DMA Locker Ransomware has been significantly improved

Pierluigi Paganini May 25, 2016

Malware authors behind the DMA Locker ransomware have improved the threat is a significant way, now it is ready for a massive distribution.

Ransomware represents one of the most worrying cyber threats in the wild, vxers continue to improve their code making hard for victims to defend their systems.

Now experts from Malwarebytes researchers are warning about a potential mass infection caused by the DMA Locker ransomware.

DMA Locker was first spotted early this year, but experts noticed it was still incomplete and unstable, in same cases the threat was crashing after completing the encryption of the victims’ files. At the time of its discovery, the researchers noticed that the threat didn’t employ automated distribution. It was mainly distributed via hacked Remote Desktops.

The first iteration of the DMA Locker ransomware was exposed to anti-malware analysis and experts discovered he called API functions via plain text. The presence of debug strings in the code also described the malware activities.

“This ransomware is distributed without any packing and no defense against analysis has been observed. ” reads a blog post published by MalwareBytes.

“Instead of a list of attacked extensions, this malware contains two blacklists. One for directories and another for file extensions”

DMA Locker blacklisted_path

Researchers at MalwareBytes have recently spotted the DMA Locker version 4.0 that has been improved in a significant way by the authors. The new variant implements a new distribution technique and improved the encryption process.

The threat actors are leveraging on the Neutrino exploit kit for distribution of the threats.

“New release has been found distributed via exploit kit (Neutrino). This change is another step towards maturity of the malware, showing that now this threat will be spreading on a bigger scale.” states the analysis published by MalwareBytes.

The DMA Locker appears with a PDF icon to trick victims into opening it, then it contacts the C&C servers to download the public RSA key and encrypts files, this means that the ransomware is able to work only con Internet connected machines.

“After being run, it moves itself to the same location like it’s previous editions – C:\ProgramData under the name svchosd.exe” continues the post. “In addition to the main sample, we can see two additional files: select.bat and cryptinfo.txt. cryptinfo.txt is a ransom note, analogical to those that we know from the previous editions – only the content changed. Now it is much shorter and contains a link to the individual website for the victim. Script select.bat is used to display this note just in case if the original executable has been removed”

DMA Locker gains persistency by adding registry keys for persistency (Windows Firewall for svchosd.exe and Windows Update for select.bat), once the victims’ files are encrypted the malware displays the following message:

DMA Locker 4

The DMA Locker 4.0 doesn’t rely on the Tor network to host the payment service, it uses an individual AES key for each encrypted file.

The experts have no doubts, the improvements discovered by the experts suggest that the product is preparing to be distributed on a massive scale.

If you appreciate my effort in spreading cyber security awareness, please vote for Security Affairs as best European Security Blog. Vote SecurityAffairs in every section it is reported. I’m one of the finalists and I want to demonstrate that the Security Affairs community a great reality.

https://www.surveymonkey.com/r/secbloggerwards2016

Thank you

Pierluigi

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – DMA Locker, ransomware)



you might also like

leave a comment