Magniber Ransomware Removal Guide

Do you know what Magniber Ransomware is?

A new ransomware infection strictly targeting users from South Korea has been detected by our malware researchers. It is called Magniber Ransomware (Magnitude exploit kit + Cerber Ransomware = Magniber Ransomware). It has been given this name not without reason. It seems that it is spread via Magnitude exploit kit mainly, and it looks like a new variant of Cerber Ransomware, a nasty crypto-threat. Most likely, you will not even notice how this infection slithers onto your computer because it does that illegally, but we are sure you will soon find out about its successful entrance because a bunch of your personal files will be locked. It targets hundreds of files having .jpg, .png, .rtd, .vcd, .xlm, .vrm, .pps, .ppt, .doc, .bak, .arc, .abw, .scv, .wp5, .thp, .sla, .sci, .now, .nlm, and other extensions. It should be emphasized that not all the users find their files encrypted. You are safe if you do not live in South Korea. In such a case, the malicious file of the ransomware infection will disable itself automatically. Specifically speaking, the malicious file representing Magniber Ransomware will be deleted from your system.

Following the successful entrance, Magniber Ransomware checks IP address, language used, date format, and other tiny details to make sure that the victim is from South Korea. As mentioned above, if it turns out that the victim lives on the other side of the world, the ransomware infection disables itself right away and leaves users’ personal files intact. Unfortunately, we cannot say the same about files belonging to users living in South Korea. Magniber Ransomware locks them all right away using the AES-128 cipher. It will not take long to find out which of your files have been encrypted because they all get .ihsdj, a new extension, appended to them and, additionally, users are no longer allowed to open them. These are, of course, not the only symptoms showing that the entrance of the ransomware infection was successful. After the successful installation of Magniber Ransomware on your computer, you should also be able to find a new .txt file READ_ME_FOR_DECRYPT_[random characters]_.txt in %TEMP%. This file will also be opened automatically on your Desktop. Its first sentence tells why files can no longer be opened: “ALL YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!.” Also, users are told that they need the “private key and decryption program” to decrypt the affected personal data. Even though Magniber Ransomware does not tell users about the ransom at first, they find out that they have to pay 0.2 BTC (~ 1100 USD) to the provided Bitcoin address after they download Tor Browser and open the .onion link. You can give cyber criminals one of these locked files to decrypt for free, but you should not pay the ransom to them because the chances are high that you could not decrypt those locked files even if you make a payment. Unfortunately, there is not much you can do to get your files back in such a situation. You can only go to restore them from a backup after the full ransomware removal.Magniber Ransomware Removal GuideMagniber Ransomware screenshot
Scroll down for full removal instructions

Magniber Ransomware is spread like Cerber Ransomware. According to our malware researchers, the so-called Magnitude Exploit Kit delivers this infection to users’ computers. Of course, other distribution methods might be used to promote it too, researchers say. For example, like a bunch of other ransomware infections, it might also be spread via spam emails. No matter how it has slithered onto your computer, you must delete it as soon as possible because it will not delete itself from your system anytime soon, meaning that it might lock all new files you create.

You must delete Magniber Ransomware fully so that it could not encrypt new files you create. It is not enough to restart the computer to disable it because it creates a point of execution (PoE) in %WINDIR%\System32\Tasks. Luckily, it is not one of those sophisticated malicious applications that make modifications in the system registry and/or block system utilities. Consequently, it should not be very hard to get rid of it if you follow our step-by-step manual removal guide. If you consider yourself an inexperienced user, it would be best that you delete this malicious application from your computer automatically because it is very important not to leave a single malicious component so that Magniber Ransomware could not revive.

Remove Magniber Ransomware manually

  1. Open Explorer by pressing Win+E simultaneously.
  2. Remove the malicious file, e.g., ihsdj.exe representing Magniber Ransomware (if you are not allowed to delete it, open Task Manager and kill the malicious process first).
  3. Open %WINDIR%\System32\Tasks.
  4. Delete the Task file, e.g., ihsdj.
  5. Remove READ_ME_FOR_DECRYPT_[random characters]_.txt from %TEMP%.
  6. Empty Recycle bin.

In non-techie terms:

Magniber Ransomware is a harmful malicious application that slithers onto users’ computers to lock their files. When users’ pictures, documents, text files, videos, etc. become encrypted, it then drops a ransom note with step-by-step instructions. Generally speaking, users are told to download Tor Browser and open the provided link. The message this page contains tells users that they need a private key and special program to unlock the encrypted data. Their total price is 0.2 BTC (~ 1100 USD), which is very expensive. There are no guarantees that you could unlock your files if you make a payment, so keep your money to yourself and, instead, remove the ransomware infection fully using instructions listed above ASAP.