Updated Ransomware Getting Kinks Out

Tuesday, May 31, 2016 @ 05:05 PM gHale


DMA Locker ransomware is new and improved.

The first version of DMA Locker appeared this past January, but it was not a robust piece of software capable of taking victims down. In fact, it had the decryption key hardcoded in the ransomware binary, said Malwarebytes security researcher Hasherezade.

Researchers had no problem crafting a decrypter that recovered user files. The same thing happened with DMA Locker 2.0, which appeared almost a month later, at the start of February. Nevertheless, researchers noted an improvement over the first version.

Version 3.0, which appeared at the end of February, was the first one that malware analysts couldn’t crack. It also featured the first signs of a better encryption system.

Development on DMA Locker then took a big break until a few days ago, when Hasherezade noticed DMA Locker 4.0 for the first time. This new version boasts improvements that elevate DMA Locker to a top-echelon piece of ransomware.

The ransomware, which previously always worked offline, now uses a C&C server. Instead of a single encryption key hardcoded in the ransomware itself, DMA Locker now generates a unique AES encryption key for each file and encrypts these AES keys with a public RSA key obtained from the C&C server.

To decrypt all the locked files, the user needs the other part of the RSA key, called the private RSA key, which never touches the user’s computer. To obtain this key, users need to contact the DMA Locker authors. This is another major change from the previous ransomware versions.
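The two paragraphs above describe a textbook hybrid (envelope) encryption design, and the contrast with the hardcoded key of version 1 is what decides whether a free decrypter is possible. The following Go program is an added example written for this article; it is not DMA Locker's code and nothing about it comes from the malware. It models both designs in memory on two constructed byte strings (no files are touched): under the v1 model an analyst who pulls the hardcoded key out of the binary can decrypt, while under the 4.0 model each file gets its own AES-256 key wrapped with RSA-OAEP under the operator's public key, an unrelated private key unwraps nothing, and only the holder of the matching private key, which never reaches the victim's host, recovers the data. The key sizes, AES-GCM, OAEP with SHA-256, the sample contents and the function names are all this example's assumptions, not details reported about the malware.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed stand-ins for two victim files; everything stays in memory.
var sampleFiles = [][]byte{[]byte("quarterly numbers (constructed)"), []byte("fake jpeg bytes (constructed)")}
var hardcodedKey = []byte("0123456789abcdef0123456789abcdef") // v1 model: key baked into the binary (constructed)

// check aborts on errors that cannot occur with well-formed keys and rand.Reader.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	check(err)
	gcm, err := cipher.NewGCM(block)
	check(err)
	return gcm
}

// aesSeal encrypts with AES-256-GCM and prefixes the random nonce.
func aesSeal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	_, err := rand.Read(nonce)
	check(err)
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// aesOpen reverses aesSeal; the GCM tag turns a wrong key into an error, not garbage.
func aesOpen(key, sealed []byte) ([]byte, error) {
	gcm := gcmFor(key)
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, fmt.Errorf("ciphertext shorter than the %d-byte nonce", ns)
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// hybridSeal models the 4.0 design: a fresh AES-256 key per file, wrapped with RSA-OAEP.
func hybridSeal(pub *rsa.PublicKey, plaintext []byte) (wrappedKey, ciphertext []byte) {
	fileKey := make([]byte, 32)
	_, err := rand.Read(fileKey)
	check(err)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	check(err)
	return wrapped, aesSeal(fileKey, plaintext)
}

// unwrapKey needs the RSA private key; OAEP padding rejects a non-matching one.
func unwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// V1Recoverable: an analyst who lifts the hardcoded key from the binary can decrypt.
func V1Recoverable() bool {
	pt, err := aesOpen(hardcodedKey, aesSeal(hardcodedKey, sampleFiles[0]))
	return err == nil && bytes.Equal(pt, sampleFiles[0])
}

// V4Outcome reports: per-file keys differ, an unrelated private key unwraps nothing, the operator's key recovers all.
func V4Outcome() (distinctKeys, guessFails, operatorRecovers bool) {
	operator, err := rsa.GenerateKey(rand.Reader, 2048) // stays on the C&C side
	check(err)
	guess, err := rsa.GenerateKey(rand.Reader, 2048) // an analyst's unrelated key
	check(err)
	seen := map[string]bool{}
	distinctKeys, guessFails, operatorRecovers = true, true, true
	for _, data := range sampleFiles {
		wrapped, ct := hybridSeal(&operator.PublicKey, data)
		_, e := unwrapKey(guess, wrapped)
		guessFails = guessFails && e != nil
		fileKey, e := unwrapKey(operator, wrapped)
		check(e)
		distinctKeys = distinctKeys && !seen[string(fileKey)]
		seen[string(fileKey)] = true
		pt, e := aesOpen(fileKey, ct)
		operatorRecovers = operatorRecovers && e == nil && bytes.Equal(pt, data)
	}
	return
}

func main() {
	fmt.Println("v1 design, key lifted from the binary recovers the file:", V1Recoverable())
	d, g, o := V4Outcome()
	fmt.Println("4.0 design: distinct per-file keys:", d, "unrelated key fails:", g, "operator key recovers:", o)
}
```

The design point for responders is the asymmetry in V4Outcome: everything needed to encrypt (the public key) can sit on the victim host and be recovered from memory or traffic without helping, because the wrap is reversible only with the private half, and recovering one file's AES key says nothing about the next file. That is why the text says the only recovery path short of backups runs through whoever holds the private key.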

Previously, the ransomware required users to send an email to the author to obtain the decryption keys. Now, DMA Locker 4.0 is working with automation and even comes with its own website where users can pay their ransom, just like other ransomware varieties.

The catch, for now, is that the website is not fully functional. Hasherezade said the free test decryption doesn't return the decrypted file. Additionally, the website is on a public IP, not the Dark Web, making it susceptible to takedowns.

As it turns out, the website is on the same IP as the C&C server, so taking down this server will take down the attackers' entire operation at the same time.

DMA Locker has made huge leaps, and it is getting closer to how professional threats like Locky or CryptoWall operate.