Flaws Fixed and Widespread Attacks Expected due to DMA Locker Ransomware

After the recent reports that TeslaCrypt has been decommissioned comes a new highly dangerous threat: DMA Locker ransomware.

Malwarebytes has recently revealed that DMA Locker ransomware, which is now in its 4th incarnation, could represent a major threat to companies and individuals over the coming weeks. Version 4 of the ransomware has already been incorporated into the Neutrino exploit kit and is currently being spread. Malwarebytes predicts that DMA Locker ransomware attacks will become the main attack vector witnessed.

DMA Locker ransomware was first seen impacting the public in January 2016, yet the file-encrypting malware posed little danger in its early incarnations, which included many flaws that allowed security companies to develop decryption tools.

The early guises of DMA Locker ransomware were capable of encrypting files offline and did not use a command and control server. When files were encrypted, the key to unlock the encryption was held on the device. This meant that the malware could be reverse engineered to crack the encryption.

A more recent version of the ransomware was released a month later, yet it used a weak random number generator, and it was a relatively easy task to calculate the AES key. A few weeks later, version 3 was released, in which the authors addressed the previous flaws.
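Why a weak random generator makes the key easy to calculate, as an added example that is not from the original article or from any analysis of DMA Locker itself: it assumes, purely for illustration, a key drawn from a clock-seeded non-cryptographic PRNG and uses a toy XOR stream in place of AES. The names `weak_keygen`, `stand_in_cipher` and `recover_key` are hypothetical, and all sample data is constructed.

```python
import hashlib
import random
import secrets

KEY_LEN = 32                      # AES-256 key size in bytes
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # known plaintext: every PNG file starts with this

def weak_keygen(seed: int) -> bytes:
    """Assumed flaw: key bytes from a non-cryptographic PRNG seeded with the clock."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(KEY_LEN))

def stand_in_cipher(key: bytes, data: bytes) -> bytes:
    """Toy XOR stream (SHA-256 in counter mode) standing in for AES; self-inverse."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def recover_key(ciphertext: bytes, known_prefix: bytes, mtime: int, window: int = 3600):
    """Test every clock value in the `window` seconds up to the file's mtime."""
    head = ciphertext[:len(known_prefix)]
    for seed in range(mtime, mtime - window - 1, -1):
        key = weak_keygen(seed)
        if stand_in_cipher(key, head) == known_prefix:
            return seed, key
    return None  # key did not come from the assumed generator

def demo():
    """Encrypt one constructed file with each kind of key, then attempt recovery."""
    keygen_time = 1_455_000_000   # constructed Unix timestamp
    mtime = keygen_time + 137     # file written 137 s after the key was generated
    plaintext = PNG_MAGIC + b"constructed sample image data"
    weak_ct = stand_in_cipher(weak_keygen(keygen_time), plaintext)
    strong_ct = stand_in_cipher(secrets.token_bytes(KEY_LEN), plaintext)
    weak_hit = recover_key(weak_ct, PNG_MAGIC, mtime)
    strong_hit = recover_key(strong_ct, PNG_MAGIC, mtime)
    recovered = stand_in_cipher(weak_hit[1], weak_ct) if weak_hit else None
    return weak_hit, strong_hit, recovered

if __name__ == "__main__":
    weak_hit, strong_hit, recovered = demo()
    print("clock-seeded key:", "recovered, seed %d" % weak_hit[0] if weak_hit else "not found")
    print("CSPRNG key:      ", "recovered" if strong_hit else "not found in 3601 guesses")
```

The search space here is a few thousand clock values rather than 2^256 keys; a key taken from the operating system's CSPRNG leaves no such window to search.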

However, version 3 of DMA Locker ransomware included another flaw. While it was not possible to decrypt locked files without a decryption key, the hackers used the same key for the whole campaign. If a business had a number of infections, only one key would need to be bought. That key could then be posted online and be deployed by other victims.

However, this month version 4 was made available. The most recent version corrects the issues with version 3 and uses a different key for each infection. The ransomware also contacts a command and control server and cannot work offline.

Infection with initial versions of the ransomware occurred through compromised remote desktop logins, or logins that were easily guessed. Due to this, the number of recorded infections stayed low. However, the most recent version has been added to exploit kits, which take advantage of flaws in browsers to make silent drive-by downloads of the ransomware possible. This makes attacks much more likely to happen.

The ransomware is potentially highly serious, encrypting a wide variety of file types. Many ransomware strains only encrypt specific file types. TeslaCrypt, for example, was created to target gamers, and encrypted saved game files and files associated with Steam accounts. DMA Locker does not search for specific files, and instead encrypts everything that is not in its whitelist of file extensions. It can also encrypt files on network drives, not just on the computer on which it has been installed.

To stop attacks, companies should use web filtering software to block users from visiting sites that host exploit kits and to stop command and control server communications. Regular backups should also be performed and files stored on air-gapped drives. If an attack takes place, files can then be restored without meeting the ransom demands.


Posted by

Elizabeth Hernandez

Elizabeth Hernandez is a news writer on Defensorum. Elizabeth is an experienced journalist who has worked on many publications for several years. Elizabeth writes about compliance and the related areas of IT security breaches. Elizabeth has a focus on data privacy and secure handling of personal information. Elizabeth has a postgraduate degree in journalism. Elizabeth Hernandez is the editor of HIPAAZone. https://twitter.com/ElizabethHzone