A new ransomware family, named Magniber, has caught the attention of security researchers. It is being distributed by the Magnitude exploit kit and currently targets users in South Korea.
According to Trend Micro, Magniber checks the language of the compromised system and only runs on machines whose locale identifier (LANGID) is 0x0412, the identifier for Korean.
The Magniber family was first observed this week, when Magnitude resumed activity after nearly a month of silence. The exploit kit had previously distributed the Cerber ransomware, but its operators have now switched to a different payload.
During the previous two months, most Magnitude attacks were focused on Taiwan (81%); this month, the researchers noticed a shift toward South Korea.
Magnitude campaigns use malvertising to reach victims and deliver their payload by exploiting CVE-2016-0189, a memory-corruption flaw in Internet Explorer's scripting engine that Microsoft patched in May 2016 (MS16-051). The vector therefore only works against browsers missing a patch that is more than a year old.
Magnitude, which previously delivered Cerber, is now pushing a ransomware family that uses the same payment system as Cerber. The researchers therefore named the new malware Magniber (Magnitude + Cerber), although they found no code resemblance between the two threats.
One notable detail is that Magniber uses the victim's unique ID as a subdomain of its Tor payment portal; that per-victim hostname is then displayed in the ransom note dropped on the infected system, tying each payment page to a specific infection.
Once installed, Magniber starts searching for files to encrypt. According to the researchers, the malware currently targets over 700 file types.
The ransomware avoids encrypting files located in folders such as Windows, Program Files, Boot, Recycle Bin and Local Settings, as well as several Documents and Settings subfolders, a common choice that keeps the operating system bootable so the victim can still read the ransom note.
Trend Micro says Magniber's code suggests the ransomware is still under development and may be in an experimental stage.
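The following is an added example, not Magniber's code and not code from Trend Micro: a small Python model of the three targeting checks the article describes (the Korean LANGID gate, the skipped system folders, and a file-type allowlist). The extension list is a constructed handful standing in for the 700+ reported types, the on-disk name `$Recycle.Bin` for the Recycle Bin is an assumption, and the model skips the whole Documents and Settings tree where the article says only some subfolders are skipped.

```python
"""Model of the file-targeting logic attributed to Magniber (added example)."""
from pathlib import PureWindowsPath

# LANGID for ko-KR; the article reports the sample only runs on this locale.
KOREAN_LANGID = 0x0412

# Folders the article says are skipped. Matched case-insensitively against
# any directory component of the path. "$recycle.bin" is the assumed on-disk
# name of the Recycle Bin; "documents and settings" is over-approximated here.
SKIPPED_DIRS = {
    "windows",
    "program files",
    "boot",
    "$recycle.bin",
    "local settings",
    "documents and settings",
}

# Constructed subset of targeted extensions (assumption; the real list of
# 700+ types is not reproduced on the page).
TARGET_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".hwp", ".txt"}


def locale_gate(langid: int) -> bool:
    """True only for the Korean LANGID, mirroring the reported locale check."""
    return langid == KOREAN_LANGID


def in_skipped_folder(path: str) -> bool:
    """True if any directory component of the Windows path is a skipped folder."""
    parts = PureWindowsPath(path).parts
    directories = parts[1:-1]  # drop the drive and the file name itself
    return any(part.lower() in SKIPPED_DIRS for part in directories)


def has_target_extension(path: str) -> bool:
    return PureWindowsPath(path).suffix.lower() in TARGET_EXTENSIONS


def would_encrypt(langid: int, path: str) -> bool:
    """Combine the three checks: locale gate, folder exclusion, extension allowlist."""
    if not locale_gate(langid):
        return False
    if in_skipped_folder(path):
        return False
    return has_target_extension(path)


def candidate_files(langid: int, paths: list[str]) -> list[str]:
    """Return the subset of paths the modelled logic would encrypt."""
    return [p for p in paths if would_encrypt(langid, p)]


if __name__ == "__main__":
    # Constructed sample paths, not taken from a real infection.
    sample = [
        r"C:\Users\kim\Documents\report.docx",
        r"C:\Users\kim\Pictures\photo.jpg",
        r"C:\Windows\System32\drivers\etc\hosts.txt",
        r"C:\Program Files\App\readme.txt",
        r"C:\$Recycle.Bin\S-1-5-21-1\old.docx",
        r"C:\Users\kim\Downloads\archive.zip",
    ]
    for langid in (0x0412, 0x0409):
        print(f"LANGID {langid:#06x}: {candidate_files(langid, sample)}")
```

Read in reverse, the same function tells a defender where decoy files would actually be touched: a canary document placed under Program Files would never trigger, while one in a user's Documents folder would.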
“Indeed, we’re bound to see more developments in both Magnitude and Magniber as their capabilities and tactics are fine-tuned. While Magnitude’s distribution of Magniber is still relatively muted, their ability to exploit security gaps in the system and encrypt its files makes their combination a credible threat,” the experts state.
The researchers also say that files encrypted by Magniber can be decrypted for free and advise victims not to pay the ransom. Beyond that, users should keep their operating systems and applications up to date (the exploit in use relies on a browser patch that is more than a year old) and run reputable anti-virus software.