
How to Detect Magniber Ransomware on Your Network

22 October 2017 NetFort Blog By: Darragh Delaney
Magniber Ransomware Splash Screen

What is Magniber Ransomware?

Magniber Ransomware was first discovered by security researcher Michael Gillespie. It is a crypto ransomware, which aims to encrypt personal data and files. At the moment it is only targeting users in South Korea and the Asia-Pacific regions. The Ransomware is primarily being distributed by the Magnitude exploit kit, a primary distribution vehicle in the past for Cerber Ransomware.

Monitoring File Activity on Your Network

You need to be monitoring file and folder activity before you can detect any variant of Ransomware on your network. One of the easiest ways to do this is to monitor the network traffic going to and from your network file servers. Most managed switches support SPAN or mirror ports and these allow you to get a copy of the network packets going to and from your file servers.

Once you have your data source in place you can use a tool like our own LANGuardian to extract file and folder metadata from the network packets. Metadata includes things like filenames, actions and usernames. As well as monitoring traffic associated with your file servers we also recommend that you monitor all traffic at your network perimeter. Ransomware needs to communicate with the outside world so having visibility at the network edge is important when it comes to detecting and alerting on Ransomware activity.

How to detect the presence of Magniber Ransomware

  1. Watch for any files with .ihsdj or .kgpvwnr extensions
  2. Ransom notes associated with Magniber will contain the text READ_ME_FOR_DECRYPT
  3. An increase in file renames is a sure sign of Ransomware.
  4. Check for the presence of any TOR clients on your network

.ihsdj and .kgpvwnr file extensions

Magniber Ransomware targets certain file extensions. When it encounters a targeted file type, it will encrypt the file and append the extension .ihsdj or .kgpvwnr to the encrypted file’s name. Watch out for any files with extensions like these on network file shares. If you spot any, you need to take the client that created them off the network.

The image below shows an example of what to look out for. It was generated by using the LANGuardian Windows File Shares :: Filenames by Actions report to focus on any files with the extension .ihsdj or .kgpvwnr.

Ransom note filename will contain the text READ_ME_FOR_DECRYPT

While encrypting your data, Magniber will create a ransom note named READ_ME_FOR_DECRYPT_[id].txt in each folder in which a file is encrypted. The ID will be unique to you. Any clients creating these text files need to be removed from your network and blocked permanently or reinstalled.

The image below shows an example of what to look out for. It was generated by using the LANGuardian Windows File Shares :: Filenames by Actions report to focus on any files with this text string in the name.

Magniber Ransomware Ransom Note

Watch out for an increase in file renames, a sure sign of Ransomware activity

File renames are not a common action when it comes to activity on network file shares. Over the course of a normal day, you may end up with just a handful of renames even if you have hundreds of users on your network. When Ransomware strikes, it will result in a massive increase in file renames as your data gets encrypted.

You can use this behavior to trigger an alert. If the number of renames goes above a certain threshold, then you have a potential Ransomware issue. Our recommendation is to base your alert on 4 or more renames per second.

The video below shows how you can set up a LANGuardian trend graph which you can then use to create an alert. It also demonstrates how you can set up a file activity monitoring report which shows any filenames with extensions known to be associated with Ransomware.
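The three file-share checks described above (encrypted-file extensions, ransom note names, and 4 or more renames per second) can be combined into one pass over exported file activity records. The following is an added example, not LANGuardian's own logic and not part of the original post; the record layout, client addresses and the EXAMPLEID placeholder are constructed for illustration.

```python
import re
from collections import defaultdict, deque, namedtuple

# Constructed record layout: "epoch_seconds client action path". For a rename,
# path is assumed to be the NEW name. Real monitor exports will differ.
Event = namedtuple("Event", "ts client action path")

ENCRYPTED_EXTS = (".ihsdj", ".kgpvwnr")        # extensions named in the article
NOTE_RE = re.compile(r"READ_ME_FOR_DECRYPT", re.IGNORECASE)
RENAMES_PER_SECOND = 4                         # alert threshold from the article

def parse(line):
    ts, client, action, path = line.split(" ", 3)
    return Event(float(ts), client, action.lower(), path)

def detect(events):
    """Return {client: set of indicator names} for a time-ordered event list."""
    findings = defaultdict(set)
    recent = defaultdict(deque)                # client -> rename times in last 1 s
    for ev in events:
        if ev.path.lower().endswith(ENCRYPTED_EXTS):
            findings[ev.client].add("encrypted-extension")
        if NOTE_RE.search(ev.path.rsplit("/", 1)[-1]):
            findings[ev.client].add("ransom-note")
        if ev.action == "rename":
            window = recent[ev.client]
            window.append(ev.ts)
            # Sliding window, so a burst that straddles a clock second still counts.
            while ev.ts - window[0] >= 1.0:
                window.popleft()
            if len(window) >= RENAMES_PER_SECOND:
                findings[ev.client].add("rename-burst")
    return dict(findings)

# Constructed sample events (not real telemetry).
SAMPLE_LOG = """\
1508670000.60 10.0.0.21 rename finance/q3 report.xlsx.ihsdj
1508670000.80 10.0.0.21 rename finance/budget.docx.ihsdj
1508670001.10 10.0.0.21 rename finance/payroll.csv.ihsdj
1508670001.30 10.0.0.21 rename finance/notes.txt.ihsdj
1508670001.40 10.0.0.21 create finance/READ_ME_FOR_DECRYPT_EXAMPLEID.txt
1508670005.00 10.0.0.35 rename hr/policy-draft.docx
1508670042.00 10.0.0.35 rename hr/policy-final.docx
1508670050.10 10.0.0.40 rename eng/a.txt
1508670050.20 10.0.0.40 rename eng/b.txt
1508670050.30 10.0.0.40 rename eng/c.txt
"""

if __name__ == "__main__":
    for client, reasons in detect(map(parse, SAMPLE_LOG.splitlines())).items():
        print(client, sorted(reasons))
```

Only 10.0.0.21 is reported: the two routine renames from 10.0.0.35 and the three-rename burst from 10.0.0.40 stay below the threshold.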

Watch out for TOR clients on your network

Tor is free software for enabling anonymous communication. The name is derived from an acronym for the original software project name “The Onion Router”. Tor directs Internet traffic through a free, worldwide, volunteer overlay network consisting of more than seven thousand relays to conceal a user’s location and usage from anyone conducting network surveillance or traffic analysis.

Magniber Ransomware uses a TOR-based payment system called My Decryptor, which is located at the TOR URL [victim_id].ofotqrmsrdc6c3rz.onion. This site will provide information on the ransom amount, the bitcoin address to which payments must be made, and information on how to purchase bitcoins.

An IDS can detect the presence of TOR clients on your network. While a TOR client is not an indication of Ransomware activity, you should look at removing them from your network or find out why users need to use such a service. The image below shows an example of what to watch out for.

TOR IDS Signatures

Worried about Ransomware? Download a free trial of LANGuardian today

If you want to audit your network for signs of Ransomware activity, download a 30-day free trial of LANGuardian. This includes a pre-configured Ransomware dashboard, so you get instant visibility of any suspicious activity.