Malwarebytes security researcher Hasherezade has found that the latest version of the DMA Locker ransomware has significantly improved its malicious tooling and appears to be gearing up for a large-scale distribution campaign.
The first version of DMA Locker appeared last January. Technically, the ransomware was laughable: it contained glaring flaws, such as the decryption key being embedded in the ransomware's own code, which meant the malware doubled as its own decrypter.
So researchers had no trouble recovering encrypted files, since they effectively had the decrypter in their hands. The same was true of DMA Locker 2.0, which appeared almost a month later, in early February. Since then, however, the operators have produced versions 3 and 4, which are currently considered undecryptable without the attackers' key.
Version 3.0, released in late February, was the first that analysts could not break, as it used a stronger encryption scheme.
As for DMA Locker 4.0, the new build includes many improvements, which move the malware from the moderate-risk class of ransomware to near the top.
The ransomware, which had always operated offline, now uses a command and control (C&C) server. Instead of a single encryption key embedded in the ransomware itself, the new DMA Locker generates a unique AES encryption key for each file and encrypts those per-file keys with an RSA public key obtained from the C&C server.
So to decrypt the locked files, the victim also needs the other half of the RSA key pair, the RSA private key. That key never exists on the victim's computer; the only way to obtain it is to deal with the DMA Locker operators.
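The key hierarchy described above is standard hybrid encryption: a random symmetric key per file, wrapped with a public key whose private half stays with the operator. The following Go program is an added illustration written for this article, not DMA Locker's code, and it does not touch the filesystem. It assumes AES-256-GCM for the file content and RSA-OAEP for key wrapping; the article only says "AES" and "RSA", so the mode and padding are assumptions. Sample file contents are constructed inline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile is what the scheme in the article leaves behind for one file:
// the ciphertext plus the per-file AES key wrapped with the operator's RSA
// public key. Nothing stored here can undo the AES step on its own.
type EncryptedFile struct {
	WrappedKey []byte // RSA-OAEP(pub, fileKey)   (OAEP is an assumption)
	Nonce      []byte // AES-GCM nonce            (GCM is an assumption)
	Ciphertext []byte // AES-GCM(fileKey, plaintext)
}

// SealFile generates a fresh random AES-256 key for this file, encrypts the
// content with it, and wraps that key with the RSA public key. Only the public
// key is needed, so the encrypting side never holds the private half.
func SealFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenFile is the recovery path: unwrap the per-file key with the RSA private
// key, then decrypt. Without priv there is no way to recover fileKey, which is
// the difference between v4 and the embedded key of v1/v2.
func OpenFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// Demo runs the scheme on constructed sample data and reports whether two
// files got distinct wrapped keys, whether the operator's private key recovers
// the content, and whether an unrelated key pair (a defender without the
// operator's key) fails.
func Demo() (distinctKeys, rightKeyWorks, wrongKeyFails bool, err error) {
	operator, err := rsa.GenerateKey(rand.Reader, 2048) // stays on the C&C side
	if err != nil {
		return
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048) // any other key pair
	if err != nil {
		return
	}
	// Constructed sample file contents.
	docs := [][]byte{[]byte("constructed sample: Q1 report"), []byte("constructed sample: payroll.xlsx")}
	var sealed []*EncryptedFile
	for _, d := range docs {
		ef, e := SealFile(&operator.PublicKey, d)
		if e != nil {
			err = e
			return
		}
		sealed = append(sealed, ef)
	}
	distinctKeys = !bytes.Equal(sealed[0].WrappedKey, sealed[1].WrappedKey)
	pt, e := OpenFile(operator, sealed[0])
	rightKeyWorks = e == nil && bytes.Equal(pt, docs[0])
	_, e = OpenFile(other, sealed[0])
	wrongKeyFails = e != nil
	return
}

func main() {
	a, b, c, err := Demo()
	fmt.Println("distinct per-file keys:", a, "| private key recovers:", b, "| wrong key fails:", c, "| err:", err)
}
```

The practical consequence for responders is the one the article draws: a memory or disk image of the infected host yields the public key and the wrapped per-file keys, neither of which helps; only a flaw in the implementation (a predictable RNG, a leaked private key, a reused nonce) would give a decrypter, and that is exactly what versions 1 and 2 had and versions 3 and 4 removed.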
Earlier versions of DMA Locker required victims to email the developer to obtain the decryption key. DMA Locker 4.0 is fully automated and comes with its own payment website where victims can pay the ransom, like other ransomware families.
However, the site is not fully functional: Hasherezade reports that its test-decryption feature did not return a decrypted file. In addition, the site is hosted on a public IP address rather than on the Dark Web, leaving it exposed to takedowns and crawling.
The site is even hosted on the same IP address that the C&C server uses, which is not very clever on the operator's part.