Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

One month later, Magniber ransomware is still out there

Published: 2017-11-20
Last Updated: 2017-11-20 02:16:52 UTC
by Brad Duncan (Version: 1)
0 comment(s)


Last month in October 2017, several sources reported a new ransomware family distributed by Magnitude exploit kit (EK) [1, 2, 3].  Security researchers dubbed the new ransomware "Magniber" because it appears to have replaced Cerber ransomware as distributed through Magnitude EK.  Cerber seems to have disappeared since then, but as November 2017 progresses, we're still seeing Magniber.

Magnitude EK appears to be the sole distributer of Magniber, and it still appears to be targeting Korea as noted in the original reports.  I had tried to generate infection traffic from Magniber in my home lab; however, I was never successful until I used a Korean version of Windows.

Magniber didn't run on my English version of Windows.


Nothing new, really, since the original wave of reporting on Magniber.  However, I wanted to show this activity is still happening.  The most recent Magniber sample I can confirm is SHA256 hash 7a2697e3dc0f2a678dedc8d9842a55b8efe6e11933aa32fb856f61ad5e3eecd7 first submitted to VirusTotal last week on 2017-11-14 [4].

My thanks to researchers like @hasherezade who have submitted Magniber samples to VirusTotal and left comments with the #Magniber tag.  That made recent samples much easier to find.

Shown above:  Desktop of an infected Korean Windows computer.

Shown above:  Tor page for viewing the decryption instructions.

Shown above:  Traffic from an infection filtered in Wireshark.

Final words

My standard disclaimer still applies.  System administrators and the technically inclined can implement best practices like Software Restriction Policies (SRP) or AppLocker to prevent these types of infections.

If I can generate some Magnitude EK traffic and acquire a newer Magniber sample, I will post the updated information.

Brad Duncan
brad [at]



0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Resume-themed malspam pushing Smoke Loader
Nov 19th 2017
1 day ago by Brad (0 comments)

BTC Pickpockets
Nov 18th 2017
2 days ago by DidierStevens (0 comments)

Top-100 Malicious IP STIX Feed
Nov 17th 2017
4 days ago by Xme (3 comments)

Suspicious Domains Tracking Dashboard
Nov 16th 2017
5 days ago by Xme (5 comments)

If you want something done right, do it yourself!
Nov 15th 2017
6 days ago by Xme (0 comments)

View All Diaries →

Latest Discussions

Strange user-agent on DSHIELD project
created Nov 20th 2017
1 day ago by DrGreen (0 replies)

Suspicious traffic to unusual site names in the .info TLD
created Nov 16th 2017
4 days ago by jauntysankey (0 replies)

Advice for setting up an inexpensive lab
created Nov 10th 2017
1 week ago by Anonymous (1 reply)

Linux Process Hunter
created Nov 8th 2017
1 week ago by Anonymous (0 replies)

Linux Process Hunter
created Nov 8th 2017
1 week ago by Anonymous (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
4 months ago by Brad (6 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
3 months ago by Johannes (12 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
2 months ago by Renato (0 comments)

Maldoc with auto-updated link
Aug 17th 2017
3 months ago by Xme (2 comments)

OAUTH phishing against Google Docs ? beware!
May 3rd 2017
6 months ago by Bojan (6 comments)