Ransomware: Security researchers spot emerging new strain of malware

'Magniber' ransomware could potentially be an experiment by people behind the Cerber ransomware family.
Written by Danny Palmer, Senior Writer

Magniber appears to be an experiment in ransomware targeting.


A new form of ransomware is being distributed via the same method as one of the most successful families of file-locking malware, and may represent a new evolution of the menace.

Launched by malvertising attacks on compromised websites, the new ransomware is currently designed in such a way that it only infects victims in South Korea.

The ransomware is being delivered via the Magnitude exploit kit, which up until this point has predominantly been used to distribute Cerber - arguably the most successful family of ransomware of the year.

Magnitude has been used as a tool for distributing ransomware: Cerber for the most part, although it has also been known to distribute Locky and Cryptowall. But as noted by researchers at Trend Micro, Magnitude's activity declined substantially during September, to the point where it was non-existent by September 23rd.

Following a two-week hiatus, the exploit kit resumed activity on October 15th, this time equipped with a new payload: what researchers have dubbed 'Magniber' - combining the names of Cerber and Magnitude. Cerber hasn't been distributed via Magnitude since it resumed activity.

Upon execution, the first thing Magniber does is check the language installed on the infected system - if the language is Korean, the payload will run. While some forms of ransomware have been known to target specific regions - or have been instructed not to run in certain countries - it's still rare for ransomware to be coded to target a particular country.

As a result, it's likely that Magniber is still a work in progress as those behind it attempt to work out how to best exploit particular targets.


"Based on the code we've so far seen within Magniber, the ransomware can also be taken as still in experimental stages--perhaps under the auspices of Magnitude's developers. Indeed, we're bound to see more developments in both Magnitude and Magniber as their capabilities and tactics are fine-tuned," said Joseph C Chen, a fraud researcher at Trend Micro.

Upon infection, Magniber victims are presented with a message demanding a Bitcoin ransom in exchange for the 'special software' required to unlock the encrypted files. Researchers at Malwarebytes note that the template of the English language ransom note is similar to that of Cerber.

Those who pay within five days are offered a 'special price' of 0.2 Bitcoins ($1138) while those who wait longer than this are forced to pay 0.4 Bitcoins ($2275). Like other forms of ransomware, the ransom note comes with instructions designed to 'help' victims along the path to buying Bitcoins.


The Magniber ransom note

Image: Malwarebytes

While the Magniber and Cerber ransom notes are similar and they're distributed using the same exploit kit, that's where the similarities end - Malwarebytes says of Magniber that "internally it has nothing in common with the Cerber and is much simpler".

Indeed, while Cerber is one of the most cryptographically advanced forms of ransomware - no security researchers have yet been able to provide a decryption tool for it - Magniber on the other hand is much less advanced, containing little obfuscation.

It could be the same threat actors behind the two forms of ransomware, or it could indicate that the exploit kit distribution is now in different hands or has been leased out.

"It is possible that the switch is done by the same actors who previously distributed Cerber. But as well the previous attackers could have given up distribution of the ransomware and sold the distribution toolkit to another actor who does not own Cerber," a malware intelligence analyst at Malwarebytes told ZDNet.

One thing is certain: for now at least, Magniber has replaced Cerber as the payload of this campaign.

However, given it only recently appeared, the ransomware is likely to still be in active development, so it could evolve to launch attacks which specifically target countries other than South Korea.

