Batu69 Posted May 23, 2016

Quote:

After it finishes the encryption process, a red window, similar to the one known from the previous editions, pops up.

From the beginning of this year, we are observing rapid development of DMA Locker. First, the threat was too primitive to even treat it seriously. Then it evolved to more complex but still decryptable ransomware. The 3.0 edition was very similar to the previous one that we described, so we skipped posting about its details (the only change was to fix the bug making it decryptable). Now we are facing an outbreak of version 4.0, coming with various changes.

In the past, DMA Locker was known for being installed on hacked Remote Desktops. The new release has been found distributed via an exploit kit (Neutrino). This change is another step towards maturity of the malware, showing that now this threat will be spreading on a bigger scale.

DMA Locker development timeline

discovered: January 2016
version: 1.0
crypto: files encrypted by AES-256 in ECB mode. The AES key is the same for each attacked file, stored in the binary and erased after use.
decryptable: yes, if we have the original sample
works offline: yes
prefix: ABCXYZ11
read more: here

discovered: 8 February 2016
version: 2.0
crypto: files encrypted by AES-256 in ECB mode. The AES key is randomly generated for each attacked file. After use, it is encrypted by RSA and stored in the file. The RSA public key comes hardcoded in the binary.
decryptable: yes. Due to the weak random generator, the AES key can be guessed.
works offline: yes
prefix: !DMALOCK
read more: here

discovered: 22 February 2016
version: 3.0
crypto: files encrypted by AES-256 in ECB mode. The AES key is randomly generated for each attacked file. After use, it is encrypted by RSA and stored in the file. The RSA public key comes hardcoded in the binary.
decryptable: no, the previous bug has been fixed. However, the RSA key is the same for the full campaign, and once we buy the private key, it can be reused for several victims.
works offline: yes
prefix: !DMALOCK3.0

discovered: 19 May 2016
version: 4.0
crypto: files encrypted by AES-256 in ECB mode; the key is randomly generated for each file. Each random AES key is encrypted by RSA and stored in the file. The RSA key pair is generated per client and the public key is downloaded.
decryptable: no. The RSA key cannot be reused either.
works offline: no
prefix: !DMALOCK4.0

Analyzed sample
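The version markers listed in the timeline above give an incident responder a cheap way to triage which DMA Locker generation touched a host, and they also show why marker order matters: "!DMALOCK" is a prefix of "!DMALOCK3.0" and "!DMALOCK4.0", so a naive check would misclassify 3.0 and 4.0 files as 2.0. The script below is an added example, not code from the quoted blog post or from this forum; it assumes the marker sits at the very start of an encrypted file (the post calls it a "prefix"), and every sample file it scans is constructed inline.

```python
import tempfile
from pathlib import Path

# Version markers exactly as listed in the quoted DMA Locker timeline.
# Ordered longest-first so the bare "!DMALOCK" marker of 2.0 is only
# matched after the longer 3.0 and 4.0 markers have been ruled out.
DMA_LOCKER_PREFIXES = (
    (b"!DMALOCK4.0", "4.0"),
    (b"!DMALOCK3.0", "3.0"),
    (b"!DMALOCK", "2.0"),
    (b"ABCXYZ11", "1.0"),
)

# Only this many leading bytes are needed to decide, so large files are cheap to check.
MAX_PREFIX_LEN = max(len(p) for p, _ in DMA_LOCKER_PREFIXES)


def classify_header(header: bytes):
    """Return the DMA Locker version whose marker starts `header`, else None."""
    for prefix, version in DMA_LOCKER_PREFIXES:
        if header.startswith(prefix):
            return version
    return None


def scan_tree(root):
    """Walk `root`, read the first bytes of each regular file and map path -> version."""
    hits = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            with path.open("rb") as fh:
                head = fh.read(MAX_PREFIX_LEN)
        except OSError:
            continue  # unreadable file: skip rather than abort the whole sweep
        version = classify_header(head)
        if version is not None:
            hits[str(path)] = version
    return hits


def summarize(hits):
    """Count affected files per version, e.g. {"4.0": 12, "3.0": 1}."""
    counts = {}
    for version in hits.values():
        counts[version] = counts.get(version, 0) + 1
    return counts


def demo():
    """Build a constructed sample tree in a temp dir, scan it and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        # Constructed files: marker followed by filler standing in for ciphertext.
        (root / "docs" / "report.docx").write_bytes(b"!DMALOCK4.0" + b"\x00" * 16)
        (root / "docs" / "old.xlsx").write_bytes(b"!DMALOCK3.0" + b"\x00" * 16)
        (root / "photo.jpg").write_bytes(b"!DMALOCK" + b"\x00" * 16)
        (root / "legacy.txt").write_bytes(b"ABCXYZ11" + b"\x00" * 16)
        (root / "clean.txt").write_bytes(b"plain text, untouched")
        (root / "empty.bin").write_bytes(b"")
        return summarize(scan_tree(root))


if __name__ == "__main__":
    print(demo())
```

The summary tells a responder what to expect before any recovery attempt: files marked 1.0 or 2.0 belong to the generations the timeline calls decryptable, 3.0 files share one campaign-wide RSA key, and 4.0 files carry a key pair generated per client, so no marker-based shortcut exists for them.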
oliverjia Posted May 24, 2016

LOL Nothing like this can threaten my Ubuntu 16.04 LTS, plus LUKS FDE of my data files.
steven36 Posted May 24, 2016

2 hours ago, oliverjia said: LOL Nothing like this can threaten my Ubuntu 16.04 LTS, plus LUKS FDE of my data files.

It's spread through email attachments and nested links. Nested links are really a bad problem on the internet nowadays. That's why I block all these malware domains and add any sites I find that are not in the filters yet to my filters. Plus I use MAM, MAE, NOD and SAS real time.