Threat Management, Incident Response, Malware, TDR

Ransomware DMA Locker’s encryption may be weak, but its flaws are dangerous

A newly discovered ransomware known as DMA Locker could potentially cause some major headaches, but not necessarily in the way its creators intended.

According to cyberthreat security firm Malwarebytes in a blog post published yesterday, it is actually quite easy to undo DMA Locker's encryption, but because its coding is so shoddy, the malware sometimes crashes before the victim ever receives a ransom demand. Consequently, users may find their computers inoperable without ever knowing that the ransomware is the culprit.

The Malwarebytes analyst who authored the report, who goes by the alias Hasherzade, told, “For sure being locked out without any information is more dangerous [than the encryption itself], because users have no hint where to start searching for help.”

The ransom message, which has been observed in English and Polish so far, is supposed to instruct victims to pay 2 Bitcoin (the equivalent of $370 U.S.) to recover their files. Those who pay are given a 32-character decryption key to enter into a text field in order to render their files usable again.

First discovered in November 2015, DMA Locker remains a small-scope operation with only one known case in the wild. Nevertheless, it reflects a growing trend, said Hasherzade. “Since ransomware is becoming more and more popular, we've noticed that the quality of the code is decreasing. This leads us to believe that even novice cybercriminals are trying their hand at developing their own ransomware," he explained. "Considering the hype surrounding this attack method, some victims might fork over the ransom payment without the malware even having to be a real threat.”

Indeed, DMA Locker tries very hard to convince recipients into believing their files are hopelessly lost without paying the ransom. According to Malwarebytes, the ransom note—when it actually materializes — reads: “All of files [sic] are locked with asymetric [sic] algorithm using AES-256 and then RSA-2048 cipher.”

In reality, DMA Locker does not use these advanced encryption specifications, and Malwarebytes analysts have already cracked the code. According to the blog post, the encryption key is hard-coded into the malware's binary, and plainly visible to see. The malware tries in vain to hide the key by making a modified copy of itself without the key and then deleting the original. But a security analyst need only examine the malware-laced file originally opened by the victim in order to pull up the key.

“We are currently analyzing the samples we have deeper, in addition to new variants of this malware,” said Hasherzade, who did note that DMA Locker is gradually improving in quality with each subsequent edition. He recommended that users infected with DMA Locker seek the help of an industry professional for further guidance.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.