At the end of March 2018, security researchers from AhnLab released multiple decryptors for different versions of the Magniber ransomware. The recovery tool works because of an encryption bug that the attackers overlooked. Below you can see the table showing which versions of Magniber. Guide to remove Magniber Ransomware and decrypt .magniber files in Windows 10, Windows 8, Windows 7, Windows Vista and Windows XP.
- Distribution Method : Automatic infection through an exploit when visiting a website
- MD5 : bdb30eefb423d7710d45501b2849bfad
- Major Detection Name : Trojan/Win32.Magniber.R216865 (AhnLab V3), Trojan.Win32.MyRansom.114880856 (ViRobot)
- Encrypted File Pattern : .ygshc
- Malicious File Creation Locations :
  - C:\Users\%UserName%\AppData\Local\READ_FOR_DECRYPT.txt
  - C:\Users\%UserName%\AppData\Local\ygshc.exe
  - C:\Users\%UserName%\Desktop\<Random>.exe
  - C:\Windows\System32\Tasks\ygshc
  - C:\Windows\System32\Tasks\<Random>
  - C:\Windows\System32\Tasks\<Random>1
- Payment Instruction File : READ_ME_FOR_DECRYPT.txt
AhnLab Magniber Decrypt V4.1
- Major Characteristics :
  - Offline encryption
  - Only runs on Korean-language operating systems
  - Changes the default value of the registry key 'HKEY_CLASSES_ROOT\mscfile\shell\open\command' and disables system restore (wmic shadowcopy delete) via Event Viewer (eventvwr.exe)
  - Auto-executes the ransomware (pcalua.exe -a C:\Users\%UserName%\AppData\Local\ygshc.exe -c <Random>) and the payment instruction file (pcalua.exe -a notepad.exe -c %LocalAppData%\READ_FOR_DECRYPT.txt) every 15 minutes by adding Task Scheduler entries
  - Auto-connects to the MY DECRYPTOR site (pcalua.exe -a http://<URL>) every hour by adding Task Scheduler entries
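As an added example (not from the page or from AhnLab's tool), a small Python triage script that flags the three host behaviours listed above, pcalua.exe proxy launches from AppData or of a URL, shadow copy deletion, and the mscfile handler change, in Sysmon-style process-creation and registry-set events. The key=value event format, user name, paths and URL are constructed for the demo.

```python
import re

# Constructed sample events in a simplified Sysmon-style key=value form (illustrative, not real telemetry).
# EventID 1 = process creation, EventID 13 = registry value set.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\pcalua.exe CommandLine="pcalua.exe -a C:\\Users\\alice\\AppData\\Local\\ygshc.exe -c 4f2a"',
    'EventID=1 Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine="wmic shadowcopy delete"',
    'EventID=13 TargetObject=HKCR\\mscfile\\shell\\open\\command\\(Default) Details=C:\\Users\\alice\\AppData\\Local\\ygshc.exe',
    'EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe C:\\Users\\alice\\notes.txt"',
    'EventID=1 Image=C:\\Windows\\System32\\pcalua.exe CommandLine="pcalua.exe -a http://example.invalid/decrypt"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

def check_pcalua_proxy(ev):
    """Program Compatibility Assistant (pcalua.exe -a <target>) launching a payload
    from a user-writable AppData\\Local path or opening a URL, as the scheduled tasks above do."""
    if ev.get("EventID") != "1" or not ev.get("Image", "").lower().endswith("\\pcalua.exe"):
        return None
    m = re.search(r"-a\s+(\S+)", ev.get("CommandLine", ""), re.IGNORECASE)
    if not m:
        return None
    target = m.group(1).lower()
    if "\\appdata\\local\\" in target or target.startswith(("http://", "https://")):
        return f"pcalua.exe proxy launch of {m.group(1)}"
    return None

def check_shadow_copy_delete(ev):
    """wmic shadowcopy delete: system restore points are wiped before encryption."""
    cmd = ev.get("CommandLine", "").lower()
    if ev.get("EventID") == "1" and "shadowcopy" in cmd and "delete" in cmd:
        return "shadow copy deletion: " + ev["CommandLine"]
    return None

def check_mscfile_hijack(ev):
    """Default value of HKCR\\mscfile\\shell\\open\\command rewritten (eventvwr.exe abuse)."""
    if ev.get("EventID") == "13" and "\\mscfile\\shell\\open\\command" in ev.get("TargetObject", "").lower():
        return f"mscfile handler changed to {ev.get('Details', '?')}"
    return None

RULES = [("pcalua_proxy", check_pcalua_proxy),
         ("shadow_copy_delete", check_shadow_copy_delete),
         ("mscfile_hijack", check_mscfile_hijack)]

def scan_events(lines):
    """Return (rule_name, summary) for every event that matches a rule, in input order."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        hits.extend((name, rule(ev)) for name, rule in RULES if rule(ev))
    return hits

if __name__ == "__main__":
    for name, summary in scan_events(SAMPLE_EVENTS):
        print(f"[{name}] {summary}")
```

Each rule alone is noisy on a real estate; correlating a pcalua.exe launch with a new task under C:\Windows\System32\Tasks and a READ_FOR_DECRYPT.txt drop in %LocalAppData% is what makes the hit actionable.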