How to create a security patch against DMA Locker and prevent the latest variant of this ransomware
This ransomware first appeared in December 2015, and that first version had a flaw in its encryption that allowed files to be decrypted. The newer version now being detected cannot be decrypted at present (watch this space), though researchers have devised a patch that stops the encryption process from starting. This variant may be more of a problem than first thought: analysts have found it to be the first trojan-ransomware with code to extend file encryption to network shares in some circumstances. The early, decryptable version can be identified using the software in the above link, and work is being done to find the key for the latest version, but avoiding a DMA Locker infection is far easier than dealing with one afterwards.
How to prevent DMA Locker encrypting your files
The ransomware creates the following files as part of its execution. If it finds files of the same name already present at those paths, it aborts, so creating them in advance will stop DMA Locker if it gains entry to a system. Create the following files; their content is not important, only that they are present in the operating system.
- C:\ProgramData\decrypting.txt
- C:\ProgramData\start.txt
- C:\Documents and Settings\All Users\decrypting.txt
- C:\Documents and Settings\All Users\start.txt
This is a preventative measure only, and will not reverse any encryption already completed. Whilst this patch is effective protection against DMA Locker for a single, private machine, if a network needs to be patched then every node on it will need the same precaution implemented.
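As an added example (not code from the original article), the following PowerShell script creates the four marker files listed above and then verifies that each one is present. The paths are taken from the article; the function names, the marker text, and the read-only step are this example's own choices. On Windows Vista and later, `C:\Documents and Settings\All Users` is a junction to `C:\ProgramData`, so the third and fourth paths resolve to the same files as the first two; the script is idempotent, so this does no harm.

```powershell
# Added example: "vaccinate" a machine against DMA Locker by pre-creating the
# files it expects to create itself. Paths are from the article; everything
# else (function names, marker text, read-only flag) is an assumption of this
# example. Run from an elevated prompt, or deploy as a startup/login script.

$MarkerFiles = @(
    'C:\ProgramData\decrypting.txt',
    'C:\ProgramData\start.txt',
    'C:\Documents and Settings\All Users\decrypting.txt',
    'C:\Documents and Settings\All Users\start.txt'
)

function New-DmaLockerMarker {
    param([Parameter(Mandatory)][string]$Path)

    try {
        # Idempotent: an existing marker is left untouched, so re-running the
        # script from a scheduled task or GPO has no side effects.
        if (-not (Test-Path -LiteralPath $Path)) {
            New-Item -ItemType File -Path $Path -Force | Out-Null
            Set-Content -LiteralPath $Path -Value 'DMA Locker vaccine marker (content irrelevant)'
        }

        # Add the read-only attribute so a casual cleanup does not remove the
        # file. Malware with write access could still delete it; this is a
        # tripwire the ransomware trips over, not a wall.
        $item = Get-Item -LiteralPath $Path -Force
        $item.Attributes = $item.Attributes -bor [System.IO.FileAttributes]::ReadOnly
        return $true
    }
    catch {
        Write-Warning "Could not create marker '$Path': $($_.Exception.Message)"
        return $false
    }
}

function Test-DmaLockerMarkers {
    param([string[]]$Paths = $MarkerFiles)

    # Report one object per path so the result can be logged or exported.
    foreach ($p in $Paths) {
        [PSCustomObject]@{
            Path    = $p
            Present = (Test-Path -LiteralPath $p)
        }
    }
}

# Create every marker, then show which ones are in place.
foreach ($f in $MarkerFiles) { New-DmaLockerMarker -Path $f | Out-Null }
$report = Test-DmaLockerMarkers
$report | Format-Table -AutoSize

if ($report | Where-Object { -not $_.Present }) {
    Write-Warning 'One or more marker files are missing; check permissions and re-run elevated.'
    exit 1
}
```

On a network, the same script can be pushed to every workstation as a Group Policy startup script, and the `Test-DmaLockerMarkers` output collected centrally to confirm coverage; a machine where the markers are absent is one where this precaution is not in force.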
How to stop DMA Locker entering a system
Like DMA Locker, the subsequently released Locky ransomware also displays this network-share capability, and this points to a growing trend of attackers striving to target and compromise commercial networks for greater financial gain. Several businesses have been recorded as paying thousands of dollars to recover critical data (including at least one hospital). It must be remembered that this or any other malware must be permitted to enter a system by human error; all ingress is preventable. The above patch is a precaution in case of infection. Users can find further security advice on this site about how to avoid this ransomware and other malware. For commercial and network users, sufficient security is a more complex challenge.
As the primary infection vector is fake e-mail attachments, it is obvious to look at the related technology, process and practice, especially in a commercial setting where vulnerability grows exponentially with the size of a workforce. The risks of opening unfamiliar e-mails and their attachments can be explained to staff. If a client doesn't get a prompt reply to an important issue, they will likely try to communicate by phone. It is also possible to make a 'safe' contact list for a network and quarantine mail from any unfamiliar address for methodical scrutiny. With a little practice, mail content can be previewed by the user without opening it: viewing the message source will also reveal an attachment, however cunningly it is concealed in the mail. (DO NOT assume that Print Preview is a safe way to read suspect mail; some malware can execute in this mode.)
It should be anticipated that these attacks will become more prevalent and sophisticated, and will increasingly target commercial networks. For this reason, the latest technology must be employed to block DMA Locker and other infections, and workers must be instructed in the safest working practices. Processes must be tightened and continually monitored, and system administrators should ensure that a network runs with the minimum file permissions needed to function efficiently.