Connect with us

Hi, what are you looking for?



New Magniber Ransomware Emerges

A brand new ransomware family currently being distributed through the Magnitude exploit kit appears to be targeting South Korean users exclusively, security researchers have discovered.

A brand new ransomware family currently being distributed through the Magnitude exploit kit appears to be targeting South Korean users exclusively, security researchers have discovered.

Dubbed Magniber, the threat checks the language of the compromised systems and only fully executes on machines featuring the locale identifier string 0x0412, which is the identifier for Korean, Trend Micro reports.

The new malware family was first observed this week, when Magnitude returned to activity after nearly a month of silence. The EK was usually distributing the Cerber ransomware, but it appears that its operators have moved to other payloads.

While most of the Magnitude attacks over the past two months and a half focused on Taiwan (81%), the security researchers noticed a shift toward South Korea on October 15. Magnitude campaigns use malvertising to infect users and deliver malicious payloads by exploiting the Internet Explorer vulnerability CVE-2016-0189, which Microsoft patched in May 2016.

Magnitude was the last exploit kit to have delivered Cerber, which appears to have disappeared from the threat landscape last month. Now, the toolkit is pushing a ransomware family that apparently uses the same payment system as Cerber.

This is why the security researchers who discovered the threat called it Magniber (Magnitude+Cerber), although there doesn’t seem to be code base resemblance between the two, Bleeping Computer’s Lawrence Abrams notes.

Specific to the new malware is the fact that it uses the victim’s unique ID as a subdomain to the payment portal on Tor. This subdomain is then displayed in the ransom note deployed on the infected system.

Advertisement. Scroll to continue reading.

Once on the infected system, the malware starts searching for files to encrypt. At the moment, it is targeting over 700 file types, Malwarebytes says. The ransomware avoids encrypting files located in folders such as Windows, Program Files, Boot, Recycle Bin, Local Settings, and several Documents and Settings subfolders, among others.

Magniber ransomware

According to Trend Micro, Magniber’s code shows that the ransomware might still be under development. According to them, the threat could be still in experimental stages, supposedly built by Magnitude’s developers.

“Indeed, we’re bound to see more developments in both Magnitude and Magniber as their capabilities and tactics are fine-tuned. While Magnitude’s distribution of Magniber is still relatively muted, their ability to exploit security gaps in the system and encrypt its files makes their combination a credible threat,” the security researchers note.

According to Abrams, files encrypted by Magniber can be decrypted for free, so victims should refrain from paying the ransom. All users, however, are advised to keep their applications and operating systems updated at all times, and to install and maintain an anti-virus solution to avoid being infected in the first place. Users should also back up their data at all times, for easy recovery in the event of an infection.

Related: Ransomware – Where It’s Been and Where It’s Going

Related: Exploit for Recently Patched Flash Flaw Added to Magnitude EK

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.