Magniber is a new ransomware being distributed by the Magnitude Exploit Kit that appears to be the successor to the Cerber Ransomware. While many aspects of the Magniber Ransomware are different than Cerber, the payment system and the files it encrypts are very similar.
Magniber was first discovered by security researcher Michael Gillespie when he saw victims uploading encrypted files and ransom notes to his ID-Ransomware site. Then, on October 16th, security researchers Kafeine, Joseph Chen, and malc0de discovered that the Magnitude exploit kit, which was previously the last distributor of Cerber, had begun to distribute a new ransomware that was specifically targeting South Korean victims.
Thus Magniber (Magnitude+Cerber) was born.
The good news is that this ransomware may be decryptable, so do not pay the ransom without contacting us first. For anyone who is infected with this ransomware or wants to discuss the infection, we have a dedicated Magniber Ransomware Support & Help Topic.
Kafeine and Joseph Chen discovered that Magniber is being distributed through malvertisements displayed by the Magnitude exploit kit that are specifically targeting users from South Korea. In a report by Trend Micro, fraud researcher Joseph Chen explains how the Magnitude exploit kit is currently focusing on victims in South Korea.
Using malvertisements on web sites owned by the attackers, the exploit kit attempts to use a vulnerability in Internet Explorer to install the Magniber Ransomware. This is why it is so important for all users to make sure they install available security updates for programs that they have installed on their computer.
While victims are still submitting reports to ID-Ransomware, since mid-September Cerber has almost gone silent, with no major distribution campaigns underway. Kafeine then noted that the Magnitude exploit kit was the last distributor he knew of for Cerber, and that it too had stopped distributing Cerber in September.
Suddenly, Magnitude, the last known distributor of Cerber, began to distribute another ransomware that has the exact same payment site as Cerber. While this does not mean that Magniber shares the same code base, which I do not believe it does, it may be possible that the payment system was migrated to Magniber.
A unique feature of the Magniber ransomware is how a victim logs into the TOR payment site. Usually a ransomware will create a unique victim ID when it is first run. This victim ID is then added to the ransom note, and a victim must use it to log in to their dedicated payment page on the TOR site.
Magniber does it a bit differently. Instead of having a victim log in with the ID, it uses the ID as a subdomain of the TOR site. For example, a ransom note may contain the http://ava10ib3t21s1xfc4p6.bankme.date/ link to the TOR payment site. In that URL, the ava10ib3t21s1xfc4p6 subdomain is the victim's ID.
malc0de discovered that when Magniber is first run, it checks the language that was used when Windows was installed. If it is not Korean, it terminates the process and does not encrypt the computer. If it is Korean, it generates a unique victim ID that is used in the ransom notes and when accessing the TOR payment site, as described above.
The ransomware will then begin encrypting the data on the computer by searching for files that have certain file extensions. The current list of targeted extensions is given at the end of this article.
When it encounters a targeted file type, it will encrypt the file and append an extension to the encrypted file's name. We have seen two different extensions being used depending on the executable that was analyzed, so the extension may change with each distribution campaign or affiliate. At this time, we have seen both the .ihsdj and .kgpvwnr extensions being used.
When searching for files to encrypt, Magniber will skip files whose path contains the following strings:
:\$recycle.bin\
:\$windows.~bt\
:\boot\
:\documents and settings\all users\
:\documents and settings\default user\
:\documents and settings\localservice\
:\documents and settings\networkservice\
:\program files\
:\program files (x86)\
:\programdata\
:\recovery\
:\recycler\
:\users\all users\
:\windows\
:\windows.old\
\appdata\local\
\appdata\locallow\
\appdata\roaming\adobe\flash player\
\appData\roaming\apple computer\safari\
\appdata\roaming\ati\
\appdata\roaming\intel\
\appdata\roaming\intel corporation\
\appdata\roaming\google\
\appdata\roaming\macromedia\flash player\
\appdata\roaming\mozilla\
\appdata\roaming\nvidia\
\appdata\roaming\opera\
\appdata\roaming\opera software\
\appdata\roaming\microsoft\internet explorer\
\appdata\roaming\microsoft\windows\
\application data\microsoft\
\local settings\
\public\music\sample music\
\public\pictures\sample pictures\
\public\videos\sample videos\
\tor browser\
While encrypting the computer, Magniber will create a ransom note named READ_ME_FOR_DECRYPT_[id].txt in each folder in which a file is encrypted.
These ransom notes contain instructions on what has happened to your data and links to a TOR decryption service where a victim can find out the ransom amount and payment instructions. As already stated, the subdomain of the URLs in the ransom note is the victim's actual ID, and the string at the end of the URL, for example EP866p5M93wDS513 in the image above, may be an affiliate ID.
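To make the file-selection behaviour described above concrete for triage, here is an added example (not code from the article, and not Magniber's own logic) that applies the skipped-path fragments and targeted extensions from this article to a set of constructed Windows paths, and separately recognises the artifacts an infected folder would contain: files carrying the observed .ihsdj or .kgpvwnr suffix and READ_ME_FOR_DECRYPT_[id].txt notes. The lowercase substring matching, the subset of both lists used here, and the sample paths are assumptions made for the example.

```python
import ntpath
import re

# Subset of the skipped path fragments from the article's list. Case-insensitive
# substring matching is an assumption made for this example, not confirmed by the article.
SKIPPED_FRAGMENTS = (
    ":\\$recycle.bin\\", ":\\windows\\", ":\\windows.old\\", ":\\program files\\",
    ":\\program files (x86)\\", ":\\programdata\\", ":\\recovery\\",
    "\\appdata\\local\\", "\\appdata\\locallow\\", "\\appdata\\roaming\\mozilla\\",
    "\\appdata\\roaming\\microsoft\\windows\\", "\\tor browser\\",
)

# Subset of the targeted extensions from the article's list (without the leading dot).
TARGETED_EXTENSIONS = frozenset((
    "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "hwp", "jpg", "jpeg",
    "png", "zip", "7z", "rar", "bak", "sqlite3", "mdb", "kdbx", "pem", "key",
    "pfx", "vmdk", "iso",
))

# Suffixes the article reports being appended to encrypted files.
ENCRYPTED_SUFFIXES = (".ihsdj", ".kgpvwnr")

# Ransom note name; the article shows it both with and without a trailing underscore.
NOTE_RE = re.compile(r"READ_ME_FOR_DECRYPT_([A-Za-z0-9]+)_?\.txt", re.IGNORECASE)


def would_target(path):
    """True if a file at this path falls inside Magniber's selection criteria."""
    lowered = path.lower()
    if any(fragment in lowered for fragment in SKIPPED_FRAGMENTS):
        return False
    extension = ntpath.splitext(lowered)[1].lstrip(".")
    return extension in TARGETED_EXTENSIONS


def classify_artifact(path):
    """Return ("ransom_note", victim_id), ("encrypted", None) or (None, None)."""
    name = ntpath.basename(path)
    match = NOTE_RE.fullmatch(name)
    if match:
        return ("ransom_note", match.group(1))
    if name.lower().endswith(ENCRYPTED_SUFFIXES):
        return ("encrypted", None)
    return (None, None)


def triage(paths):
    """Sort paths into at-risk, skipped/untargeted, already-encrypted and notes by victim ID."""
    report = {"at_risk": [], "skipped_or_untargeted": [], "encrypted": [], "notes": {}}
    for path in paths:
        kind, victim_id = classify_artifact(path)
        if kind == "ransom_note":
            report["notes"].setdefault(victim_id, []).append(path)
        elif kind == "encrypted":
            report["encrypted"].append(path)
        elif would_target(path):
            report["at_risk"].append(path)
        else:
            report["skipped_or_untargeted"].append(path)
    return report


# Constructed sample paths; the victim ID is the example ID quoted in the article.
SAMPLE_PATHS = (
    r"C:\Users\kim\Documents\report.docx",
    r"C:\Users\kim\Documents\report.docx.ihsdj",
    r"C:\Users\kim\Documents\READ_ME_FOR_DECRYPT_ava10ib3t21s1xfc4p6.txt",
    r"C:\Windows\Temp\leftover.docx",
    r"C:\Users\kim\AppData\Local\Temp\cache.pdf",
    r"C:\Users\kim\Desktop\notes.txt",
    r"C:\Users\kim\Pictures\trip.jpg",
)

if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_PATHS).items():
        print(bucket, entries)
```

Note that plain .txt is absent from the article's extension list, so notes.txt is reported as untargeted, while the .docx under C:\Windows and the .pdf under AppData\Local are excluded by path rather than by type; a responder walking a real tree would feed it os.walk output instead of SAMPLE_PATHS.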
More information about the payment site can be found in the next section.
Magniber's ransom note contains links to the main TOR payment site, called My Decryptor, which is located at the TOR URL [victim_id].ofotqrmsrdc6c3rz.onion. This site provides information on the ransom amount, the bitcoin address to which payment must be made, and information on how to purchase bitcoins. If the subdomain, or victim ID, of the URL is changed, the site will think it is for another victim and change the bitcoin address.
Once a victim makes a payment to the listed bitcoin address, their payment will be shown in the Payments section of the decryptor page. After a certain number of bitcoin transaction confirmations, this page will then provide a download link for the victim's unique decryptor. The current ransom amount is 0.2 bitcoins, which doubles after five days.
Also included on the site is a Support page that allows a victim to communicate with the ransomware developer.
Last, but not least, there is a page that allows you to decrypt one file for free to prove that they can do so. It is not known whether this free decryption works or not.
As already stated, there is a possibility that this ransomware can be decrypted, so do not pay the ransom without checking with us first. For anyone who is infected with this ransomware or wants to discuss the infection, we have a dedicated support topic here: Magniber Ransomware Support & Help Topic.
In order to protect yourself from Magniber, or from any ransomware, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.
Last, but not least, make sure you practice the following good online security habits, which in many cases are the most important steps of all:
For a complete guide on ransomware protection, you can visit our How to Protect and Harden a Computer against Ransomware article.
Files Associated with the Magniber Ransomware:
%Temp%\[extension].exe
%Temp%\[victim_id].[extension]
READ_ME_FOR_DECRYPT_[victim_id]_.txt
Network Communication:
ofotqrmsrdc6c3rz.onion [Payment Site]
[victim_id].bankme.date [C2]
[victim_id].jobsnot.services [C2]
[victim_id].carefit.agency [C2]
[victim_id].hotdisk.world [C2]
Ransom Note Text:
ALL Y0UR D0CUMENTS, PHOTOS, DATABASES AND OTHER IMP0RTANT FILES HAVE BEEN ENCRYPTED!
====================================================================================================
Your files are NOT damaged! Your files are modified only. This modification is reversible.
The only 1 way to decrypt your files is to receive the private key and decryption program.
Any attempts to restore your files with the third-party software will be fatal for your files!
====================================================================================================
To receive the private key and decryption program follow the instructions below:
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here:
http://[victim_id].ofotqrmsrdc6c3rz.onion/EP866p5M93wDS513
Note! This page is available via "Tor Browser" only.
====================================================================================================
Also you can use temporary addresses on your personal page without using "Tor Browser":
http://[victim_id].bankme.date/EP866p5M93wDS513
http://[victim_id].jobsnot.services/EP866p5M93wDS513
http://[victim_id].carefit.agency/EP866p5M93wDS513
http://[victim_id].hotdisk.world/EP866p5M93wDS513
Note! These are temporary addresses! They will be available for a limited amount of time!
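Because the victim ID lives in the subdomain and the possible affiliate ID in the URL path, a responder can pull both, plus the payment and C2 domains, straight out of a recovered note. The following is an added example (not code from the article) that does this over a constructed note: the article's note text with [victim_id] replaced by the example ID ava10ib3t21s1xfc4p6 quoted earlier in the article. The parsing rules (URL regex, treating any link without a path token as a non-indicator) are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the article's note with [victim_id] filled in using the
# example ID from the article. This is not a captured artifact.
SAMPLE_NOTE = """\
ALL Y0UR D0CUMENTS, PHOTOS, DATABASES AND OTHER IMP0RTANT FILES HAVE BEEN ENCRYPTED!
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here:
http://ava10ib3t21s1xfc4p6.ofotqrmsrdc6c3rz.onion/EP866p5M93wDS513
Also you can use temporary addresses on your personal page without using "Tor Browser":
http://ava10ib3t21s1xfc4p6.bankme.date/EP866p5M93wDS513
http://ava10ib3t21s1xfc4p6.jobsnot.services/EP866p5M93wDS513
http://ava10ib3t21s1xfc4p6.carefit.agency/EP866p5M93wDS513
http://ava10ib3t21s1xfc4p6.hotdisk.world/EP866p5M93wDS513
"""

# Onion address of the payment site, as given in the article.
KNOWN_PAYMENT_ONION = "ofotqrmsrdc6c3rz.onion"

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def parse_note(text):
    """Extract victim ID, URL path token and payment/C2 domains from ransom note text."""
    victim_ids, tokens, onion, clearnet = set(), set(), set(), set()
    for url in URL_RE.findall(text):
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        token = parts.path.strip("/")
        # Links without a path token (the Tor Project download link, for example)
        # are not personal payment pages and are left out of the indicators.
        if not token or "." not in host:
            continue
        subdomain, _, parent = host.partition(".")
        victim_ids.add(subdomain)
        tokens.add(token)
        (onion if parent.endswith(".onion") else clearnet).add(parent)
    return {
        # A single consistent ID across every link; None if the note is ambiguous.
        "victim_id": next(iter(victim_ids)) if len(victim_ids) == 1 else None,
        "path_token": next(iter(tokens)) if len(tokens) == 1 else None,
        "all_victim_ids": sorted(victim_ids),
        "onion_domains": sorted(onion),
        "clearnet_domains": sorted(clearnet),
    }


def matches_magniber(parsed):
    """True when the note points at the payment onion reported for Magniber."""
    return KNOWN_PAYMENT_ONION in parsed["onion_domains"]


def watchlist(parsed):
    """Hostnames to search for in proxy/DNS logs for this particular victim."""
    victim_id = parsed["victim_id"]
    if victim_id is None:
        return []
    return [f"{victim_id}.{domain}" for domain in parsed["clearnet_domains"]]


if __name__ == "__main__":
    result = parse_note(SAMPLE_NOTE)
    print(result)
    print("Magniber note:", matches_magniber(result))
    print("Watch for:", watchlist(result))
```

The extracted victim ID is what a victim would submit along with an encrypted file to ID-Ransomware, and the per-victim hostnames returned by watchlist are what a DNS or proxy log search would confirm, since the clearnet C2 domains carry the same subdomain as the note.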
Targeted File Extensions:
doc, docx, xls, xlsx, ppt, pptx, pst, ost, msg, em, vsd, vsdx, csv, rtf, 123, wks, wk1, pdf, dwg, onetoc2, snt, docb, docm, dot, dotm, dotx, xlsm, xlsb, xlw, xlt, xlm, xlc, xltx, xltm, pptm, pot, pps, ppsm, ppsx, ppam, potx, potm, edb, hwp, 602, sxi, sti, sldx, sldm, vdi, vmx, gpg, aes, raw, cgm, nef, psd, ai, svg, djvu, sh, class, jar, java, rb, asp, php, jsp, brd, sch, dch, dip, p, vb, vbs, ps1, js, asm, h, pas, cpp, c, cs, suo, sln, ldf, mdf, ibd, myi, myd, frm, odb, dbf, db, mdb, accdb, sq, sqlitedb, sqlite3, asc, lay6, lay, mm, sxm, otg, odg, uop, std, sxd, otp, odp, wb2, slk, dif, stc, sxc, ots, ods, 3dm, max, 3ds, uot, stw, sxw, ott, odt, pem, p12, csr, crt, key, pfx, der, 1cd, cd, arw, jpe, eq, adp, odm, dbc, frx, db2, dbs, pds, pdt, dt, cf, cfu, mx, epf, kdbx, erf, vrp, grs, geo, st, pff, mft, efd, rib, ma, lwo, lws, m3d, mb, obj, x, x3d, c4d, fbx, dgn, 4db, 4d, 4mp, abs, adn, a3d, aft, ahd, alf, ask, awdb, azz, bdb, bib, bnd, bok, btr, cdb, ckp, clkw, cma, crd, dad, daf, db3, dbk, dbt, dbv, dbx, dcb, dct, dcx, dd, df1, dmo, dnc, dp1, dqy, dsk, dsn, dta, dtsx, dx, eco, ecx, emd, fcd, fic, fid, fi, fm5, fo, fp3, fp4, fp5, fp7, fpt, fzb, fzv, gdb, gwi, hdb, his, ib, idc, ihx, itdb, itw, jtx, kdb, lgc, maq, mdn, mdt, mrg, mud, mwb, s3m, ndf, ns2, ns3, ns4, nsf, nv2, nyf, oce, oqy, ora, orx, owc, owg, oyx, p96, p97, pan, pdb, pdm, phm, pnz, pth, pwa, qpx, qry, qvd, rctd, rdb, rpd, rsd, sbf, sdb, sdf, spq, sqb, stp, str, tcx, tdt, te, tmd, trm, udb, usr, v12, vdb, vpd, wdb, wmdb, xdb, xld, xlgc, zdb, zdc, cdr, cdr3, abw, act, aim, ans, apt, ase, aty, awp, awt, aww, bad, bbs, bdp, bdr, bean, bna, boc, btd, cnm, crw, cyi, dca, dgs, diz, dne, docz, dsv, dvi, dx, eio, eit, emlx, epp, err, etf, etx, euc, faq, fb2, fb, fcf, fdf, fdr, fds, fdt, fdx, fdxt, fes, fft, flr, fodt, gtp, frt, fwdn, fxc, gdoc, gio, gpn, gsd, gthr, gv, hbk, hht, hs, htc, hz, idx, ii, ipf, jis, joe, jp1, jrtf, kes, klg, knt, kon, kwd, lbt, lis, lit, lnt, lp2, lrc, lst, ltr, ltx, lue, luf, lwp, 
lyt, lyx, man, map, mbox, me, mel, min, mnt, mwp, nfo, njx, now, nzb, ocr, odo, of, oft, ort, p7s, pfs, pjt, prt, psw, pu, pvj, pvm, pwi, pwr, qd, rad, rft, ris, rng, rpt, rst, rt, rtd, rtx, run, rzk, rzn, saf, sam, scc, scm, sct, scw, sdm, sdoc, sdw, sgm, sig, sla, sls, smf, sms, ssa, sty, sub, sxg, tab, tdf, tex, text, thp, tlb, tm, tmv, tmx, tpc, tvj, u3d, u3i, unx, uof, upd, utf8, utxt, vct, vnt, vw, wbk, wcf, wgz, wn, wp, wp4, wp5, wp6, wp7, wpa, wpd, wp, wps, wpt, wpw, wri, wsc, wsd, wsh, wtx, xd, xlf, xps, xwp, xy3, xyp, xyw, ybk, ym, zabw, zw, abm, afx, agif, agp, aic, albm, apd, apm, apng, aps, apx, art, asw, bay, bm2, bmx, brk, brn, brt, bss, bti, c4, ca, cals, can, cd5, cdc, cdg, cimg, cin, cit, colz, cpc, cpd, cpg, cps, cpx, cr2, ct, dc2, dcr, dds, dgt, dib, djv, dm3, dmi, vue, dpx, wire, drz, dt2, dtw, dv, ecw, eip, exr, fa, fax, fpos, fpx, g3, gcdp, gfb, gfie, ggr, gih, gim, spr, scad, gpd, gro, grob, hdp, hdr, hpi, i3d, icn, icon, icpr, iiq, info, ipx, itc2, iwi, j, j2c, j2k, jas, jb2, jbig, jbmp, jbr, jfif, jia, jng, jp2, jpg2, jps, jpx, jtf, jw, jxr, kdc, kdi, kdk, kic, kpg, lbm, ljp, mac, mbm, mef, mnr, mos, mpf, mpo, mrxs, my, ncr, nct, nlm, nrw, oc3, oc4, oc5, oci, omf, oplc, af2, af3, asy, cdmm, cdmt, cdmz, cdt, cmx, cnv, csy, cv5, cvg, cvi, cvs, cvx, cwt, cxf, dcs, ded, dhs, dpp, drw, dxb, dxf, egc, emf, ep, eps, epsf, fh10, fh11, fh3, fh4, fh5, fh6, fh7, fh8, fif, fig, fmv, ft10, ft11, ft7, ft8, ft9, ftn, fxg, gem, glox, hpg, hpg, hp, idea, igt, igx, imd, ink, lmk, mgcb, mgmf, mgmt, mt9, mgmx, mgtx, mmat, mat, ovp, ovr, pcs, pfv, plt, vrm, pobj, psid, rd, scv, sk1, sk2, ssk, stn, svf, svgz, tlc, tne, ufr, vbr, vec, vm, vsdm, vstm, stm, vstx, wpg, vsm, xar, ya, orf, ota, oti, ozb, ozj, ozt, pa, pano, pap, pbm, pc1, pc2, pc3, pcd, pdd, pe4, pef, pfi, pgf, pgm, pi1, pi2, pi3, pic, pict, pix, pjpg, pm, pmg, pni, pnm, pntg, pop, pp4, pp5, ppm, prw, psdx, pse, psp, ptg, ptx, pvr, px, pxr, pz3, pza, pzp, pzs, z3d, qmg, ras, rcu, rgb, rgf, ric, riff, 
rix, rle, rli, rpf, rri, rs, rsb, rsr, rw2, rw, s2mv, sci, sep, sfc, sfw, skm, sld, sob, spa, spe, sph, spj, spp, sr2, srw, wallet, jpeg, jpg, vmdk, arc, paq, bz2, tbk, bak, tar, tgz, gz, 7z, rar, zip, backup, iso, vcd, bmp, png, gif, tif, tiff, m4u, m3u, mid, wma, flv, 3g2, mkv, 3gp, mp4, mov, avi, asf, mpeg, vob, mpg, wmv, fla, swf, wav, mp3