New improved DMA Locker in 4.0 version, preparing for attacks

Malwarebytes researcher Hasherezade discovered that the latest version of the DMA Locker ransomware has significantly improved its malicious routines and is preparing for a mass distribution campaign.

The first version of DMA Locker appeared last January. Technically, the ransomware was a joke, as it contained laughable flaws such as the decryption key being embedded in the ransomware code. The fact made the malware itself and .

So researchers had no trouble building a decrypter that helped victims recover infected files. The same thing happened with DMA Locker version 2.0, which appeared almost a month later, in early February. However, the scammers have since developed versions 3 and 4, which are currently considered undecryptable: files locked by them cannot be recovered without the attacker's key.

Version 3.0, released in late February, was the first that analysts could not break, as it used a better encryption scheme.

As for DMA Locker version 4.0, the new release has several improvements that move the malware from the moderate-risk ransomware category to near the top.

The ransomware, which had always operated offline, now uses a C&C server. Instead of a single encryption key embedded in the ransomware itself, the new DMA Locker generates a unique AES key for each file, and that per-file key is in turn encrypted with a public RSA key received from the C&C server.

So in order to decrypt all the locked files, the victim also needs the other half of the RSA key pair, the RSA private key. This key does not exist and will never exist on the victim's computer. To obtain it, the victim must contact the developers of DMA Locker.
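To make the key hierarchy concrete, the toy Python model below is an added educational example, not code from the DMA Locker sample or from the Malwarebytes analysis. It stands in textbook RSA with small constructed primes and an HMAC-SHA256 counter keystream for the real RSA/AES, and it shows what the two designs leave on the victim machine: in a v1-style scheme the symmetric key ships with the sample, so an analyst can recover files from the artifacts alone; in a v4-style scheme only the ciphertext, the RSA-wrapped per-file key and the public key are present, so recovery needs the private key that was never on the machine. All function names, prime values and sample data are assumptions of this example.

```python
"""Toy model of the per-file key wrapping described in the article.

Educational only: small-prime textbook RSA without padding and an HMAC-SHA256
keystream replace real RSA-2048/OAEP and AES. All values are constructed.
"""
import hashlib
import hmac
import os
from math import gcd

# --- toy RSA (assumed small sample primes; not usable for real security) -----
def toy_rsa_keypair(p=104729, q=1299709, e=65537):
    """Return ((n, e), (n, d)); the primes are constructed sample values."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)  # modular inverse (Python >= 3.8)
    return (n, e), (n, d)

def rsa_apply(key, m):
    """Raw RSA exponentiation: encrypt with (n, e), decrypt with (n, d)."""
    n, exp = key
    assert 0 <= m < n
    return pow(m, exp, n)

# --- toy symmetric cipher: HMAC-SHA256 keystream in counter mode -------------
KEY_LEN = 4  # 32-bit toy file key so it fits under the toy modulus; real: 256-bit AES

def keystream(key, length):
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# --- v1-style model: one symmetric key embedded in the sample ----------------
def encrypt_v1_style(plaintext, embedded_key):
    """The same key is used for every file and is present in the binary."""
    ciphertext = xor_bytes(plaintext, keystream(embedded_key, len(plaintext)))
    return {"ciphertext": ciphertext, "embedded_key": embedded_key}

# --- v4-style model: fresh key per file, wrapped with the RSA public key -----
def encrypt_v4_style(plaintext, rsa_public):
    """Only the RSA-wrapped per-file key is written next to the ciphertext."""
    file_key = os.urandom(KEY_LEN)
    ciphertext = xor_bytes(plaintext, keystream(file_key, len(plaintext)))
    wrapped_key = rsa_apply(rsa_public, int.from_bytes(file_key, "big"))
    return {"ciphertext": ciphertext, "wrapped_key": wrapped_key, "public_key": rsa_public}

def decrypt_v4_style(artifacts, rsa_private):
    """Unwrapping the file key requires the private half of the RSA key pair."""
    file_key = rsa_apply(rsa_private, artifacts["wrapped_key"]).to_bytes(KEY_LEN, "big")
    ct = artifacts["ciphertext"]
    return xor_bytes(ct, keystream(file_key, len(ct)))

# --- what an analyst can recover from the victim machine alone ---------------
def recover_from_victim_artifacts(artifacts):
    """v1-style artifacts carry the key, so recovery works; v4-style artifacts
    hold only ciphertext, a wrapped key and a public key, so return None."""
    if "embedded_key" in artifacts:
        ct = artifacts["ciphertext"]
        return xor_bytes(ct, keystream(artifacts["embedded_key"], len(ct)))
    return None  # the RSA private key never existed on this machine

if __name__ == "__main__":
    pub, priv = toy_rsa_keypair()
    sample = b"constructed sample document"   # constructed plaintext
    v1 = encrypt_v1_style(sample, b"\x01\x02\x03\x04")
    v4 = encrypt_v4_style(sample, pub)
    print("v1 recoverable from artifacts:", recover_from_victim_artifacts(v1) == sample)
    print("v4 recoverable from artifacts:", recover_from_victim_artifacts(v4) is not None)
    print("v4 recoverable with private key:", decrypt_v4_style(v4, priv) == sample)
```

The point of the model is the last three lines: the v1 flaw is that the artifacts on disk are self-sufficient, while in the v4 design the only missing piece, the private key, lives with the operator. It also makes clear why a public RSA key alone is no help to the victim: the wrapped key can be opened only with the matching private exponent.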

Earlier versions of the ransomware required victims to email the developer to obtain the decryption keys. DMA Locker 4.0 is fully automated and comes with its own website where victims can pay the ransom, just like other ransomware families.

However, the website is not fully functional, and Hasherezade reports that the test decryption did not return the decrypted file. Additionally, the site is hosted on a public IP rather than on the Dark Web, which also makes it prone to takedowns.

The website is even hosted on the same IP address used by the C&C server, which is not very clever on the scammer's part.

iGuRu.gr, The Best Technology Site in Greece


Written by Dimitris
