DMA Locker's encryption may be weak but its flaws are dangerous
A newly discovered ransomware known as DMA Locker could potentially cause some major headaches, but not necessarily in the way its creators intended.
According to a blog post published yesterday by security firm Malwarebytes, DMA Locker's encryption is actually quite easy to undo, but because its code is so shoddy, the malware sometimes crashes before the victim ever receives a ransom demand. Consequently, users may find their computers inoperable without ever knowing that the ransomware is the culprit.
A Malwarebytes analyst, who goes by the alias Hasherzade, told SCMagazine.com, “For sure being locked out without any information is more dangerous [than the encryption itself], because users have no hint where to start searching for help.”
The ransom message, which has been observed in English and Polish so far, is supposed to instruct victims to pay two Bitcoin to recover their files. Those who pay are given a 32-character decryption key to enter into a text field in order to render their files usable again.
First discovered in November 2015, DMA Locker remains a small-scope operation with only one known case in the wild. Nevertheless, it reflects a growing trend, said Hasherzade. “Since ransomware is becoming more and more popular, we've noticed that the quality of the code is decreasing. This leads us to believe that even novice cyber-criminals are trying their hand at developing their own ransomware,” he explained. “Considering the hype surrounding this attack method, some victims might fork over the ransom payment without the malware even having to be a real threat.”
Indeed, DMA Locker tries hard to convince recipients that their files are hopelessly lost unless they pay the ransom. According to Malwarebytes, the ransom note — when it actually materialises — reads: “All of files [sic] are locked with asymetric [sic] algorithm using AES-256 and then RSA-2048 cipher.”
In reality, DMA Locker does not use these advanced encryption schemes, and Malwarebytes analysts have already cracked it. According to the blog post, the encryption key is hard-coded into the malware's binary and plainly visible. The malware tries in vain to hide the key by writing a modified copy of itself without the key and then deleting the original. But a security analyst need only examine the malware-laced file originally opened by the victim in order to pull up the key.
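The recovery route described above, a key that survives in the file the victim opened but not in the malware's self-copy, can be illustrated by diffing the two files. This is an added example with constructed toy samples, not code from Malwarebytes or from the article; the 32-character printable key format is taken from the article's description of the decryption key, while the file layout and the `ORIGINAL_SAMPLE`/`COPY_SAMPLE` names are assumptions.

```python
import re

# Constructed toy "dropper" and "self-copy": NOT real DMA Locker samples.
# The key (32 printable chars, the length the article reports) sits
# between a header and a trailer that the copy keeps unchanged.
KEY = b"QmVhdGxlc0FyZVJlYWxseUdyZWF0MTIz"
HEADER = b"MZ\x90\x00" + bytes(range(256)) * 2
TRAILER = b".text\x00\x00\x00" + bytes(range(255, -1, -1))
ORIGINAL_SAMPLE = HEADER + KEY + TRAILER   # the file the victim opened
COPY_SAMPLE = HEADER + TRAILER             # the copy written without the key


def differing_region(original: bytes, copy: bytes) -> tuple[int, int]:
    """Return [start, end) of the bytes in `original` that the copy lacks
    or altered, found by stripping the common prefix and common suffix.
    Works whether the key was excised or overwritten in place."""
    n = min(len(original), len(copy))
    start = 0
    while start < n and original[start] == copy[start]:
        start += 1
    tail = 0
    while tail < n - start and original[-1 - tail] == copy[-1 - tail]:
        tail += 1
    return start, len(original) - tail


def candidate_keys(original: bytes, copy: bytes, key_len: int = 32) -> list[bytes]:
    """Printable runs of exactly key_len bytes inside the differing region."""
    start, end = differing_region(original, copy)
    if end <= start:
        return []  # copy is byte-identical: nothing was stripped
    region = original[start:end]
    return [run for run in re.findall(rb"[\x21-\x7e]+", region) if len(run) == key_len]


if __name__ == "__main__":
    for key in candidate_keys(ORIGINAL_SAMPLE, COPY_SAMPLE):
        print("candidate key:", key.decode("ascii"))
```

On real samples the same comparison would be run on the original dropper and the copy it leaves behind; any printable 32-byte run it isolates is a candidate to try in the decryption field, not a guaranteed key.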
“We are currently analysing the samples we have deeper, in addition to new variants of this malware,” said Hasherzade, who did note that DMA Locker is gradually improving in quality with each subsequent edition. He recommended that users infected with DMA Locker seek the help of an industry professional for further guidance.