgmx, mgtx, mmat, mat, ovp, ovr, pcs, pfv, plt, vrm, pobj, psid, rd, scv, sk1, sk2, ssk, stn, svf, svgz, tlc, tne, ufr, vbr, vec, vm, vsdm, vstm, stm, vstx, wpg, vsm, xar, ya, orf, ota, oti, ozb, ozj, ozt, pa, pano, pap, pbm, pc1, pc2, pc3, pcd, pdd, pe4, pef, pfi, pgf, pgm, pi1, pi2, pi3, pic, pict, pix, pjpg, pm, pmg, pni, pnm, pntg, pop, pp4, pp5, ppm, prw, psdx, pse, psp, ptg, ptx, pvr, px, pxr, pz3, pza, pzp, pzs, z3d, qmg, ras, rcu, rgb, rgf, ric, riff, 
rix, rle, rli, rpf, rri, rs, rsb, rsr, rw2, rw, s2mv, sci, sep, sfc, sfw, skm, sld, sob, spa, spe, sph, spj, spp, sr2, srw, wallet, jpeg, jpg, vmdk, arc, paq, bz2, tbk, bak, tar, tgz, gz, 7z, rar, zip, backup, iso, vcd, bmp, png, gif, tif, tiff, m4u, m3u, mid, wma, flv, 3g2, mkv, 3gp, mp4, mov, avi, asf, mpeg, vob, mpg, wmv, fla, swf, wav, mp3