With the ransomware field thrown into disarray by the recent implosion of TeslaCrypt, the criminal developers behind DMA Locker are trying to make their malware even more potent with the roll out of version 4.0.
According to Malwarebytes researcher Hasherezade, the original versions were basically considered a joke in the industry because they were so poorly constructed and could be decrypted, but that has quickly changed with the latest iteration showing steady, if not dramatic, improvements. These include easier distribution and
“This threat is still evolving and catching up with the features known from other ransomware. So far it didn't show any novelty in the used techniques and we can rather expect a conventional attack from this side,” Hasherezade wrote, adding that the newest changes may indicate that the ransomware developers may be getting ready to unleash DMA Locker on a wide scale.
The two major changes include an updated distribution that now uses the Neutrino Exploit Kit. Previously, it had to be placed on a computer through a hijacked remote desktop session, but now that it is delivered via exploit kit many more people can be victimized.
The second important improvement is eliminating any human contact. Earlier versions had the victim contacting the criminal through email, but now a payment panel is included and the process is managed automatically, with the private key being released from the command and control server after the payment is made. Hasherezade noted one interesting difference between DMA Locker and other ransomware: the website hosting the ransom panel is not on Tor, but in a normal environment.
Another change focuses on the ransom note, which appears once the files are encrypted. It is basically the same as in earlier versions, demanding a single Bitcoin, but, following the trend in ransomware attacks, it offers an option to decrypt a test file, and there is now a link to a tutorial for those who have not been attacked before.