Introducing DMA Locker – v4.0
The DMA Locker trojan-ransomware emerged in January (though an ineffective Polish-language version had been discovered before this, last December). The first two versions had flaws which made it possible to recover encrypted files without payment. The latest version, 4.0, is now starting to show up and is much improved. On the basis of its reformatting and improvements, researchers speculate that the authors are preparing to launch an extensive new campaign with the malware.
Earlier versions were distributed through channels such as remote desktops with weak security or vulnerabilities. The present wave of DMA Locker is using web-based attacks which employ the Neutrino exploit kit (EK) and target system or software vulnerabilities. These exploit attacks mean that a far greater distribution can be achieved (Israeli security firm Check Point has monitored the Nuclear EK infecting literally hundreds of thousands of visitors to compromised sites in similar exploits). The Neutrino EK also allows hackers to gather data about victims to help with more targeted attacks.
Another improvement is the malware’s use of the command and control (C2) server to generate a unique public and private key pair for each victim – this repairs a previous vulnerability.
Once the malware is inside the system, it writes itself to C:\ProgramData under the name of svchosd.exe where it places two further files: select.bat and cryptinfo.txt. Then it gets to work encrypting files – though first it must connect with the hacker’s server. If no connection is available, the ransomware will sleep until it can successfully communicate.
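The three file names above make a simple host sweep possible. The following is an added example, not code from the article or from any vendor tool: it checks the top level of a directory for those names, and its verdict scale (`likely`, `suspect`, `clean`) is an assumption of this example.

```python
"""Sweep a directory for the DMA Locker 4.0 artifacts named in the article."""
import os
import sys

# File names taken from the article; all are dropped directly in C:\ProgramData.
ARTIFACTS = ("svchosd.exe", "select.bat", "cryptinfo.txt")
DEFAULT_ROOT = r"C:\ProgramData"


def sweep(root=DEFAULT_ROOT):
    """Return (verdict, found) for the top level of `root`.

    Verdict scale is this example's own assumption, not from the article:
      'likely'   - the executable plus at least one companion file
      'suspect'  - any other combination of artifacts
      'clean'    - none present
    """
    try:
        entries = os.listdir(root)
    except OSError:
        return "unreadable", []
    # Windows file names are case-insensitive, so compare lower-cased names,
    # and only count regular files (a directory with the same name is ignored).
    present = {
        name.lower(): os.path.join(root, name)
        for name in entries
        if os.path.isfile(os.path.join(root, name))
    }
    found = [present[a] for a in ARTIFACTS if a in present]
    has_exe = ARTIFACTS[0] in present
    if has_exe and len(found) >= 2:
        verdict = "likely"
    elif found:
        verdict = "suspect"
    else:
        verdict = "clean"
    return verdict, found


if __name__ == "__main__":
    verdict, found = sweep(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_ROOT)
    print(verdict)
    for path in found:
        print("  " + path)
    sys.exit(0 if verdict == "clean" else 1)
```

The non-zero exit code on any hit lets the script be run from an endpoint management job; a hit on `svchosd.exe` alone is still worth triage because the name imitates the legitimate `svchost.exe`.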
The ransomware uses a private RSA key unique to each victim. This is stored on the server. In the past, the same key was used for campaigns so that once released, all files could be decrypted using that same key. This flaw has now been resolved. One piece of positive news is that at the moment, DMA Locker is not hosted from the Tor network so it should prove to be more straightforward to use security tools to block it.
This malware is generic in many ways and behaves much like other variants. It does differ in that instead of having a list of files to target, it has a list NOT to target, so it ends up encrypting more files than some other ransomware. It also infects any network shares, whether mapped to a drive or not.
Experts are of the common opinion that with the increased persistence of this version, the hardened encryption method and maximized distribution, there is definitely a DMA Locker campaign launching soon.