- Distribution Method : Automatic infection using exploit by visiting website
At the end of March 2018, security researchers from AhnLab released multiple decryptors for different types of Magniber virus. The recovery tool functions based on an encryption bug that was left out by hackers. Below you can see the table showing which versions of Magniber. How to remove Magniber virus and restore encrypted files. This article is dedicated to ransomware called Magniber which gets onto customers' machines around the world, and encrypts their files. Here we've assembled full info on Magniber's essence, and the deletion of Magniber from your system. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third-party software will be fatal for your files! To receive the private key and decryption program follow the instructions below.
Magniber ransomware has shown rapid development during the past several years. Being introduced in Korea for the first time in mid-2017, its number skyrocketed by April 2018. Despite its exponential growth, leading cybersecurity companies, such as AhnLab, promptly released restoration tools, resulting in the downfall of Magniber.
- MD5 : bdb30eefb423d7710d45501b2849bfad
- Major Detection Name :Trojan/Win32.Magniber.R216865 (AhnLab V3), Trojan.Win32.MyRansom.114880856 (ViRobot)
Ahnlab Magniber Decrypt V4.1
- Encrypted File Pattern : .ygshc
- Malicious File Creation Location :
- C:Users%UserName%AppDataLocalREAD_FOR_DECRYPT.txt
- C:Users%UserName%AppDataLocalygshc.exe
- C:Users%UserName%Desktop<Random>.exe
- C:WindowsSystem32Tasksygshc
- C:WindowsSystem32Tasks<Random>
- C:WindowsSystem32Tasks<Random>1
Ahnlab Magniber Decrypt V4
- Payment Instruction File : READ_ME_FOR_DECRYPT.txt
- Major Characteristics :
- Offline Encryption
- Only run on Korean operating system
- Change the default values of the registry entry 'HKEY_CLASSES_ROOTmscfileshellopencommand' and disable system restore (wmic shadowcopy delete) using Event Viewer (eventvwr.exe)
- Auto execute ransomware (pcalua.exe -a C:Users%UserName%AppDataLocalygshc.exe -c <Random>) and payment instrucition file (pcalua.exe -a notepad.exe -c %LocalAppData%READ_FOR_DECRYPT.txt) every 15 minutes by adding Task Scheduler entries
- Auto connect MY DECRYPTOR site (pcalua.exe -a http://<URL>) every a hour by adding Task Scheduler entries