Ransomware5
Ransomware5

A new variety of ransomware has recently appeared and is displaying some very unusual behavior, primarily by only targeting South Korean entities and actively ignoring any other potential victims.

The malware, named Magniber and which is delivered by the Magnify exploit kit, is unusual in several ways, according to researchers at Malwarebytes and Trend Micro. The ransomware/EK combo began striking South Korean targets on October 15 and doing so in a way not seen before in a ransomware. Magnitude is using methods such as language checks, external IP and geolocation to ensure that only South Koreans are impacted.

“Targeting a single country is unusual on its own, but performing multiple checks to be sure of the country and language of origin makes this a first for ransomware,” Malwarebytes researchers noted.

Trend Micro's fraud researcher Joseph Chen agreed noting that while Cerber, SLocker and Locky are used in pinpoint attacks these are not limited to just one country, but are carried out worldwide. Trend's researchers also found it interesting that Magnitude had disappeared briefly from the threat map starting on September 23 before starting its South Korean attacks on October 15 and prior to that had mainly been used against targets in Taiwan where it dropped more well-known types of ransomware.

Considering the high-stakes game of political brinkmanship that has taken place surrounding the Korean peninsula over the last several that has seen North Korean hackers attacking their southern neighbor, not to mention missile tests and military exercises being conducted by both sides, it might be understandable to believe North Korea is responsible. However, Jerome Segura, Malwarebytes' lead malware intelligence analyst, told SC Media  that while the study did not look at a geopolitical motivation, but thought more might be learned about the attacker's motivation in the coming weeks.

Trend Micro also does not point any fingers.

"Trend Micro does not disclose attribution of nation-state activities mainly because we feel attribution is extremely hard to accurately identify based on most of the IoCs," Jon Clay, Trend's director of global threat communications, told SC Media.

The attacks themselves are conducted through malvertising and currently Magnitude is exploiting the previously patched CVE-2016-0189, a memory corruption vulnerability in Internet Explorer. Encryption is mostly AEX in CBC mode, Malwarebytes reported.

If a non-Korean target does happen to come across Magnitude/Magniber Malwarebytes said it runs a quick ping command and then deletes itself.

Another odd aspect is the ransom note that is generated is in English and in some ways mimics what a Cerber ransomware victim might see, Malwarebytes noted.

However, Chen said there are some indications that the Magniber attacks may represent a test case, possibly being either conducted by or with the permission of Magnitude's creators, and he predicts the attack will be further developed.