New improved DMA Locker in 4.0 version, preparing for attacks

Security researcher Hasherezade discovered that the latest version of the DMA Locker ransomware has significantly improved its malicious routines and is preparing for a mass distribution campaign.

The first version of DMA Locker appeared last January. Technically, the ransomware was a joke, as it contained glaring flaws such as the encryption key being embedded in the ransomware's own code. As a result, the malware doubled as its own decrypter.

So the researchers had no trouble: the decrypter was already in their hands, and it helped infected victims recover their files. The same was true of DMA Locker version 2.0, which appeared almost a month later in early February. Nevertheless, the crooks went on to develop versions 3 and 4, which are currently considered undecryptable, in other words impossible to break.

Version 3.0, released in late February, was the first that analysts could not break, as it used a better encryption scheme.

As for DMA Locker's 4.0 version, the new build brings many improvements, which now move the malware from the moderate-risk class of ransomware to near the top.

The ransomware, which until now always worked offline, now uses a command and control (C&C) server. Instead of a single encryption key embedded in the ransomware itself, the new DMA Locker generates a unique AES encryption key for each file and encrypts those keys with an RSA public key received from the C&C server.

So in order to decrypt all the locked files, the victim also needs the other half of the RSA key pair, the RSA private key. This key does not exist and will never exist on the victim's computer. To obtain it, the victim has to contact the developers of DMA Locker.

Older versions of the ransomware required victims to email the developer to obtain the decryption keys. DMA Locker 4.0 is fully automated and comes with its own website where victims can pay the ransom, just like other ransomware.

However, the website is not fully functional, and Hasherezade reports that the test decryption did not return the decrypted file. In addition, the website is hosted on a public IP address rather than on the Dark Web, making it prone to takedowns and crawling.

The website is even hosted on the same IP address used by the C&C server, which is not so clever on the part of the scammers.

iGuRu.gr - The Best Technology Site in Greece

Written by Dimitris
