DMA Locker is an excellent example of cybercrime's furious speed of innovation. Version 1 showed up in January 2016, and V2 a month later, but the implementation of the encryption algorithm was flaky at best. The antimalware research community easily developed a decryption tool for versions 1 and 2 of DMA Locker.
These earlier versions infected workstations through weak passwords or stolen Remote Desktop credentials. The new V4, however, encrypts victim machines via drive-by download attacks that rely on compromised web servers hosting exploit kits, which significantly expands the criminals' "addressable market".
Earlier DMA Locker versions did not use a Command & Control (C&C) server, so the RSA private key was stored locally on the infected computer and could be recovered by reverse engineering.
The major new V4 feature is that DMA Locker's encryption routine now relies on a C&C server, which generates a unique RSA public/private key pair for each infection. V4 first generates a unique Advanced Encryption Standard (AES) key for every file it encrypts.
Next, that AES key is encrypted with the RSA public key and prepended to the encrypted file. For the moment the C&C server is not hosted on Tor, so it's fairly easy to put that IP on a blacklist, but give it a month and the C&C server will be on Tor.
The above weapons-grade procedure is the same one used by market-leading ransomware like CryptoWall. To decrypt the ransomed files, the system admin needs the corresponding RSA private key, which the attackers hold until the ransom is paid.
DMA Locker reverses the modus operandi of conventional ransomware in how it picks the files to encrypt. Usually, ransomware has a list of file extensions that it will grab. DMA Locker instead has a list of extensions that it will not touch, and encrypts everything else. V4 will also encrypt files on any network share it can find, on mapped and unmapped drives alike.
By copying the most powerful features of other successful ransomware, DMA Locker has finally become a serious contender, so batten down the hatches. Here are 8 things you can do to protect your network against ransomware attacks.
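While the C&C server still sits on a plain IP address, the practical defensive move the text describes is to blacklist it and watch for hosts that try to reach it. The following is an added example, not code from the original post or from any DMA Locker analysis: a small Python scanner that runs a blocklist (single hosts and CIDR ranges) over proxy log lines and reports the internal clients that connected. The real C&C address is not given on the page, so the blocklist entries, the simplified Squid-style log format and the log lines are all constructed placeholders drawn from the RFC 5737 documentation ranges. As the article notes, this kind of IP match stops being useful once the C&C moves to Tor, so treat it as a short-lived indicator rather than a durable control.

```python
import ipaddress
import re

# Constructed blocklist. The DMA Locker V4 C&C IP is not published in the
# article, so these are placeholder entries (RFC 5737 ranges), not real IoCs.
CNC_BLOCKLIST = [
    "192.0.2.45",        # placeholder for a single C&C host
    "198.51.100.0/24",   # placeholder range for related hosting
]

# Constructed sample proxy log in a simplified Squid-style format:
# <epoch> <client-ip> <method> <url> <status>
SAMPLE_PROXY_LOG = """\
1464000001.123 10.0.0.12 GET http://example.com/index.html 200
1464000002.456 10.0.0.17 POST http://192.0.2.45/ 200
1464000003.789 10.0.0.17 GET http://198.51.100.77/ 200
1464000004.012 10.0.0.21 GET http://203.0.113.9/ 200
"""

_URL_HOST = re.compile(r"^[a-z]+://([^/:]+)")


def compile_blocklist(entries):
    """Turn blocklist strings into ip_network objects; a bare IP becomes a /32."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def host_from_url(url):
    """Extract the host part of a URL, or None if the URL has no scheme."""
    m = _URL_HOST.match(url)
    return m.group(1) if m else None


def is_blocked(host, nets):
    """True if host is a literal IP that falls inside any blocklisted network."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Hostname rather than a literal IP; DNS-based matching is out of scope here.
        return False
    return any(addr in n for n in nets)


def scan_proxy_log(text, entries):
    """Return (client, host, url) for every log line whose destination is blocklisted."""
    nets = compile_blocklist(entries)
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed or truncated lines
        _ts, client, _method, url, _status = parts[:5]
        host = host_from_url(url)
        if host and is_blocked(host, nets):
            hits.append((client, host, url))
    return hits


if __name__ == "__main__":
    for client, host, url in scan_proxy_log(SAMPLE_PROXY_LOG, CNC_BLOCKLIST):
        print(f"ALERT client={client} contacted blocklisted host {host} ({url})")
```

Running it against the constructed log flags only client 10.0.0.17, which reached both a blocklisted host and an address inside the blocklisted range; the unrelated destinations produce no alert. In practice the same check belongs in the proxy or firewall's own blocklist, with this kind of log scan used to find machines that already tried to call home before the block was in place.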
Ransomware Hostage Rescue Manual
Get the most complete Ransomware Manual packed with actionable info that you need to have to prevent infections, and what to do when you are hit with ransomware.