Magnus and NoCry: Collaboration between two ransomware developers

By Sojun Ryu, The Readable
July 26, 2022 7:03PM KST

Magnus and NoCry ransomware gangs are working together through Telegram to develop ransomware. The two gangs recently emerged in the ransomware development industry, and they are targeting not only enterprises, but also individuals.

◇ Magnus Ransomware

On June 15, the Magnus ransomware group uploaded a sales promotion, claiming that its ransomware can bypass antivirus software such as Malwarebytes, Avast, and Bitdefender. The group also mentioned that the ransomware can disable antivirus programs so that encryption succeeds even in cases where it is detected. The group's messages show that its English is poor, which implies that the developers are not native English speakers.

Source: S2W

According to the group’s posts, Magnus ransomware was created on May 1, and began spreading on June 14. Initially, the group set its prices at $25 to generate new ransomware and $500 to purchase its builder software. Since then, they have raised the builder's price to $700. The group mentioned that they do not target hospitals or railways. In addition, they are selling tutorials about how to spread the ransomware for $30.

By analyzing the group and its ransomware, The Readable discovered that Magnus ransomware, in the early stages, was not a new ransomware but was generated by the known ransomware builder Chaos. The only thing that Magnus changed in Chaos was the ransom note.

On July 6, Magnus announced that it had reconstructed the source code of its ransomware and released it as a demo version of an encryptor and decryptor. In the namespace of the code, the group wrote the name “magnusRansomware,” but The Readable confirmed that the internal code is exactly the same as the open-source code.

Three days later, Magnus ransomware version 4.5, also known as “bitcoin edition,” was released on the group’s Telegram channel. The group sold it for $75 and added several features, such as faster encryption than the previous version, disabling antivirus and Task Manager, and setting icons and extensions. However, The Readable also found evidence that the previously public code was reused. The software was leaked to a Telegram channel a few days later.

Furthermore, the group shared news that a website belonging to an Italian pharmacy was infected with Magnus ransomware. However, the group has not shown high-level skills, considering that it is using open-source code and reusing it repeatedly.

◇ NoCry Project

The NoCry ransomware group runs a Telegram channel called “NoCry Project.” They started their activities on July 9 by posting a Chinese article about selling proxies. Three days later, they uploaded an image which was similar to WannaCry and stated that they had made NoCry ransomware. At the same time, they announced that they would add Chinese and Spanish versions in the near future. It is presumed that some of the members participating in this project are Chinese, given that the posting was initially written in Chinese.

The group claimed that NoCry ransomware was detected by only 6 out of 26 antivirus programs. Afterwards, they announced that the group had started developing BlackHat ransomware with a few pictures of NoCry in black color. They also claimed to have packed their ransomware using Net_Pain Cryptor.

Since then, NoCry has released screenshots of the NoCry builder software, which can set the web panel log address used to send infection logs, as well as bitcoin addresses, emails, prices, extensions, and due dates. It even supports several execution options.

NoCry receives logs from infected machines via Discord. This is similar to info-stealer malware, and the logs contain the ID, key, IP, etc. All the victims who have been exposed on the NoCry channel so far appear to be individual users, not enterprises. NoCry said that they will add a WiFi worm feature in the future.

Information about NoCry 1.5.0, the most recent version, was uploaded on July 21. It is on sale for $30 for a week and $455 for a lifetime.

◇ Poor Performance and Collaboration

The Magnus and NoCry groups have been active for about a month. It appears that they started accepting donations because their ransomware showed poor sales performance. Moreover, the contact information for Magnus ransomware version 4.5 (bitcoin edition), which was leaked to another Telegram channel, was changed to “Mr Clancy.”

Mr Clancy was also mentioned in NoCry ransomware. On a button for the NoCry ransomware builder, the name Mr Clancy appears in a message box. It is assumed that the two ransomware groups, Magnus and NoCry, decided to develop ransomware together while they were communicating about the leak of Magnus ransomware version 4.5.

◇ SkyNetLocker

On July 19, NoCry mentioned that they were working on a reborn version of SkyNet ransomware. They also said that SkyNet ransomware is old, but very useful since it has dangerous features. NoCry redesigned a ransom note window to combine with SkyNet, along with an ability to spread the ransomware to all devices connected to the same Wi-Fi. The price is $20 per week.

However, SkyNet has also been found to be ransomware that was previously generated by Chaos, much like the early Magnus ransomware. Once again, the group is trying to sell ransomware that was constructed by Chaos.

Ultimately, NoCry is likely to leverage open-source code to sell ransomware. Magnus ransomware has been performing the same tricks. While NoCry continues to improve its ransomware, there are still many shortcomings. It remains to be seen whether the two groups’ collaboration will continue in the future and whether NoCry will continue to update its ransomware.

hypen@thereadable.co

“Sigma,” cybersecurity researcher at S2W, contributed to this article.
The cover image of this article was designed by Areum Hwang.


Sojun Ryu is a cybersecurity researcher for The Readable. He graduated from the “Best of the Best” next-generation security expert training program (BoB) at the Korea Information Technology Research Institute (KITRI) in 2013, and holds a master’s degree in information security from Sungkyunkwan University in Korea. He worked at KrCERT/CC for seven years, analyzing malware and responding to incidents. He is also one of the authors of "Operation Bookcodes," published by KrCERT/CC in 2020. Recently, Ryu has been focusing on threat intelligence, cybercrime, and advanced persistent threats (APT) by expanding into the deep, dark web with TALON, the Cyber Threat Intelligence group at S2W.