Ahnlab Magniber Decrypt

AhnLab Recognized as 2020 South Korea Endpoint Security Vendor of the Year for Two Consecutive Years: 2020-12-17: 327: 227: AhnLab V3 Nominated as Top Product by AV-TEST on October 2020 Evaluation: 2020-12-07: 64: 226: AhnLab Warns of Phishing Website Disguised as Popular Out-of-Stock Items: 2020-11-18: 30: 225. DECRYPT ME; Search for: The Week in Ransomware – January 1st 2021. DID YOU KNOW: 1 in 13 web requests lead to malware. @BleepinComputer, @AhnLabSecuInfo, @chum1ng0, @siriurz, @Kangxiaopao, @Jirehlov, @fbgwls245, @MShahpasandi,.

  1. Ahnlab Magniber Decrypt V4
  2. Ahnlab Magniber Decrypt V4.1
Decrypt
  • Distribution Method : Automatic infection using exploit by visiting website
  • MD5 : d410ad89fe5e0350e648ac39308fd848
  • Major Detection Name :Trojan/Win32.Magniber.R215116 (AhnLab V3), Trojan.Win32.MyRansom.131072 (ViRobot)
  • Encrypted File Pattern : .ypail
  • Malicious File Creation Location :
    - C:Users%UserName%AppDataLocalREAD_FOR_DECRYPT.txt
    - C:Users%UserName%AppDataLocalypail.exe
    - C:Users%UserName%Desktop<Random>.exe
    - C:WindowsSystem32Tasksypail
    - C:WindowsSystem32Tasks<Random>
    - C:WindowsSystem32Tasks<Random>1
  • Payment Instruction File : READ_ME_FOR_DECRYPT.txt

Ahnlab Magniber Decrypt V4

  • Major Characteristics :
    - Offline Encryption
    - Only run on Korean operating system
    - Change the default values of the registry entry 'HKEY_CLASSES_ROOTmscfileshellopencommand' and disable system restore (wmic shadowcopy delete) using Event Viewer (eventvwr.exe)
    - Auto execute ransomware (pcalua.exe -a C:Users%UserName%AppDataLocalypail.exe -c <Random>) and payment instrucition file (%LocalAppData%READ_FOR_DECRYPT.txt) every 15 minutes by adding Task Scheduler entries
    - Auto connect MY DECRYPTOR site (cmd.exe /c start iexplore http://<URL>) every a hour by adding Task Scheduler entries
  • Distribution Method : Automatic infection using exploit by visiting website
  • MD5 : bdb30eefb423d7710d45501b2849bfad
  • Major Detection Name :Trojan/Win32.Magniber.R216865 (AhnLab V3), Trojan.Win32.MyRansom.114880856 (ViRobot)

Ahnlab Magniber Decrypt V4.1

  • Encrypted File Pattern : .ygshc
  • Malicious File Creation Location :
    - C:Users%UserName%AppDataLocalREAD_FOR_DECRYPT.txt
    - C:Users%UserName%AppDataLocalygshc.exe
    - C:Users%UserName%Desktop<Random>.exe
    - C:WindowsSystem32Tasksygshc
    - C:WindowsSystem32Tasks<Random>
    - C:WindowsSystem32Tasks<Random>1
  • Payment Instruction File : READ_ME_FOR_DECRYPT.txt
  • Major Characteristics :
    - Offline Encryption
    - Only run on Korean operating system
    - Change the default values of the registry entry 'HKEY_CLASSES_ROOTmscfileshellopencommand' and disable system restore (wmic shadowcopy delete) using Event Viewer (eventvwr.exe)
    - Auto execute ransomware (pcalua.exe -a C:Users%UserName%AppDataLocalygshc.exe -c <Random>) and payment instrucition file (pcalua.exe -a notepad.exe -c %LocalAppData%READ_FOR_DECRYPT.txt) every 15 minutes by adding Task Scheduler entries
    - Auto connect MY DECRYPTOR site (pcalua.exe -a http://<URL>) every a hour by adding Task Scheduler entries