
DMA Locker 4.0 – Known Ransomware Preparing For A Massive Distribution


Batu69


[screenshot: dma_gui4.png]

After it finishes the encryption process, a red window, similar to the one known from the previous editions, pops up.

Since the beginning of this year, we have been observing the rapid development of DMA Locker. At first, the threat was too primitive to even be taken seriously. Then it evolved into a more complex, but still decryptable, ransomware.

The 3.0 edition was very similar to the previous one that we described, so we skipped posting about its details (the only change was a fix for the bug that made it decryptable). Now we are facing an outbreak of version 4.0, which comes with various changes.

In the past, DMA Locker was known for being installed on hacked Remote Desktops. The new release has been found being distributed via an exploit kit (Neutrino). This change is another step towards the maturity of the malware, showing that this threat will now be spreading on a bigger scale.

DMA Locker development timeline

discovered: January 2016
version: 1.0
crypto:

  • files encrypted by AES-256 in ECB mode.
  • AES key is the same for each attacked file, stored in the binary and erased after use.

decryptable: yes, if we have the original sample
works offline: yes
prefix: ABCXYZ11
read more: here


discovered: 8 February 2016
version: 2.0
crypto:

  • files encrypted by AES-256 in ECB mode
  • AES key is randomly generated for each attacked file. After use, it is encrypted by RSA and stored in the file
  • RSA public key comes hardcoded in the binary.

decryptable: Yes. Due to the weak random generator, the AES key can be guessed.
works offline: yes
prefix: !DMALOCK
read more: here


discovered: 22 February 2016
version: 3.0
crypto:

  • files encrypted by AES-256 in ECB mode
  • AES key is randomly generated for each attacked file. After use, it is encrypted by RSA and stored in the file
  • RSA public key comes hardcoded in the binary.

decryptable: No, the previous bug has been fixed. However, the RSA key is the same for the full campaign, and once the private key is bought, it can be reused for several victims.
works offline: yes
prefix: !DMALOCK3.0


discovered: 19 May 2016
version: 4.0
crypto:

  • files encrypted by AES-256 in ECB mode, key is randomly generated for each file.
  • each random AES key is encrypted by RSA and stored in the file
  • RSA key pair is generated per client and the public key is downloaded.

decryptable: No. The RSA key cannot be reused either.
works offline: no
prefix: !DMALOCK4.0

 

Analyzed sample
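As an added example (not code from the original post, nor from the article it quotes), the following Python triage script classifies files on a suspect host by the version prefixes listed in the timeline above, so a responder can tell which DMA Locker edition hit the machine and whether the table gives any chance of recovery. The header layout beyond the prefix is not described on this page, so nothing past the marker is parsed; the sample headers at the bottom are constructed, not taken from real samples.

```python
"""Triage helper for the DMA Locker file markers listed in the timeline above.

Added example, not from the original post: it reads the first bytes of each
file and classifies it by the version prefix the post lists. The on-disk
layout after the marker is not described on the page, so it is not parsed.
"""
import os
import sys

# Marker -> (version, recovery note); values copied from the timeline above.
MARKERS = {
    b"ABCXYZ11":    ("1.0", "decryptable if the original sample is available"),
    b"!DMALOCK":    ("2.0", "decryptable: weak random generator, AES key can be guessed"),
    b"!DMALOCK3.0": ("3.0", "not decryptable; RSA key shared across the campaign"),
    b"!DMALOCK4.0": ("4.0", "not decryptable; RSA key pair generated per client"),
}

# Longest markers first: "!DMALOCK" is itself a prefix of "!DMALOCK3.0" and
# "!DMALOCK4.0", so a naive first-match would misreport 3.0/4.0 files as 2.0.
_ORDERED = sorted(MARKERS, key=len, reverse=True)
_MAX_LEN = len(_ORDERED[0])


def classify_header(header: bytes):
    """Return (version, note) for a file's leading bytes, or None if no marker matches."""
    for marker in _ORDERED:
        if header.startswith(marker):
            return MARKERS[marker]
    return None


def tally(samples):
    """samples: iterable of (name, header_bytes). Returns {version: [names]}."""
    hits = {}
    for name, header in samples:
        result = classify_header(header)
        if result:
            hits.setdefault(result[0], []).append(name)
    return hits


def iter_headers(root: str):
    """Yield (path, first bytes) for every readable file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    yield path, fh.read(_MAX_LEN)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan


def scan_tree(root: str):
    """Walk a directory tree and tally marked files per DMA Locker version."""
    return tally(iter_headers(root))


# Constructed sample headers (hypothetical file names, filler bytes) so the
# script can be exercised without real encrypted files.
SAMPLE_HEADERS = [
    ("invoice.docx", b"!DMALOCK4.0" + b"\x00" * 16),
    ("photo.jpg",    b"!DMALOCK" + b"\x01" * 16),
    ("report.pdf",   b"!DMALOCK3.0" + b"\x02" * 16),
    ("notes.txt",    b"ABCXYZ11" + b"\x03" * 16),
    ("clean.txt",    b"hello world"),
]


def report(hits):
    """Print one line per version with the file count and the recovery note."""
    for marker in _ORDERED:
        version, note = MARKERS[marker]
        files = hits.get(version, [])
        if files:
            print(f"DMA Locker {version}: {len(files)} file(s) - {note}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        report(scan_tree(sys.argv[1]))   # usage: python triage.py /path/to/scan
    else:
        report(tally(SAMPLE_HEADERS))    # no path given: run on the constructed samples
```

Run it against a mounted copy of the affected volume rather than the live system; it only reads the first eleven bytes of each file, so it is cheap even on large shares, and the per-version count tells you immediately whether the "decryptable" rows of the table apply.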


LOL

Nothing like this can threaten my Ubuntu 16.04 LTS, plus LUKS FDE of my data files.



2 hours ago, oliverjia said:

LOL

Nothing like this can threaten my Ubuntu 16.04 LTS, plus LUKS FDE of my data files.

It's spread through email attachments and nested links. Nested links are really a bad problem on the internet nowadays. That's why I block all these malware domains and add any sites I find that are not in the filters yet to my filters. Plus I use MAM, MAE, NOD and SAS in real time.


[screenshots: alhNn5i.png, LuSWRpv.png]
