Cerber emerges as Magniber ransomware, hits South Korea hard

Location-based Magniber ransomware strikes to South Korean computer users

Magniber ransomware wreaks havoc in South Korea

Magniber virus is distributed using Magnitude exploit kit[1] and explicitly targets users from South Korea. It can also be recognized as My Decryptor ransomware since it uses this name in the payment sites individualized for each victim. Once infiltrated, it detects the language installed in the system. If it matches the 0x0412 locale ID’s string, identifying Korean region, the crypto-ransomware starts the data encryption.[2]

Afterwards, READ_ME_FOR_DECRYPT_[id].txt file is created that can be accepted as a “ransom note.” Cybercriminals inform users about the data encryption and provide a personal link leading to the ransom payment page on Tor Browser. There are also several other temporary addresses that can be accessed without using Tor browser; However, they deactivate after a specified period of time.

The attackers demand to pay 0.2 Bitcoin ransom. Today, the value of the required amount of cryptocurrency exceeds $1100 which even doubles if the victim fails to make a transaction within five days. We want to warn you not to trust criminals because there are no guarantees that you won’t be asked to pay even more money for a decryption key. Focus on the safe Magniber removal instead and try to recover your files from the backup copies stored in the Cloud.

Magniber might be the new Cerber variant

Researchers believe that the defined malware is inextricably linked to dangerous Cerber ransomware. Both virus' variants use similar payment pages and methods for file encryption. Besides, analysts noticed significant decreases of Cerber distribution before Magniber first occurred. Thus, the computer users should be aware of the possible consequences that may arise from this “new variant” of harmful Cerber virus.[3]

Users can quickly recognize Magniber by checking the file-name of the encrypted data. The malicious program typically adds .kgpvwnr or .ihsdj extension marks at the end. Also, you should be aware that the virus targets only to encrypt files with specific extensions. Thus, once the computer is infected, not all of its data will be encoded – system files will be bypassed to keep the computer running.

However, users should not think that it will do less harm. Cerber ransomware is the perfect example of possible permanent damages this new variant may cause.

Magnitude Exploit Kit pushes malware without stopping

Magnitude Exploit Kit is a specific tool pack that is used to detect system vulnerabilities and use them to inject Cerber, and now, Magniber virus into unprotected computers.

It has started its activity early in 2013 and was offered to cybercriminals globally. However, now it focuses on private hacker groups. From the second half of 2016, this exploit kit targets victims from Asian countries.

Magnitude Exploit Kit works as a 4-stage toolkit to infect victim’s computer:

1. Contact;
2. Redirect;
3. Exploit;
4. Infect;

Firstly, hackers take advantage of malicious advertisements[4] promoted on legitimate websites. In simple words, they use intrusive ads to share the link of exploit kit server.

Once the user clicks on them, the generator separate users into two groups — those who meet and do not meet specific requirements. In this case, victims are chosen by their home region and selected Korean IP addresses are further directed to the landing page.

Users who do not meet the requirements are redirected to other possibly malicious websites such as:

• Adult dating sites;
• Gambling pages;
• E-shops;
• Free coupon offers;

Later, Magnitude Exploit Kit’s landing page detects possible system vulnerabilities that can be used in performing an attack.

Finally, when the vulnerability is successfully exploited, the hacker is able to infiltrate the Magniber Ransomware into the victim’s computer.

Do not become a victim of a malvertising attack – avoid clicking on catchy online ads

Therefore, in spite of all the reasons mentioned above, we strongly recommend avoiding to click on any types of ads. Developers invest considerable amounts of money to make sure that their advertisements look genuine; thus, it is hard to determine the origins of the malicious ads.

You should never risk your computer’s safety and be aware of the possible harmful consequences. Use a reliable security software to prevent ransomware attack and create a data backup just to be sure that you have an intact copy of valuable data at all times.

About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

Olivia Morelli is News Editor at 2-Spyware.com. She covers topics such as computer protection, latest malware trends, software vulnerabilities, data breaches, and more.

Contact Olivia Morelli
About the company Esolutions