Magniber has officially gone global. After painstakingly targeting only South Korean users, the ransomware has expanded its target landscape to Chinese locations (Macau, China, Singapore) and Malay ones (Malaysia, Brunei), with more sophistication in its coding. It may only be a matter of time until it goes fully global.
This ransomware wasn’t impressive before: it relied heavily on a command-and-control server or a hardcoded key for its encryption. It has now evolved; all of a sudden we have a ransomware bound for global attention that uses various obfuscation techniques and has a whitelist feature for choosing which countries to infect.
The reason for its apparent improvement is still unknown, and the same can be said of its parent, the Magnitude exploit kit, which has been the source of Magniber infections throughout the year. This particular exploit kit was the one responsible for Cerber ransomware, a threat that attacked everyone in the past regardless of country. Now it can be said that Magniber’s threat level is on par with that of its distant sibling Cerber.
Victims of Magniber ransomware find their files encrypted, with a “.dyaaghemy” extension appended to every locked file.
Its modus operandi hasn’t changed much, though. After encrypting files, it drops a README.txt ransom note for its victims. The content of the note is straightforward: it asks the victim to install the Tor browser and visit a unique URL that contains instructions on how to retrieve the ransomed files. Needless to say, Magniber ransomware wants your money as well – in Bitcoin.
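The two artefacts described above, the “.dyaaghemy” extension on locked files and the dropped README.txt pointing victims at the Tor browser, are enough for a simple host-side triage scan. The following is an added example written for this article, not code from the original post or from any vendor; the alert threshold and the sample directory it builds are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

MAGNIBER_EXT = ".dyaaghemy"   # extension the article reports on locked files
NOTE_NAME = "README.txt"      # ransom note the article reports being dropped

def scan_for_magniber(root: str, min_encrypted: int = 3) -> dict:
    """Walk `root`, count files ending in MAGNIBER_EXT and README.txt notes
    that mention the Tor browser, and return a verdict. `min_encrypted` is an
    assumed threshold so a single oddly named file does not raise an alert."""
    encrypted, notes = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name.lower().endswith(MAGNIBER_EXT):
                encrypted.append(str(path))
            elif name == NOTE_NAME:
                try:
                    text = path.read_text(errors="ignore").lower()
                except OSError:
                    continue
                # A README.txt only counts if it reads like the ransom note
                if "tor browser" in text:
                    notes.append(dirpath)
    if len(encrypted) >= min_encrypted and notes:
        verdict = "infected"
    elif encrypted or notes:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"encrypted": encrypted, "notes": notes, "verdict": verdict}

def build_sample_tree() -> str:
    """Create a constructed directory that mimics a hit host (sample data)."""
    root = tempfile.mkdtemp(prefix="magniber_demo_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    for i in range(4):  # four 'locked' files with the appended extension
        (docs / f"report{i}.docx{MAGNIBER_EXT}").write_bytes(b"\x00" * 16)
    (docs / "notes.txt").write_text("untouched file")  # a normal file
    (docs / NOTE_NAME).write_text(
        "Your files are encrypted. Install Tor browser and visit your URL.")
    return root

if __name__ == "__main__":
    print(scan_for_magniber(build_sample_tree()))
```

Run against a real drive root, the scan reports where the locked files and notes sit, which is the starting point for scoping how far the encryption spread.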
It’s safe to say that with an up-to-date browser there is almost no chance Magniber can infect a user, and the same goes for its cousins delivered by exploit kits like Magnitude. Beyond that, Magniber relies on an Internet Explorer exploit (CVE-2018-8174), so using a browser other than Internet Explorer or Edge lets you evade this specific ransomware altogether. Microsoft has released a patch that fixes the vulnerability, and applying it should be enough for people who do not have a different browser.