AhnLab’s new Magniber decryption tool renewed the existing tool in GUI format and now supports recovery for the parts that used to be unrepairable due to a variable vector found since April 8. However, it is limited to the case where encrypted/decrypted file exists as a pair with extension and key information.
The tool is designed to show key and vector information upon entering the encryption extension information. Key and vector information of extension is managed as the database file with the name of ‘magniber.db’ inside the decryption tool and it was continuously updated until it was expired in October 2019. It is not able to be recovered if key and vector information do not appear after entering the extension. In this case, ‘magniber.db’ file needs to be updated.
[How to use decryption tool]
1) Download and install ‘MagniberDecrypt.exe’ to an infected PC.
– You do not have to consider too much on the file path since it automatically explores the drive during recovery,.
Figure 1. Download & install the decryption tool
2) When the tool is executed, a folder install file is created in the same path and the program is run automatically. When program window appears, enter the extension of the encrypted file in the entry field for encryption extension and click ‘confirm’.
Case (1): Both Key and IV value appear upon entering extension
If there are both Key and IV value upon pressing ‘confirm’ button, press ‘Start’ to automatically recover file. Since encrypted file is not deleted, free up separate space for decryption.
Case (2): Only Key value appears upon entering extension (no IV value)
If there is only Key value, you need the original file and encrypted file. Original file should be acquired from the recovery process provided by the webpage that you will be connected to in case of ransomware infection. Backup the recovery file at the time of infection as connection to the service page will not be allowed after certain period of time.
Once you obtain a pair of original and infected file, enter each file path in ‘Original File’ and ‘Decrypt File’. You can select a file by clicking ‘…’ button. Press ‘Start’ to automatically recover the file and infected file will not be deleted.
Case (3): Warning screen pops up after you enter the extension, saying ‘this extension is not supported’ – magniber.db file should be updated
1) If the alarm pop-up appears after extension is entered, you must update “magniber.db” file. Key and IV value are saved in “magniber.db” file and it will be continuously updated.
2) In case the database file was updated via ASEC blog, go to the folder ‘AhnlabMagniberDecrypt’ created in the same path that ‘MagniberDecrypt.exe‘ file was executed. Then, overwrite ‘magniber.db’ file.
[Caution]
If you updated ‘magniber.db’ file, the file will be reset if you rerun the original ‘MagniberDecrypt.exe’ file. So, please run ‘MagniberDecrypt.exe’ in ‘AhnlabMagniberDecrypt’ folder in case you close and rerun the decryption tool.
Case (4): Having to enter the value manually, not magniber.db
Check “For Expert” category on the top right side of the tool and enter key and vector information manually. Then, press the ‘Start’ button to automatically recover the file. As encrypted file is not deleted, free up separate space for decryption.
*Decrypt tool download: https://www.ahnlab.com/kr/site/download/product/productVaccineList.do
(Access the URL above to download ‘MagniberDecrypt.exe’ file)
“AhnLab-exclusive antivirus and ransomware decrypt tool can be installed and run for free and non-commercial use. Any type of commercial use is strictly forbidden.
If commercial use · selling · reselling of product is found, legal actions will be taken against the perpetrator.”
[April 19] – Update!!
복구가능목록.xlsx (translated: list of recoverable.xlsx)
[April 12]
복구가능목록.xlsx (translated: list of recoverable.xlsx)
* Since extension/key/vector information that used to be provided as the table from the webpage below are overwhelming in terms of quantity, they will be separately attached in form of DB file or excel file
* CHUNK_SIZE is 128 in the source code for Magniber ransomware recovery disclosed in Github. However, the one actually distributed in Korea is 0x100000 byte. If the value is not modified, it can be recognized as a corrupted file when executed, since some recovered file contains a padding data at the end of the file.
– https://gist.github.com/evilsocket/b89df665e6d52446e3e353fc1cc44711
※ Update on Magniber ransomware decrypt tool is no longer supported due to change in encryption method of ransomware.
Categories:Response Guide