According to Malwarebytes’ researcher Hasherezade, we’re in for a lot of pain once the new and improved DMA Locker ransomware starts doing the rounds.
Its first two versions, which appeared in January and February 2016, were easily foiled due to poor encryption key management choices.
But, with version 4.0, its developers finally got things right: files are encrypted with AES-256 in ECB mode, the key is randomly generated for each file, each key is encrypted by RSA and stored in the file, and the RSA key pair is generated on the server (a distinct one for each client).
Other changes include:
- DMA Locker 4.0 can no longer encrypt files offline – it has to contact the C&C server and download the public RSA key to do it. It communicates with the server using a simple, HTTP-based protocol.
- A website for the victims with instructions on how to make the ransom payments is now provided and, curiously enough, it’s not on the Dark Web. In fact, the C&C server and this site share the same IP address.
- Victims are given the option to decrypt a test file (but the service is still not working properly).
- The new version is packed, and is delivered via exploit kits.
All in all, by copying the most popular features of other effective ransomware, DMA Locker finally starts to look like a serious contender.
“The recently observed changes suggest that the product is preparing to be distributed on a massive scale,” notes Hasherezade. Exploit kit-based distribution will see to that.
One thing that hasn’t changed is that encrypted files keep their original extensions, so victims may find it difficult to work out which ransomware they have been hit with and to look for a solution.
ID Ransomware can help with the former, but unfortunately there is currently no way to decrypt the files without paying the ransom and receiving the key.
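Because the extensions stay the same, a victim or responder cannot simply look for renamed files. The heuristic below is an added example (not from Malwarebytes or the article) that flags files whose bytes contradict their extension: a known header is gone, or a plain-text format suddenly has ciphertext-level entropy. The signature table, entropy threshold and sample files are constructed for illustration and say nothing about DMA Locker's actual on-disk layout.

```python
import math
import os
from collections import Counter

# Magic signatures for a few formats that in-place encryption would destroy
# while leaving the extension intact (partial list, constructed for this example).
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
}
# Plain-text formats whose normal entropy sits far below that of ciphertext.
TEXT_EXTS = {".txt", ".csv", ".log", ".xml", ".html", ".json"}

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: roughly 4-5 for English text, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(name: str, data: bytes, threshold: float = 7.5) -> bool:
    """Flag a file whose content contradicts what its (unchanged) extension promises."""
    ext = os.path.splitext(name)[1].lower()
    magic = MAGIC.get(ext)
    if magic is not None:
        return not data.startswith(magic)       # header overwritten: suspicious
    if ext in TEXT_EXTS:
        return shannon_entropy(data) > threshold  # text is never this dense
    return False                                  # unknown type: no opinion

def scan(files: dict) -> list:
    """Return the sorted names of files that fail the consistency check."""
    return sorted(n for n, d in files.items() if looks_encrypted(n, d))

# Constructed samples: two intact files and two whose bytes were replaced by
# high-entropy content while their names were left alone.
HIGH_ENTROPY = bytes(range(256)) * 16            # flat byte histogram, 8.0 bits/byte
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >>\nendobj\n",
    "notes.txt": b"Quarterly budget notes: travel, training, licences.\n" * 20,
    "invoice.pdf": HIGH_ENTROPY,
    "minutes.txt": HIGH_ENTROPY,
}

if __name__ == "__main__":
    for name in scan(SAMPLES):
        print(f"{name}: content inconsistent with extension, possible encryption")
```

Compressed formats (docx, jpg, zip) are already high-entropy, which is why the check relies on the header signature for them and on entropy only for plain-text types.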