DMA Locker: One time joke, now next big ransomware threat

Exploit kits on board as devs fix crypto flaws and harden up cash-for-data code


A new complex and dangerous ransomware strain has been detected.

A Malwarebytes researcher known as "Hasherezade" says the "DMA Locker" ransomware is already being slung by the popular Neutrino exploit kit.

"The recently observed changes suggest that the product is preparing to be distributed on a massive scale," Hasherezade says.

"This change is another step towards maturity of the malware, showing that now this threat will be spreading on a bigger scale."

DMA Locker encrypts local drives and unmapped network shares, skipping some unspecified blacklisted paths, possibly to keep the system stable.

The tool was once restricted to hacked remote desktops, but has become a major player following important upgrades.

Some features of the ransomware are now automated, while distribution is now handled by off-the-shelf exploit kits.

Payment of ransoms is through a dedicated panel and does not require human interaction.

Hasherezade spotted version one of DMA Locker in January; both it and the second version, released a month later, could be subverted and all files decrypted.

A third version fixed the encryption flaws but reused one key across an entire campaign, so a paying victim could share the key they received and let other victims of that campaign decrypt for free.

The latest appears more water-tight. Keys are unique for each victim and not reused across files, and, unlike older versions, it requires online access to work.

Command-and-control keys are generated uniquely for each victim. ®
