Dual-Mode DMA Ransomware Got Cracked

The new DMA ransomware family, which appeared at the beginning of this year, got cracked.

Despite the fact that the creators of the ransomeware perfected their code and added English ransom notes for international users, the security specialists managed to break it successfully.

Now PC users can recognize the DMA ransomware infection by the presence of an intense red ransom note which asks them for 2 Bitcoin (around $800) to decrypt their files.

After the security researchers analyzed the DMA samples, they came to the conclusion that it was the work of a amateur. What is interesting about the ransomware is that despite advertising in their ransom note that they used an AES-256 key to encrypt files and then secured that key via an RSA-2048 cipher, DMA actually employs a custom crypto algorithm. Besides, the ransomware wasn’t protected against reverse engineering, which provided security researchers an easy access to its source code, as well as to all code comments.

Nevertheless, the main issues of DMA aren’t with any of the above-mentioned fails or the encryption algorithm, but with the way the encryption key is moved around between files.

The usual DMA infections occur when a PC user download and run a malicious file which he/she receives via spam email. Once the ransomware installs itself via these files, it creates a file called facturax.exe, which is later deleted after the ransomware encrypts all files.This file contains the encryption key, hard-coded in its binary, which users can obtain by re-downloading the malicious file they have received via the spam email.

The most peculiar thing here is that computer users can take any hex editor application and analyze the facturax.exe file and extract the encryption key that was used to lock their files, which is usually attached at the end of the file.

Another thing that PC users should pay attention here is that usually, ransomware only encrypts files, and if users want to decrypt them, they’ll have to pay the ransom they are asked for. After that, users will receive a separate application, called decrypter, which will unlock their files.

However, this is not the case with DMA ransomware. Apparently its creator thought it would be good to embed the decrypter right inside the ransom note, creating dual-mode ransomware which can encrypt and decrypt files from the same source code. This encryption key would normally be delivered to users via email after they paid the ransom, though in this case they can get the decrypter without even paying a penny.

In case the creators of the ransomware are somehow alerted on the presence of the encryption key at the end of the facturax.exe binary and they remove it, the security experts can crack the encryption algorithm, which will be revealed in the nearest future.
In any case, the creators of the DMA ransomware should either write over their code to make an efficient cyber-threat, or they should just abandon the whole DMA ransomware family instead.

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.