Magniber ransomware / virus (Removal Guide) - updated Aug 2018

Magniber virus Removal Guide

What is Magniber ransomware virus?

Magniber – a dangerous ransomware virus that has returned in a stronger version to infect Korean PC users

Magniber is a malicious ransomware virus that renders all personal files useless. To recover them, the victim is asked to pay a ransom.

Magniber is a dangerous crypto-virus that first showed up in October 2017. Its name originates from two words: Magnitude (the ransomware was spread using the Magnitude exploit kit) and Cerber. The malware uses AES-128 to lock up data and adds a file extension consisting of 5 to 9 letters. It then demands a ransom of 0.2 BTC, which later doubles to 0.4 BTC. Although South Korean cybersecurity researchers managed to create a decryptor for most variants of the Magniber virus, it came back stronger in July 2018 with updated obfuscation techniques. While it previously targeted Korean users exclusively, its scope has expanded to encrypting the files of Chinese and Malaysian victims. This ransomware adds the .dyaaghemy file extension and, at the time of writing, is not decryptable.

SUMMARY
Name: Magniber ransomware
Type: Crypto-virus
Associated with: Cerber virus
Exploit used: Magnitude exploit kit
Demanded ransom: 0.2 BTC; 0.4 BTC in five days
Extensions used: .fprgbk; .ihsdj; .kgpvwnr; .vbdrj; .skvtb; .vpgvlkb; .dlenggrl; .dxjay; .fbuvkngy; .xhspythxn; .demffue; .mftzmxqo; .qmdjtc; .wmfxdqz; .ndpyhss; .dyaaghemy
Symptoms: Encrypted files
Distribution: CVE-2016-0189 vulnerability in Internet Explorer
Elimination: Download and install Fortect / Intego, SpyHunter 5 / Combo Cleaner or Malwarebytes. Reboot the PC in Safe Mode
Decryption: Available here (newest versions) and here

The Magniber cyber threat was noticed spreading via the Magnitude exploit kit, which has also been used by the Cerber virus. However, that is not the only similarity to the infamous ransomware.[1]

Originally, the crypto-virus targeted South Korean computer users only. However, it has now been spotted in other Asian countries – China and Malaysia. Interestingly, the malware terminates itself (by deleting its ping.exe[2] executable file) if it detects a system language other than Korean, Chinese or Malay.

Locked files can be restored from backups, using the original decryption key created by the hackers, or using the official tool by Korean security experts.

The malware uses the AES cipher. Before the end of March 2018, it was almost impossible to decrypt files without the AES key. However, South Korean cybersecurity experts managed to crack the code for most of the Magniber ransomware versions.

This fact sparks suspicion that North Korean hackers might have created the malware. Such an assumption is not baseless, taking into account the cyber capabilities of this country.[3] However, this theory still needs evidence.

Magniber ransomware is designed to encrypt files and demand a ransom payment. The malware has been updated several times, and the latest updates were spotted in June 2018.[4] This version adds the .ndpyhss file extension and drops a ransom note named README.txt.

Each new variant appends a different file extension. Currently, the malware locks files with these suffixes:

  • .fprgbk;
  • .ihsdj;
  • .kgpvwnr;
  • .vbdrj[5];
  • .skvtb;
  • .vpgvlkb;
  • .dlenggrl;
  • .dxjay;
  • .fbuvkngy;
  • .xhspythxn;
  • .demffue;
  • .mftzmxqo;
  • .qmdjtc;
  • .wmfxdqz;
  • .ndpyhss

After data encryption, the malware offers to sell "My Decryptor" to restore the corrupted files. At the moment, it costs 0.2 bitcoins ($1140) and doubles to 0.4 after five days. Do not remit the payment, as the malware is decryptable. Instead, concentrate on Magniber removal. Fortect / Intego or Malwarebytes are reliable security programs that can help with quick malware elimination.

Magniber virus is said to be the latest version of Cerber.

Previous attempts to crack the malicious code

Simone “evilsocket” Margaritelli, a researcher at the mobile security company Zimperium, managed to create a decryption tool that might help to restore files after a Magniber attack. However, in order to use it, victims have to know the AES key.

According to the researcher, the decryptor should work if victims were infected from a non-Korean IP address or if the malware could not connect to its Command & Control (C&C) server. In those cases the ransomware falls back to the hardcoded key and IV included in its code, which these victims can use.

A South Korea-based security expert team released new decryptors

At the end of March 2018, security researchers from AhnLab released multiple decryptors for different variants of the Magniber virus. The recovery tools work by exploiting an encryption bug that the hackers left in the code.

Below you can see the table showing which versions of Magniber ransomware can be now decrypted:

Decrypter release date | Recoverable file extension | Victim Key | Magniber payment site vector | Download Link
3/30 | kympzmzw | Jg5jU6J89CUf9C55 | i9w97ywz50w59RQY | MagniberDecrypt.zip
3/30 | owxpzylj | u4p819wh1464r6J9 | mbfRHUlbKJJ7024P | MagniberDecrypt.zip
3/30 | prueitfik | EV8n879gAC6080r6 | Z123yA89q3m063V9 | MagniberDecrypt.zip
3/31 | rwighmoz | BF16W5aDYzi751NB | B33hQK9E6Sc7P69B | MagniberDecrypt.zip
3/31 | bnxzoucsx | E88SzQ33TRi0P9g6 | Bo3AIJyWc7iuOp91 | MagniberDecrypt.zip
3/31 | tzdbkjry | n9p2n9Io32Br75pN | ir922Y7f83bb7G12 | MagniberDecrypt.zip
4/1 | iuoqetgb | QEsN9KZXSp61P956 | lM174P1e6J24bZt1 | MagniberDecrypt.zip
4/1 | pgvuuryti | KHp4217jeDx019Uk | A4pTQ6886b401JR5 | MagniberDecrypt.zip
4/2 | zpnjelt | LyAAS6Ovr647GO65 | nS3A41k9pccn03J2 | MagniberDecrypt.zip
4/2 | gnhnzhu | I0727788KuT5kAqL | sCnHApaa61l5U2R0 | MagniberDecrypt.zip
4/3 | hssjfbd | u5f1d693LGkEgX07 | kV35Z1K3JB7z6P06 | MagniberDecrypt.zip
4/3 | ldolfoxwu | i24720y16f10qJ21 | fX5U9Z6A2j8ZUvkO | MagniberDecrypt.zip
4/3 | zskgavp | nuu9WO56Gc0N5hn7 | ASY0d6dlyrEH6385 | MagniberDecrypt.zip
4/3 | gwinpyizt | dcQOje3dzW469125 | T5438Nl5VI62XxM8 | MagniberDecrypt.zip

Security experts seem to release new versions at short intervals, so this information may become outdated quickly. For the latest releases, check AhnLab's website.

Magniber virus was decrypted by the South Korean security team, who found a way to crack the malicious code.

Cerber and Magniber analogies

Though it uses the same payment site, its source code seems to be much less elaborate than Cerber's. This gives hope that the virus can be decrypted[6]. After infiltrating the system, the malware encodes data and appends either the .ihsdj or the .kgpvwnr extension. It then opens a ransom note named READ_ME_FOR_DECRYPT_[id].txt.

The note contains the typical text explaining that all documents, photos, and databases have been encrypted. Its wording, though, differs slightly from the original Cerber note.

Furthermore, the Magniber virus has a peculiar feature. Usually, ransomware assigns each infected device a user ID, and affected users have to enter that code into a designated Tor website in order to proceed with data decryption.

Magniber crypto-malware, on the other hand, directs users to a subdomain of the payment site that contains the victim's ID. The site is divided into four sections: Homepage, Support, Decrypt 1 file for FREE and Reload content page.

The crypto-virus also skips certain directories when looking for files to encrypt. As is common for ransomware, it skips Program Files, the Recycle Bin, local settings, and certain AppData subfolders. Furthermore, the malware is able to change the Bitcoin payment address if it identifies a URL with a different victim ID.

Magniber ransomware gives its victims five days to pay the ransom. Otherwise, the ransom doubles.

Magniber ransomware came back stronger in July 2018

Security researchers from Malwarebytes Labs published[7] a detailed technical report of a new sample of Magniber virus. According to experts, the ransomware has undergone some tremendous changes during the past year and came back even more powerful.

The first significant change is the scope of the infection. The new Magniber now targets users outside South Korea: the virus deploys its payload whenever it detects Korean, Chinese (Macau, China, Singapore) or Malay (Malaysia, Brunei) keyboard languages. Researchers therefore speculate that it will expand even further, and users around the world could be affected by this threat.

The new Magniber version is delivered by the Magnitude exploit kit, which makes use of the Internet Explorer zero-day vulnerability CVE-2018-8174, first discovered in April this year and patched the following month. Therefore, users who update their browsers on time should be safe from the new Magniber attack. Furthermore, the attack is largely unsuccessful against other modern browsers, such as Google Chrome or Mozilla Firefox.

Magniber ransomware no longer relies on the Command & Control server or the hardcoded key, and it uses improved obfuscation methods. The enhanced version of the virus encrypts files by adding the .dyaaghemy extension, and as of now this variant of Magniber is not decryptable.
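As an added triage aid (example code written for this guide, not the page's or AhnLab's tool), the script below walks a directory tree, tallies files carrying the Magniber extensions listed on this page, locates the ransom notes the page names, and reports the recovery outlook the page gives for each variant: entries in the AhnLab table, the undecryptable .dyaaghemy variant, and the rest. It assumes the ransom note id is alphanumeric and builds a constructed sample folder to run against.

```python
"""Magniber triage by file extension and ransom note (added example, not a vendor tool).
Extension lists and note names come from this page; the note-id pattern is assumed."""
import os
import re
import tempfile
from collections import Counter

# Variant extensions from the page's summary table and bullet list.
VARIANT_EXTENSIONS = {
    "fprgbk", "ihsdj", "kgpvwnr", "vbdrj", "skvtb", "vpgvlkb", "dlenggrl", "dxjay",
    "fbuvkngy", "xhspythxn", "demffue", "mftzmxqo", "qmdjtc", "wmfxdqz", "ndpyhss",
    "dyaaghemy",
}
# Extensions for which the page's AhnLab table lists a decryptor.
AHNLAB_DECRYPTOR_EXTENSIONS = {
    "kympzmzw", "owxpzylj", "prueitfik", "rwighmoz", "bnxzoucsx", "tzdbkjry", "iuoqetgb",
    "pgvuuryti", "zpnjelt", "gnhnzhu", "hssjfbd", "ldolfoxwu", "zskgavp", "gwinpyizt",
}
NOT_DECRYPTABLE = {"dyaaghemy"}  # July 2018 variant, per the page
# Ransom note names from the page; the [id] part is assumed to be alphanumeric.
# README.txt also matches legitimate readmes, so treat note hits as leads, not proof.
NOTE_RE = re.compile(r"^(README\.txt|READ_ME_FOR_DECRYPT_[A-Za-z0-9]+\.txt)$")

def status_for(ext):
    """Map an encrypted-file extension to the recovery outlook stated on the page."""
    if ext in NOT_DECRYPTABLE:
        return "not decryptable at time of writing"
    if ext in AHNLAB_DECRYPTOR_EXTENSIONS:
        return "AhnLab decryptor listed"
    if ext in VARIANT_EXTENSIONS:
        return "known variant; check AhnLab for a current decryptor"
    return "not a known Magniber extension"

def triage(root):
    """Walk `root`; count files per known extension and collect ransom note paths."""
    counts, notes = Counter(), []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if NOTE_RE.match(name):
                notes.append(os.path.join(dirpath, name))
                continue
            ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
            if ext in VARIANT_EXTENSIONS or ext in AHNLAB_DECRYPTOR_EXTENSIONS:
                counts[ext] += 1
    return {"counts": dict(counts), "notes": sorted(notes),
            "status": {ext: status_for(ext) for ext in counts}}

def build_sample_tree():
    """Create a constructed directory resembling a hit user profile (sample data only)."""
    docs = os.path.join(tempfile.mkdtemp(prefix="magniber_sample_"), "Documents")
    os.makedirs(docs)
    for name in ("report.docx.kympzmzw", "photo.jpg.kympzmzw", "budget.xlsx.dyaaghemy",
                 "notes.txt", "README.txt", "READ_ME_FOR_DECRYPT_a1b2c3.txt"):
        with open(os.path.join(docs, name), "w") as fh:
            fh.write("constructed sample\n")
    return os.path.dirname(docs)

if __name__ == "__main__":
    result = triage(build_sample_tree())
    for ext, n in sorted(result["counts"].items()):
        print(f"{n} file(s) with .{ext}: {result['status'][ext]}")
    print("ransom notes found:", len(result["notes"]))
```

Run it against a user profile rather than the whole drive first; the counts per extension tell you which decryptor table entry, if any, applies.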

The new Magniber ransomware came back in a stronger and improved version, which is no longer limited to South Korean users.

Magnitude exploit kit was used to spread crypto-virus

As previously mentioned, the malware is currently spread with the assistance of the Magnitude exploit kit. It targets the CVE-2016-0189 vulnerability in Internet Explorer[8]. This flaw has already been fixed, so if you use the browser, make sure it is updated.

If the exploit kit detects the vulnerability in a user's browser, it directs them to a fraudulent website customized according to the victim's geolocation. Such sites are likely to include a link; activating it downloads the malware and begins the Magniber infection.

At the moment, the malware targets only South Korea, but it may soon extend its activities to other East Asian countries, for instance Japanese[9] sites. Thus, hurry to remove Magniber.

Eliminate Magniber virus and then proceed with the file recovery

Though the malware claims to be the latest Cerber version, differences in its mode of operation and source code raise doubts as to whether the developers are the same. Although some security experts state that the malware is in fact Cerber, its less elaborate source code contradicts that statement.

In any case, malware elimination should be your top priority. Do not waste time meddling with the virus manually. Install a security tool, for instance Fortect / Intego or SpyHunter 5 / Combo Cleaner, to remove the Magniber virus. The virus might prevent you from starting security software; in that case, boot the system in Safe Mode and launch the program. The instructions below show how to do it. Only when Magniber removal is complete should you proceed to data recovery.


Getting rid of Magniber virus. Follow these steps

Manual removal using Safe Mode

Important!
A manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal is best performed in the Safe Mode environment.

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing the F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
  1. Right-click on the Start button and select Settings.
  2. Scroll down to pick Update & Security.
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find the Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot.
  7. Go to Advanced options.
  8. Select Startup Settings.
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking.

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
  3. Scroll down to the Background processes section and look for anything suspicious.
  4. Right-click and select Open file location.
  5. Go back to the process, right-click and pick End Task.
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to the Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type Disk Cleanup in Windows search and press Enter.
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in it).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Downloads
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):

    %AppData%
    %LocalAppData%
    %ProgramData%
    %WinDir%

After you are finished, reboot the PC in normal mode.

Remove Magniber using System Restore

If, by any chance, you cannot boot the device into Safe Mode, perform a System Restore. It should grant you access to the security tool, so that you can remove the Magniber virus.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of Magniber. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you have restored your system to a previous date, download and scan your computer with Fortect / Intego and make sure that Magniber removal has been performed successfully.

Bonus: Recover your data

The guide presented above should help you remove Magniber from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts.

The official Magniber decryptor can help to restore files if you know the AES key. Otherwise, you will not be able to take advantage of this tool. However, you can try alternative recovery methods.

If your files are encrypted by Magniber, you can use several methods to restore them:

Data Recovery Pro method

Note that backing up your files is crucial, especially at times of ransomware infiltration. If you did not create backups, try this program. It might help you recover some files.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Magniber ransomware;
  • Restore them.

The usefulness of Shadow Explorer

This utility restores copies of original files from Volume Shadow Copies, which are automatically generated by the operating system. There is no information on whether Magniber crypto-malware deletes them in advance. However, given Cerber's feature of deleting them, Magniber might do so in the future as well.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and use the drop-down menu in the top left corner to select the disk containing your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Magniber decryptors

As we already mentioned, the South Korean security team managed to create several decryptors for Magniber virus. You can find the full list above, or download them from the official website.

In case decryptors created by AhnLab do not work for you, you can try the older version, but it only helps to decrypt files encoded by the hardcoded version of the ransomware. It means you have to know the key and IV that are necessary in order to use the decryption software. You can download a decryptor here.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Magniber and other ransomware, use reputable anti-spyware, such as Fortect / Intego, SpyHunter 5 / Combo Cleaner or Malwarebytes.

How to prevent from getting ransomware

Do not let government spy on you

The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet. 

You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.

Control the information that can be accessed by the government or any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services and platforms, be suspicious for your own security and take precautionary measures by using the VPN service.

Backup files for the later use, in case of the malware attack

Computer users can suffer data losses due to cyber infections or their own mistakes. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Alice Woods - Likes to teach users about virus prevention


About the company Esolutions
