The language-specific ransomware attacks South Korea

by Alice Woods - -

Users in Asia Pacific region, particularly those in South Korea, should consider their cyber security. A security firm FireEye announced that the Magnitude Exploit Kit which is used in order to spread the Magniber ransomware attacks consumers in South Korea.

ransomware south korea 

There have been zero announcements about Magnitude EK activities since last September when it was detected attacking users in Taiwan spreading the Cerber ransomware. However, the attackers’ activities were recently discovered in South Korea with different payload – Magniber.[1]

The first resurgence in the Magnitude Exploit Kit in the recently performed cyber attacks was a malvertising redirection.

According to security experts at TrendMicro, these malvertisements filter its targets applying the geolocation of the consumers’ system languages and IP addresses. [2]

It is the main method applied by EKs and different cyber attacks to avoid detection and cover malicious activities from security software and researchers.

Unfortunately, the research indicated that the Magniber ransomware payload only attacks systems based in Korea – malware is not executing as the system language is not Korean. Thus, malware becomes one of the few language and/or country-specific ransomware.

While many ransomware families like Cerber, SLocker and Locky are increasingly pinpointing their targets, they’re still distributed globally. They typically integrate multi-language checklists and functionalities in their codes, such as when serving ransom notes and redirecting victims to their payment pages. Some borrow a publicly available source code and just customize it depending on their target. Last year, for instance, we saw KaoTear, a Korean language-specific ransomware based on Hidden Tear.

Luckily, the Magniber ransomware is still in the creation and experimental stages.

Researchers also noted: “Indeed, we’re bound to see more developments in both Magnitude and Magniber as their capabilities and tactics are fine-tuned.” 

At the moment, Magnitude only uses one bug in order to receive and operate the payload. CVE-2016-0189 which was patched last year in May – a memory corruption bug in the Internet browser. This bug is also exploited by Disdain, Sundown and other malicious actors.

Creating patches for older vulnerabilities should be the first line of protection and defense.

Muhammad Umair and Zain Gardezi, security researchers at FireEye indicated in their analysis that the ransomware is the significant threat to businesses and corporations:[1]

While the current threat landscape suggests a large portion of attacks are coming from emails, exploit kits continue to put users at risk—especially those running old software versions and not using ad blockers. Enterprises need to make sure their network nodes are fully patched.


About the author

Alice Woods
Alice Woods - Antivirus software analyst

Alice Woods is an anti-malware analyst at She is passionate about testing new pieces of software and discovering pros and cons of each program.

Contact Alice Woods
About the company Esolutions


now online
Like us on Facebook