Severity scale:  

Magniber ransomware virus. How to remove? (Uninstall guide)

removal by Alice Woods - - | Type: Ransomware

Magniber ransomware appends new extensions to targeted data

The image reflecting Magniber payment siteMagniber is a ransomware-type cyber threat that was noticed spreading via Magnitude exploit kit in October 2017. This exploit kit has been used by Cerber virus. However, it’s not the only similarity to the infamous ransomware.[1].

The crypto-virus exclusively targets South Korean computer users. Interestingly, the malware terminates itself (by deleting its ping.exe[2] executable file) if it detects other than the Korean language.

This fact sparks suspicion that North Korean hackers might have created the malware. Such assumption is not baseless taking into account the cyber capabilities of this country[3] However, this theory still needs evidence.

Magniber ransomware is designed to encrypt files and demand to pay the ransom. Malware has been updated several times and the latest updates were spotted on December 2017. Each of the new variant appends different file extension. Currently, malware locks files with these suffixes:

  • .fprgbk;
  • .ihsdj;
  • .kgpvwnr;
  • .vbdrj[4];
  • .skvtb;
  • .vpgvlkb;
  • .dlenggrl;
  • .dxjay;
  • .fbuvkngy;
  • .xhspythxn;
  • .demffue;
  • .mftzmxqo;
  • .qmdjtc;
  • .wmfxdqz.

After data encryption, malware offers to buy My Decryptor to restore corrupted files. At the moment, it costs 0.2 bitcoins ($1140). It will double to 0.4 after five days. Do not remit the payment as the malware is decryptable. Instead, concentrate on Magniber removal. Reimage or Malwarebytes Anti Malware will help perform the elimination faster.

Victims of Magniber can decrypt files for free

Simone “evilsocket” Margaritelli, the researcher for mobile security company Zimperium, managed to create a decryption tool that might help to restore files after the Magniber attack. However, in order to use it, victims have to know the AES key.

According to the researcher, the decryptor should work if victims were infected from a non-Korean IP address or they cannot connect to Command & Control (C&C) server. These people should know the hardcoded key and IV which should be included into the ransomware’s code.

Hopefully, Magniber decryptor helps to continue the research in order to make ransomware fully decryptable. Meanwhile, you can download the decrypter from this link.

Similarties to Cerber ransomware

Though it uses the same payment site, its source code seems to be much less elaborate than Cerber‘s. Therefore, it gives hope that the virus can be decrypted[5]. After infiltrating the system, the malware encodes data and appends either .ihsdj or .kgpvwnr extension. Furthermore, it will open the ransom file called as READ_ME_FOR_DECRYPT_[id].txt file.

It contains the typical text explaining that all documents, photos, and databases have been encrypted. The very manner of the written text slightly differs, though, in contrast to the original Cerber’s note.

Furthermore, Magniber virus manifests a peculiar feature. Usually, ransomware threats assign the infected devices user’s ID. Furthermore, affected users have to enter the code into an indicated Tor website in order to proceed with data decryption.

On the other hand, Magniber crypto-malware directs users to a subdomain, containing the victim’s ID, of the payment site. It is divided into four sections: Home page, Support, Decrypt 1 file for FREE, and Reload content page.

The crypto-virus also evades certain directories when looking for encryptable files. As common for ransomware, it skips Program Files, Recycle Bin, local settings, and certain AppData subfolders. Furthermore, the malware has ability to change payment bitcoin address if it identifies an URL with a different victim’s ID.

Malware spreads via Magnitude exploit kit 

As previously mentioned, at the moment, the malware is spread with the assistance of Magnitude exploit kit. It targets a particular CVE-2016-0189 vulnerability in Internet Explorer[6]. This flaw has been fixed already. Thus, if you are using the browser, make sure it is updated.

If the exploit kit detects the vulnerability in a user’s browser, the kit directs them to a fraudulent website which is customized according to a victim geolocation. Such sites are likely to include a link. Activating it would download the malware and begin Magniber hijack.

At the moment, the malware only targets South Korea, but soon it may extend its activities in other East Asian countries, for instance, Japanese[7] sites. Thus, make a rush to remove Magniber.

Magniber removal instructions

Though the malware tries to persuade that it is the latest Cerber version, differences in the operation mode and source code trigger speculations whether the developers are the same. Though security experts state that the malware is Cerber in fact, less elaborate source code contradicts such statement.

In any case, until the real Magniber Decrypter will be created, the malware elimination should be your top priority. Do not waste time on meddling with the virus manually. Install a security tool, for instance, Reimage or Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus, to remove Magniber virus. It is not surprising if you might fail at this attempt. Boot the system in Safe Mode and launch the program. Below instructions display further instructions how to do it. Only when Magniber removal is complete, proceed to data recovery. You will find a few suggestions below.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove Magniber ransomware virus you agree to our privacy policy and agreement of use.
do it now!
Reimage (remover) Happiness
Reimage (remover) Happiness
Compatible with Microsoft Windows Compatible with OS X
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to uninstall Magniber ransomware virus. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
More information about this program can be found in Reimage review.
Press mentions on Reimage

Manual Magniber virus Removal Guide:

Remove Magniber using Safe Mode with Networking

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Magniber

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Magniber removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Magniber using System Restore

If, by any chance, you cannot boot the device into Safe Mode, perform System Restore. It should grant you access to the security tool. Likewise, you will be able to remove Magniber virus.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Magniber. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Magniber removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Magniber from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

The official Magniber decryptor can help to restore file, if you know the AES key. Otherwise, you will not be able to take advantage of this tool. However, you can try alternative recovery methods.

If your files are encrypted by Magniber, you can use several methods to restore them:

Data Recovery Pro method

Note that backing your files is crucial especially at times of ransomware infiltration. If you did not create them, try this program. It might help you recover some files.

The usefulness of Shadow Explorer

This utility creates the copies of original files based on shadow volume copies, which are automatically generated by the operating system. There is no information whether Magniber crypto-malware deletes them in advance. However, regarding Cerber's feature to delete them, the former virus might do so in the future as well.

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Magniber decryptor

The decryptor helps only to decrypt files encoded by the hardcoded version of the ransomware. It means you have to know the key and IV that are necessary in order to use the decryption software. You can download a decryptor here.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Magniber and other ransomwares, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware

About the author

Alice Woods
Alice Woods - Likes to teach users about virus prevention

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Alice Woods
About the company Esolutions