What Is It?

The original version of Magniber would install itself only on the systems of South Korean users and delete itself in all other cases. However, this fact should not be used to assume where the attackers are located.

The new version of Magniber ransomware will install itself on devices set to a wider list of Asian languages, including Chinese and Malay. Infections have been noted in Taiwan and Hong Kong, and the malware could potentially infect users in China, Macau, Singapore, Malaysia and Brunei. The code itself has been significantly improved: it no longer uses a hardcoded encryption key (which previously made decryption a simple process) and does not require the infected system to have an active internet connection in order to encrypt files. The malware also uses code obfuscation techniques to make analysis and reverse engineering more difficult.


Magniber’s history goes back to the Magnitude exploit kit (EK), originally known as Popads, which has been in the wild since 2013. While it started with a wide distribution, it later became privately operated to target Asian users. In late 2017, after previously distributing Cerber ransomware, the Magnitude EK started distributing its own ransomware, dubbed Magniber.

After briefly distributing Gandcrab ransomware in April 2018, Magnitude EK has recently been delivering a new version of Magniber ransomware. Researchers from Malwarebytes have observed that the main exploit currently being used by the Magnitude EK is an Internet Explorer exploit for the Windows VBScript Engine Remote Code Execution Vulnerability (CVE-2018-8174), which was patched by Microsoft in its May 2018 security updates.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. Magniber ransomware is spread via the Magnitude exploit kit, which attempts to exploit unpatched vulnerabilities in common software, such as Internet Explorer or Adobe Flash.

When/How Did BluVector Detect It?

Two samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected both. Regression testing has shown both samples would have been detected a full 56 months prior to their release.