New improved DMA Locker in 4.0 version, preparing for attacks

Malwarebytes security researcher Hasherezade has found that the latest release of the DMA Locker ransomware has greatly improved its malicious machinery and is gearing up for a large distribution campaign.

The first version of DMA Locker appeared last January. Technically, the ransomware was almost comical: it contained glaring flaws, such as the decryption key being embedded in the ransomware's own code. In effect, the malware was its own decrypter.

So researchers had no trouble producing a decrypter and helping victims recover their files. The same happened with DMA Locker 2.0, which appeared about a month later, in early February. However, the criminals went on to develop versions 3 and 4, which currently cannot be decrypted.

Version 3.0, released in late February, was the first that analysts could not break, as it used a stronger encryption scheme.

As for DMA Locker 4.0, the new build brings many improvements, which move the malware from the moderate-risk class of ransomware to near the top.

The ransomware, which had always operated offline, now uses a C&C server. Instead of a single encryption key embedded in the ransomware itself, the new DMA Locker generates a unique AES key for each file; that per-file key is in turn encrypted with a public RSA key received from the C&C server.

So in order to decrypt the locked files, the victim also needs the other half of the RSA key pair, the RSA private key. This key does not exist on the victim's computer and never will. To obtain it, the victim has to contact the DMA Locker developers.
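The key-handling change described in the two paragraphs above is ordinary hybrid (envelope) encryption, and seeing it written out makes clear why versions 1 and 2 were recoverable while 4.0 is not: what stays on the victim's disk is only the RSA-wrapped per-file key, and unwrapping it needs the private half that never leaves the operator's side. The following Go program is an added illustration written for this article; it is not DMA Locker's code nor anything from the Malwarebytes analysis. The article only says "AES" and "RSA", so the concrete choices here (AES-256-GCM for the file body, RSA-2048 with OAEP/SHA-256 for key wrapping, and the struct layout) are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is the per-file artifact that remains on the victim host under the
// 4.0 design: the body under a one-off AES key, plus that key wrapped with the
// operator's RSA public key. Layout and cipher modes are assumptions for this example.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP ciphertext of the 32-byte AES key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM output (includes the authentication tag)
}

// Seal encrypts data with a fresh per-file AES-256 key and wraps that key with pub.
// Only the public key is needed here, which is why the private key never has to
// be present on the encrypting host.
func Seal(pub *rsa.PublicKey, data []byte) (*Envelope, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, data, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open recovers the plaintext. The first step, unwrapping the file key, is the
// one that requires the RSA private key; with the wrong key it fails outright.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap of per-file key failed: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Demo models the two parties: the key pair is generated on the operator side,
// only the public half reaches the host that runs Seal, and a party holding a
// different private key cannot recover the file key.
func Demo() (roundtripOK bool, wrongKeyRejected bool, err error) {
	operator, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	env, err := Seal(&operator.PublicKey, []byte("constructed sample document"))
	if err != nil {
		return false, false, err
	}
	pt, err := Open(operator, env)
	roundtripOK = err == nil && string(pt) == "constructed sample document"

	someoneElse, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return roundtripOK, false, err
	}
	_, err = Open(someoneElse, env)
	wrongKeyRejected = err != nil
	return roundtripOK, wrongKeyRejected, nil
}

func main() {
	ok, rejected, err := Demo()
	fmt.Println("roundtrip with operator key:", ok, "| wrong key rejected:", rejected, "| err:", err)
}
```

Contrast this with the version 1 design the article mocks: if the symmetric key is a constant inside the binary, the equivalent of `fileKey` can be read straight out of the sample and every file opened without any RSA step, which is exactly how analysts produced a decrypter.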

Earlier versions of the ransomware required victims to email the developer to obtain decryption keys. DMA Locker 4.0 is fully automated and comes with its own website where victims can pay the ransom, just like other ransomware families.

However, the website is not fully functional: Hasherezade reports that the decryption test did not return a decrypted file. In addition, the site is hosted on a public IP rather than on the Dark Web, leaving it exposed to takedowns and crawling.

The website is even hosted at the same IP address used by the C&C server, which is not especially clever on the scammer's part.

Written by Dimitris
