Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · May 2020

How to remove Magniber ransomware virus

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Alice Woods · Likes to teach users about virus prevention

Magniber – a dangerous ransomware virus which returns with the stronger version to infect Korean PC users

The image reflecting Magniber payment site

Magniber is dangerous crypto-virus that first showed up in October 2017. Its name originates from two words: Magnitude (ransomware was spread using Magnitude exploit kit) and Cerber. Malware uses AES-128 to lock up data and ads file extension consisting of 5 to 9 letters. It then demands a ransom of 0.2 BTC, which later doubles to 0.4 BTC. Although South Korean cybersecurity researchers managed to create a decryptor for most variants of Magniber virus, it came back stronger in July 2018 with updated obfuscation techniques. While it was targeting Korean users exclusively, its spectrum has been expanded with the ability to encrypt files of Chinese and Malaysian victims. The ransomware adds .dyaaghemy file extension and, at the time of the writing, is not decryptable.

SUMMARY
Name Magniber ransowmare
Type Crypto-virus
Associated with Cerber virus
Exploit used Magnitude exploit kit
Demanded ransom 0.2 BTC; 0.4BTC in five days
Extensions used

.fprgbk; .ihsdj; .kgpvwnr; .vbdrj; .skvtb; .vpgvlkb; .dlenggrl; .dxjay; .fbuvkngy; .xhspythxn; .demffue; .mftzmxqo; .qmdjtc; .wmfxdqz; .ndpyhss, .dyaaghemy

Symtoms Encrypted files
Distribution CVE-2016-0189 vulnerability in Internet Explorer
Elimination Download and install FortectIntego, SpyHunterCombo Cleaner or MalwarebytesMalwarebytes. Reboot PC in safe mode
Decryption Available here (newest versions)and
GitHub Gist · evilsocket
View on GitHub →

Magniber cyber threat was noticed spreading via Magnitude exploit kit. This exploit kit has been used by Cerber virus. However, it’s not the only similarity to the infamous ransomware.[1].

Originally, the crypto-virus targeted South Korean computer users only. However, it is now been spotted in other Asian countries – China and Malaysia. Interestingly, the malware terminates itself (by deleting its ping.exe[2] executable file) if it detects other than the Korean, Chinese or Malaysian language.

Magniber - the deadly virus

The malware is using AES cipher. Before the end of March 2018, it was almost impossible to decrypt files without AES key. However, South Korean cybersecurity experts managed to crack the code for most of the Magniber ransomware versions.

This fact sparks suspicion that North Korean hackers might have created the malware. Such an assumption is not baseless taking into account the cyber capabilities of this country[3] However, this theory still needs evidence.

Magniber ransomware is designed to encrypt files and demand to pay the ransom. Malware has been updated several times and the latest updates were spotted in June 2018.[4] This version adds .ndpyhss file extension and drops a ransom note README.txt.

Each of the new variant appends different file extension. Currently, malware locks files with these suffixes:

  • .fprgbk;
  • .ihsdj;
  • .kgpvwnr;
  • .vbdrj[5];
  • .skvtb;
  • .vpgvlkb;
  • .dlenggrl;
  • .dxjay;
  • .fbuvkngy;
  • .xhspythxn;
  • .demffue;
  • .mftzmxqo;
  • .qmdjtc;
  • .wmfxdqz;
  • .ndpyhss

After data encryption, malware offers to buy My Decryptor to restore corrupted files. At the moment, it costs 0.2 bitcoins ($1140). It will double to 0.4 after five days. Do not remit the payment as the malware is decryptable. Instead, concentrate on Magniber removal. FortectIntego or MalwarebytesMalwarebytes is a reliable security software that can help in a quick malware elimination.

The sample of Magniber trojan names

Previous attempts to crack the malicious code

Simone “evilsocket” Margaritelli, the researcher for mobile security company Zimperium, managed to create a

GitHub Gist · evilsocket
View on GitHub →
that might help to restore files after the Magniber attack. However, in order to use it, victims have to know the AES key.

According to the researcher, the decryptor should work if victims were infected from a non-Korean IP address or they cannot connect to Command & Control (C&C) server. These people should know the hardcoded key and IV which should be included in the ransomware’s code.

A South Korea-based security expert team released new decryptors

At the end of March 2018, security researchers from AhnLab released multiple decryptors for different types of Magniber virus. The recovery tool functions based on an encryption bug that was left out by hackers.

Below you can see the table showing which versions of Magniber ransomware can be now decrypted:

Decrypter release date Recoverable file extension Victim Key Magniber payment site vector  Download Link
 3/30  kympzmzw  Jg5jU6J89CUf9C55  i9w97ywz50w59RQY MagniberDecrypt.zip
 3/30  owxpzylj  u4p819wh1464r6J9  mbfRHUlbKJJ7024P MagniberDecrypt.zip
 3/30  prueitfik  EV8n879gAC6080r6  Z123yA89q3m063V9 MagniberDecrypt.zip
 3/31 rwighmoz   BF16W5aDYzi751NB  B33hQK9E6Sc7P69B MagniberDecrypt.zip
 3/31  bnxzoucsx  E88SzQ33TRi0P9g6  Bo3AIJyWc7iuOp91 MagniberDecrypt.zip
 3/31  tzdbkjry n9p2n9Io32Br75pN  ir922Y7f83bb7G12  MagniberDecrypt.zip
 4/1  iuoqetgb  QEsN9KZXSp61P956 lM174P1e6J24bZt1  MagniberDecrypt.zip
 4/1 pgvuuryti   KHp4217jeDx019Uk  A4pTQ6886b401JR5 MagniberDecrypt.zip
 4/2  zpnjelt  LyAAS6Ovr647GO65  nS3A41k9pccn03J2 MagniberDecrypt.zip
 4/2  gnhnzhu  I0727788KuT5kAqL  sCnHApaa61l5U2R0 MagniberDecrypt.zip
 4/3  hssjfbd  u5f1d693LGkEgX07  kV35Z1K3JB7z6P06 MagniberDecrypt.zip
 4/3  ldolfoxwu  i24720y16f10qJ21  fX5U9Z6A2j8ZUvkO MagniberDecrypt.zip
 4/3  zskgavp  nuu9WO56Gc0N5hn7  ASY0d6dlyrEH6385 MagniberDecrypt.zip
 4/3  gwinpyizt  dcQOje3dzW469125  T5438Nl5VI62XxM8 MagniberDecrypt.zip

Security experts seem to release new versions in short intervals. Thus, this information might be outdated really soon. To check for the latest releases, check AhnLab's website.

Magniber virus decryption

Cerber and Magniber analogies

Though it uses the same payment site, its source code seems to be much less elaborate than Cerber‘s. Therefore, it gives hope that the virus can be decrypted[6]. After infiltrating the system, the malware encodes data and appends either .ihsdj or .kgpvwnr extension. Furthermore, it will open the ransom file called as READ_ME_FOR_DECRYPT_[id].txt file.

It contains the typical text explaining that all documents, photos, and databases have been encrypted. The very manner of the written text slightly differs, though, in contrast to the original Cerber’s note.

Furthermore, Magniber virus manifests a peculiar feature. Usually, ransomware threats assign the infected devices user’s ID. Furthermore, affected users have to enter the code into an indicated Tor website in order to proceed with data decryption.

On the other hand, Magniber crypto-malware directs users to a subdomain, containing the victim’s ID, of the payment site. It is divided into four sections: Homepage, Support, Decrypt 1 file for FREE and Reload content page.

The crypto-virus also evades certain directories when looking for encryptable files. As common for ransomware, it skips Program Files, Recycle Bin, local settings, and certain AppData subfolders. Furthermore, the malware has the ability to change payment bitcoin address if it identifies an URL with a different victim’s ID.

Magniber ransomware encrypts all files

Magniber ransomware came back stronger in July 2018

Security researchers from Malwarebytes Labs published[7] a detailed technical report of a new sample of Magniber virus. According to experts, the ransomware has undergone some tremendous changes during the past year and came back even more powerful.

The first significant change in the code of the virus is the capabilities of the infection. The new Magniber now targets users outside of South Korea, i.e., the virus deploys its payload whenever it detects South Korean, Chinese (Macau, China, Singapore) or Malay (Malaysia, Brunei) keyboard languages. Thus, researchers speculate that it will expand even more, and users around the world could be affected by this threat.

The new Magniber version is utilizing Magnitude exploit kit makes use of Internet Explorer zero-day vulnerability (CVE-2018-8174), which was first discovered in April this year, and patched next month. Therefore, users who are updating their browsers on time should be safe from the new Magniber virus attack. Furthermore, the virus is rather unsuccessful when it comes to other modern day browsers, such as Google Chrome or Mozilla Firefox.

Magniber ransomware no longer relies on the Command & Control server or the hardcoded key, as well as uses improved obfuscation methods. The enhanced version of the virus encrypts files by adding .dyaaghemy appendix, and as of now, this variant of Magniber is not decryptable. 

Magniber ransomware comes back stronger

Magnitude exploit kit was used to spread crypto-virus

As previously mentioned, at the moment, the malware is spread with the assistance of Magnitude exploit kit. It targets a particular CVE-2016-0189 vulnerability in Internet Explorer[8]. This flaw has been fixed already. Thus, if you are using the browser, make sure it is updated.

If the exploit kit detects the vulnerability in a user’s browser, the kit directs them to a fraudulent website which is customized according to a victim geolocation. Such sites are likely to include a link. Activating it would download the malware and begin Magniber hijack.

At the moment, the malware only targets South Korea, but soon it may extend its activities in other East Asian countries, for instance, Japanese[9] sites. Thus, make a rush to remove Magniber.

Eliminate Magniber virus and then proceed with the file recovery

Though the malware tries to persuade that it is the latest Cerber version, differences in the operation mode and source code trigger speculations whether the developers are the same. Though security experts state that the malware is Cerber in fact, less elaborate source code contradicts such statement.

In any case, the malware elimination should be your top priority. Do not waste time on meddling with the virus manually. Install a security tool, for instance, FortectIntego or SpyHunterCombo Cleaner, to remove Magniber virus. The virus might prevent you from starting security software. In that case, boot the system in Safe Mode and launch the program. Below instructions display further instructions on how to do it. Only when Magniber removal is complete, proceed to data recovery. 

Be the first to comment

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.