AhnLab's updated Magniber decryption tool replaces the earlier tool with a GUI version and now supports recovery of files that were previously unrepairable because the variant seen since April 8 uses a variable vector. Recovery is limited to cases where an encrypted/decrypted file pair exists together with the extension and key information.
- Distribution Method : Automatic infection through an exploit when visiting a website (drive-by download)
- MD5 : d410ad89fe5e0350e648ac39308fd848
- Major Detection Name : Trojan/Win32.Magniber.R215116 (AhnLab V3), Trojan.Win32.MyRansom.131072 (ViRobot)
![Ahnlab Magniber Decrypt](/uploads/1/1/8/5/118560939/713234680.jpg)
Ahnlab Magniber Decrypt V4
![Decrypt](/uploads/1/1/8/5/118560939/715379555.jpg)
Ahnlab Magniber Decrypt V4.1
- Encrypted File Pattern : .ypail
- Malicious File Creation Location :
- C:\Users\%UserName%\AppData\Local\READ_FOR_DECRYPT.txt
- C:\Users\%UserName%\AppData\Local\ypail.exe
- C:\Users\%UserName%\Desktop\<Random>.exe
- C:\Windows\System32\Tasks\ypail
- C:\Windows\System32\Tasks\<Random>
- C:\Windows\System32\Tasks\<Random>1
- Payment Instruction File : READ_ME_FOR_DECRYPT.txt
- Major Characteristics :
- Offline Encryption
- Runs only on Korean-language operating systems
- Changes the default value of the registry entry 'HKEY_CLASSES_ROOT\mscfile\shell\open\command' so that Event Viewer (eventvwr.exe), which launches the mscfile handler with elevated rights, runs the ransomware's command; that command deletes volume shadow copies (wmic shadowcopy delete), disabling system restore
- Executes the ransomware (pcalua.exe -a C:\Users\%UserName%\AppData\Local\ypail.exe -c <Random>) and opens the payment instruction file (%LocalAppData%\READ_FOR_DECRYPT.txt) every 15 minutes through Task Scheduler entries
- Opens the MY DECRYPTOR site (cmd.exe /c start iexplore http://<URL>) every hour through a Task Scheduler entry
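As an added example, not AhnLab's tool and not code from the original page, the following PowerShell script checks a host for the artifacts listed above: the mscfile handler hijack used with eventvwr.exe, the Task Scheduler entries, the dropped files in each user profile, files carrying the .ypail extension, and the presence of volume shadow copies. Paths, file names, task contents and the MD5 come from this page; the expectation that the machine-wide mscfile handler points at mmc.exe is a Windows default assumed here. Run it from an elevated prompt; it only reads and modifies nothing.

```powershell
# Added triage script for the Magniber (.ypail) indicators on this page.
# Not AhnLab's tool and not code from the original page. Paths, file names
# and the MD5 come from the page; the legitimate mscfile handler (mmc.exe)
# is assumed from Windows defaults. Read-only: run from an elevated prompt.

function Find-MagniberYpailIndicators {
    $findings = [System.Collections.Generic.List[string]]::new()
    $knownMd5 = 'd410ad89fe5e0350e648ac39308fd848'   # sample MD5 from the page

    # 1. eventvwr.exe UAC-bypass hijack. A non-admin write to HKCR\mscfile lands
    #    in HKCU\Software\Classes, which should not hold an mscfile handler on a
    #    clean host; the HKLM copy should still point at mmc.exe.
    $userKey = 'HKCU:\Software\Classes\mscfile\shell\open\command'
    if (Test-Path $userKey) {
        $cmd = (Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue).'(default)'
        $findings.Add("per-user mscfile handler present (eventvwr.exe hijack): $cmd")
    }
    $machineKey = 'HKLM:\Software\Classes\mscfile\shell\open\command'
    $machineCmd = (Get-ItemProperty -Path $machineKey -ErrorAction SilentlyContinue).'(default)'
    if ($machineCmd -and $machineCmd -notmatch 'mmc\.exe') {
        $findings.Add("machine mscfile handler no longer points at mmc.exe: $machineCmd")
    }

    # 2. Task Scheduler persistence. Task definitions are XML files under
    #    System32\Tasks; the page's tasks run pcalua.exe, the note and iexplore.
    $taskDir = Join-Path $env:SystemRoot 'System32\Tasks'
    Get-ChildItem -Path $taskDir -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
        if ($xml -match 'pcalua\.exe|READ_FOR_DECRYPT|ypail\.exe|start iexplore') {
            $findings.Add("suspicious scheduled task: $($_.FullName)")
        }
    }

    # 3. Dropped files in every profile (note and dropper in AppData\Local),
    #    plus any files already renamed with the .ypail extension.
    $userRoot = Join-Path $env:SystemDrive 'Users'
    foreach ($userDir in Get-ChildItem -Path $userRoot -Directory -ErrorAction SilentlyContinue) {
        foreach ($name in 'READ_FOR_DECRYPT.txt', 'ypail.exe') {
            $p = Join-Path $userDir.FullName "AppData\Local\$name"
            if (Test-Path $p) {
                $findings.Add("dropped file present: $p")
                if ($name -like '*.exe') {
                    $hash = (Get-FileHash -Path $p -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
                    if ($hash -eq $knownMd5) { $findings.Add("MD5 of $p matches known sample $knownMd5") }
                }
            }
        }
    }
    $encrypted = @(Get-ChildItem -Path $userRoot -Recurse -File -Filter '*.ypail' -ErrorAction SilentlyContinue)
    if ($encrypted.Count -gt 0) {
        $findings.Add("$($encrypted.Count) files carry the .ypail extension (first: $($encrypted[0].FullName))")
    }

    # 4. Shadow copies. Zero copies is not proof by itself (many hosts never had
    #    any) but, with the findings above, corroborates 'wmic shadowcopy delete'.
    $shadowCount = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
    if ($shadowCount -eq 0) { $findings.Add('no volume shadow copies present') }

    return $findings
}

$result = Find-MagniberYpailIndicators
if ($result.Count -eq 0) {
    Write-Output 'No Magniber (.ypail) indicators found.'
} else {
    $result | ForEach-Object { Write-Output "[!] $_" }
}
```

The registry check looks at HKCU rather than the HKCR alias the page names because HKCR is a merged view: a write made by an unprivileged process, which is the whole point of the eventvwr.exe bypass, is stored under HKCU\Software\Classes, and the HKLM entry is what a clean host should still have.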