After the recent news that TeslaCrypt has been decommissioned comes a new highly serious threat: DMA Locker ransomware.
Malwarebytes has recently reported that DMA Locker ransomware, which is now in its 4th incarnation – could pose a significant threat to businesses and individuals over the coming weeks. Version 4 of the ransomware has already been added to the Neutrino exploit kit and is currently being distributed. Malwarebytes expects DMA Locker ransomware attacks to become much more widespread.
Spate of DMA Locker Ransomware Attacks Expected
DMA Locker ransomware was first seen in the wild in January of this year, yet the malicious file-encrypting malware posed little threat in its early forms, containing numerous flaws that allowed security companies to develop decryption tools.
The early forms of DMA Locker ransomware were capable of encrypting files offline and did not used a command and control server. When files were encrypted, the key to unlock the encryption was stored on the device. This allowed the malware to be reverse engineered to crack the encryption.
A new version of the ransomware was released a month later, yet it used a weak random generator and it was a relatively easy task to guess the AES key. A couple of weeks later saw the release of version 3, which saw previous flaws corrected by the authors.
However, version 3 of DMA Locker ransomware contained another flaw. While it was not possible to decrypt locked files without a decryption key, the attackers used the same key for the entire campaign. If a business had multiple infections, only one key would need to be purchased. That key could then be posted online and be used by other victims.
However, this month version 4 was released. The latest version corrects the issues with version 3 and uses a separate key for each infection. The ransomware also communicates with a command and control server and cannot work offline.
Infection with early versions of the ransomware occurred via compromised remote desktop logins – or logins that were easily guessed. Consequently, the number of recorded infections remained low. However, the latest version has been added to exploit kits which take advantage of vulnerabilities in browsers making silent drive-by downloads of the ransomware possible. This makes attacks much more likely to occur.
The ransomware is potentially highly serious, encrypting a wide range of file types. Many ransomware strains only encrypt specific file types. TeslaCrypt for example was developed to attack gamers, and encrypted saved game files and files associates with Steam accounts. DMA Locker does not search for specific files, and instead encrypts everything that is not in its whitelist of file extensions. It is also capable of encrypting files on network drives, not just the computer on which it has been downloaded.
To prevent attacks, businesses should use web filtering software to block users visiting sites containing exploit kits and stop command and control server communications. Regular backups should also be performed and files stored on air-gapped drives. In case of attack, files can then be recovered without paying the ransom.
