
Magniber Ransomware: What Home Computer Users Should Know

August 6, 2024

Ransomware groups frequently target organizations — not home users — for an obvious reason: Businesses, non-profits, and government agencies are much more likely to pay. In recent years, we’ve seen massive attacks against healthcare systems, casinos, and even federal government agencies; we’ve seen much less reporting on small-scale ransomware attacks.

Unfortunately, that does not mean that home computer users are safe. 

Recently, we’ve seen a significant increase in Magniber ransomware infections. Magniber is malware that specifically targets personal computer users; it is widely regarded as the successor to Cerber (stylized as C3RB3R), which appeared in 2016.

Here’s why Magniber is a problem for home computer users, along with tips for avoiding infection. To learn more about ransomware recovery services from Datarecovery.com, call 1-800-237-4200 to speak with an expert or submit a case online.

What is Magniber ransomware, and why is it a problem?

Magniber is the name of a family of ransomware variants believed to be operated as a Ransomware-as-a-Service (RaaS) offering. The malware first appeared in 2017, initially delivered through the Magnitude exploit kit to users in South Korea (the name combines “Magnitude” and “Cerber”), and it has since targeted home computer users through a variety of attack vectors. 

  • Magniber is frequently distributed through illegally downloaded software. It may launch as part of a “software crack” or key generator intended to bypass copyright protection. 
  • The ransomware encrypts files, typically using the Microsoft CryptoAPI, then appends a file extension that appears to be randomly generated, so a document named report.docx becomes something like report.docx.zskgavp. Extensions seen so far include .zskgavp, .tzdbkjry, .qwmoqyo, and .oaxysw (dozens of other file extensions are associated with Magniber). 
  • The ransom message may also reference the user’s “illegal activities” to justify extortion. If you are concerned about legality, the more relevant point is that paying a ransom can itself violate sanctions law when the recipient is a sanctioned entity, and law enforcement agencies advise against paying in any case. 
  • The victim is asked to download a Tor browser and pay the attacker with cryptocurrency. 
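A quick way to gauge the scope of an infection is to look for the naming pattern described above: an ordinary document extension followed by a short, random-looking appended suffix. The script below is an added example written for this article; it is not code from Datarecovery.com, and the document-extension list, the allowlist of benign suffixes (such as .bak), the suffix regex and the 7.0 bits-per-byte entropy threshold are assumptions of the example rather than facts about Magniber. It flags files whose name ends in one of the extensions listed above, generalizes to unlisted extensions that follow the same double-extension pattern, and uses byte entropy only as a confirmation step (JPEGs and ZIPs are high-entropy too). The sample files it scans are constructed inline, with a deterministic stand-in for ciphertext, so it runs offline.

```python
import math
import re
import tempfile
from collections import Counter
from pathlib import Path
from typing import Optional

# Extensions the article lists as appended by Magniber (it notes dozens more exist).
KNOWN_MAGNIBER_EXTENSIONS = {"zskgavp", "tzdbkjry", "qwmoqyo", "oaxysw"}

# Assumed list of ordinary user-file extensions; if one of these is followed by a
# second, unfamiliar suffix, the name fits "original name plus appended extension".
DOCUMENT_EXTENSIONS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf",
                       "jpg", "jpeg", "png", "txt", "mp4", "mp3", "zip"}

# Assumed allowlist of suffixes people legitimately tack onto documents.
BENIGN_SUFFIXES = {"bak", "backup", "old", "orig", "tmp", "part", "lnk"}

# The listed Magniber extensions are short, lowercase and purely alphabetic.
RANDOM_EXT_RE = re.compile(r"^[a-z]{5,12}$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def name_reasons(filename: str) -> list:
    """Reasons a bare file name fits the Magniber naming pattern (empty if none)."""
    parts = filename.lower().split(".")
    if len(parts) < 3:          # need name.original_ext.appended_ext
        return []
    original, appended = parts[-2], parts[-1]
    if appended in KNOWN_MAGNIBER_EXTENSIONS:
        return ["extension listed for Magniber"]
    if (original in DOCUMENT_EXTENSIONS and appended not in BENIGN_SUFFIXES
            and RANDOM_EXT_RE.match(appended)):
        return ["document extension followed by unfamiliar appended suffix"]
    return []


def classify(path: Path) -> Optional[dict]:
    """Return a finding for a file whose name fits the pattern, else None."""
    reasons = name_reasons(path.name)
    if not reasons:
        return None
    try:
        with open(path, "rb") as fh:
            head = fh.read(4096)
    except OSError:
        head = b""
    ent = round(shannon_entropy(head), 2)
    if ent > 7.0:   # assumed threshold; confirmation only, never the trigger
        reasons.append(f"first 4 KiB has {ent} bits/byte, consistent with encryption")
    appended = path.name.lower().rsplit(".", 1)[-1]
    return {"path": str(path), "appended_ext": appended, "entropy": ent, "reasons": reasons}


def scan(root):
    """Walk a tree; return findings plus a count of flagged files per appended extension."""
    hits, ext_counts = [], Counter()
    for p in Path(root).rglob("*"):
        if p.is_file():
            finding = classify(p)
            if finding:
                hits.append(finding)
                ext_counts[finding["appended_ext"]] += 1
    return hits, ext_counts


# Constructed sample tree (not real Magniber output). The fake ciphertext is a
# deterministic byte sequence with exactly 8.0 bits/byte of entropy.
FAKE_CIPHERTEXT = bytes(range(256)) * 16
PLAINTEXT = b"quarterly numbers, nothing encrypted here\n" * 100
SAMPLE_FILES = {
    "Documents/report.docx.zskgavp": FAKE_CIPHERTEXT,  # listed extension
    "Pictures/holiday.jpg.bqxmtyv": FAKE_CIPHERTEXT,   # unlisted, same pattern
    "Documents/notes.txt": PLAINTEXT,                  # untouched file
    "Documents/budget.xlsx.backup": PLAINTEXT,         # benign double extension
    "Downloads/archive.tar.gz": PLAINTEXT,             # benign double extension
    "Documents/README.html": PLAINTEXT,                # single extension
}


def build_sample_tree(root) -> None:
    for rel, content in SAMPLE_FILES.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def demo() -> dict:
    """Build the sample tree in a temporary directory, scan it, and summarise."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        hits, ext_counts = scan(root)
    return {
        "flagged": sorted(Path(h["path"]).name for h in hits),
        "ext_counts": dict(ext_counts),
        "entropy": {Path(h["path"]).name: h["entropy"] for h in hits},
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it as-is to see the constructed tree scored, or point scan() at a user profile directory on a copy of the affected drive (never on the live, infected machine). The per-extension count is the useful output: a ransomware run leaves hundreds of files sharing one appended extension, whereas a handful of unrelated hits is probably noise from the heuristic.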

At this time, we do not have evidence that paying the ransom will result in successful file decryption. Note that paying ransom does not restore data for about 25% of ransomware victims, on average.

Is there a decryptor for Magniber ransomware?

As of August 6, 2024, there is not a free decryption tool for the current generation of Magniber ransomware.

An earlier version of Magniber was successfully cracked by AhnLab in 2018, and AhnLab published a free decryption tool for the versions it analyzed (note that AhnLab’s site is written in Korean). But the RaaS gang behind Magniber updated the malware shortly after the tool’s release, so it does not work on later variants; which version you have can be judged from the appended file extension, since the tool covers only the extensions in use at the time.

What should I do if my system is infected with Magniber ransomware? 

As with other types of ransomware infections, it’s important to isolate the infected system immediately. Unplug the network cable, turn off Wi-Fi, and disconnect any external drives; do not connect backup devices to the infected PC, because the ransomware will encrypt whatever storage it can reach.

If you do not need the encrypted data, wipe the drive and reinstall Windows from known-good installation media; a full reinstall that formats the drive is enough to remove the ransomware itself. If you also want the old contents unrecoverable, use proper sanitization rather than an ordinary format: a full overwrite for a hard disk drive (HDD), and the ATA Secure Erase or NVMe Format command (usually exposed by the manufacturer’s utility) for a solid-state drive (SSD), since a quick format does not reliably sanitize an SSD. If there is any chance you will want the encrypted files later, keep the original drive, or a full image of it, before wiping anything: the 2018 AhnLab tool shows that decryptors for a given Magniber version can appear after the fact. Learn about the standards for secure data sanitization.

Do not pay the ransom. Law enforcement agencies advise against paying, a payment can violate sanctions law if the recipient is a sanctioned entity, and payment frequently does not restore the data. At this time, there is no way to decrypt data encrypted by the current generation of Magniber. However, we will update this article if a tool becomes available.

To discuss available options, call 1-800-237-4200 to speak with an expert or submit a case online. Datarecovery.com can help you restore data from older backups, monitor the dark web for stolen data, and take other steps to recover from a ransomware attack.