Ahnlab Magniber Decrypt

Magniber ransomware has developed rapidly over the past several years. First seen in Korea in mid-2017, its infection numbers skyrocketed by April 2018. Despite this exponential growth, leading cybersecurity companies such as AhnLab promptly released recovery tools, contributing to Magniber's decline.

  1. Ahnlab Magniber Decrypt V4
  2. Ahnlab Magniber Decrypt V4.1
  • Distribution Method : Automatic (drive-by) infection via an exploit when visiting a website
  • MD5 : d410ad89fe5e0350e648ac39308fd848
  • Major Detection Name : Trojan/Win32.Magniber.R215116 (AhnLab V3), Trojan.Win32.MyRansom.131072 (ViRobot)
  1. Part of AhnLab's security products and services. Covers Magniber ransomware, CryptXXX versions 3.x and 2.x, Nabucur, and TeslaCrypt, including some new variants.
  2. AhnLab's new Magniber decryption tool replaces the existing tool with a GUI version and now supports recovery for the cases that used to be unrepairable because of the variable vector found in samples since April 8. However, recovery is limited to cases where an encrypted/decrypted file pair exists together with the extension and key information.
  • Encrypted File Pattern : .ypail

Ahnlab Magniber Decrypt V4

  • Malicious File Creation Location :
    - C:\Users\%UserName%\AppData\Local\READ_FOR_DECRYPT.txt
    - C:\Users\%UserName%\AppData\Local\ypail.exe
    - C:\Users\%UserName%\Desktop\<Random>.exe
    - C:\Windows\System32\Tasks\ypail
    - C:\Windows\System32\Tasks\<Random>
    - C:\Windows\System32\Tasks\<Random>1

Ahnlab Magniber Decrypt V4.1

  • Payment Instruction File : READ_ME_FOR_DECRYPT.txt
  • Major Characteristics :
    - Offline encryption
    - Runs only on Korean-language operating systems
    - Changes the default value of the registry entry 'HKEY_CLASSES_ROOT\mscfile\shell\open\command' and, via Event Viewer (eventvwr.exe), disables system restore (wmic shadowcopy delete)
    - Re-executes the ransomware (pcalua.exe -a C:\Users\%UserName%\AppData\Local\ypail.exe -c <Random>) and opens the payment instruction file (%LocalAppData%\READ_FOR_DECRYPT.txt) every 15 minutes through added Task Scheduler entries
    - Automatically connects to the MY DECRYPTOR site (cmd.exe /c start iexplore http://<URL>) every hour through an added Task Scheduler entry
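As an added defender-side check (example code, not AhnLab's tool or anything from the original page), the following PowerShell script looks for the persistence traces listed above on a Windows host: the modified mscfile handler, Task Scheduler entries that invoke pcalua.exe, ypail.exe, the ransom note or the decryptor site, and the dropped files themselves. The stock default handler value for mmc.exe and the use of %LOCALAPPDATA% for the drop directory are assumptions about a standard Windows install.

```powershell
# Added example: triage check for the Magniber persistence traces described on this page.
# Assumes PowerShell 3.0+ and a stock Windows install; run from an elevated prompt.
$findings = @()

# 1. Event Viewer hijack: the default value of HKCR\mscfile\shell\open\command
#    normally launches mmc.exe (assumed stock value); anything else is suspicious.
$expected = '%SystemRoot%\system32\mmc.exe "%1" %*'
$handler = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\mscfile\shell\open\command' `
            -ErrorAction SilentlyContinue).'(default)'
if ($handler -and $handler -ne $expected) {
    $findings += "mscfile handler changed: $handler"
}

# 2. Scheduled tasks (stored as XML under System32\Tasks) that relaunch the dropper
#    through pcalua.exe, open the ransom note, or start Internet Explorer on the site.
$taskDir = Join-Path $env:SystemRoot 'System32\Tasks'
Get-ChildItem -Path $taskDir -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $xml = Get-Content -LiteralPath $_.FullName -Raw -ErrorAction SilentlyContinue
    if ($xml -match 'pcalua\.exe|ypail\.exe|READ_FOR_DECRYPT\.txt|start iexplore') {
        $findings += "suspicious scheduled task: $($_.FullName)"
    }
}

# 3. Dropped files in %LocalAppData% (the page's C:\Users\<user>\AppData\Local path).
foreach ($name in 'ypail.exe', 'READ_FOR_DECRYPT.txt') {
    $dropped = Join-Path $env:LOCALAPPDATA $name
    if (Test-Path -LiteralPath $dropped) { $findings += "dropped file present: $dropped" }
}

# 4. Encrypted files carrying the .ypail extension in the current user's profile.
$encrypted = Get-ChildItem -Path $env:USERPROFILE -Filter '*.ypail' -File -Recurse `
             -ErrorAction SilentlyContinue | Measure-Object
if ($encrypted.Count -gt 0) { $findings += ".ypail files found: $($encrypted.Count)" }

if ($findings.Count -eq 0) { 'No Magniber persistence traces found.' } else { $findings }
```

The script only reports; on a hit, preserve the task XML files and the registry value for forensics before removing them, since the encrypted/decrypted file pairs and key information are what the recovery tool needs.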