DMA Locker Ransomware has been significantly improved

The authors of the DMA Locker ransomware have improved the threat in a significant way, and it is now ready for mass distribution.

Ransomware is one of the most worrying cyber threats in the wild, and its authors continue to improve their code, making it hard for victims to defend their systems.

Now researchers from Malwarebytes are warning about a potential mass infection caused by the DMA Locker ransomware.

DMA Locker was first spotted early this year, but experts noticed it was still incomplete and unstable; in some cases the threat crashed after completing the encryption of the victims’ files. At the time of its discovery, the researchers noticed that the threat didn’t employ any automated distribution: it was mainly delivered through hacked Remote Desktop servers.

The first iteration of DMA Locker was exposed to anti-malware analysis: experts found that it called API functions by name in plain text, and the debug strings left in the code also described the malware’s activities.

“This ransomware is distributed without any packing and no defense against analysis has been observed.” reads a blog post published by MalwareBytes.

“Instead of a list of attacked extensions, this malware contains two blacklists. One for directories and another for file extensions.”

[Image: DMA Locker blacklisted paths]

Researchers at MalwareBytes have recently spotted DMA Locker version 4.0, which the authors have improved in a significant way. The new variant adopts a new distribution technique and an improved encryption process.

The threat actors are leveraging the Neutrino exploit kit to distribute the threat.

“New release has been found distributed via exploit kit (Neutrino). This change is another step towards maturity of the malware, showing that now this threat will be spreading on a bigger scale.” states the analysis published by MalwareBytes.

DMA Locker appears with a PDF icon to trick victims into opening it; once run, it contacts the C&C server to download the public RSA key and then encrypts the files, which means the ransomware can only work on Internet-connected machines.

“After being run, it moves itself to the same location like its previous editions – C:\ProgramData under the name svchosd.exe” continues the post. “In addition to the main sample, we can see two additional files: select.bat and cryptinfo.txt. cryptinfo.txt is a ransom note, analogical to those that we know from the previous editions – only the content changed. Now it is much shorter and contains a link to the individual website for the victim. Script select.bat is used to display this note just in case if the original executable has been removed.”

DMA Locker gains persistence by adding registry keys with innocuous-looking names (Windows Firewall for svchosd.exe and Windows Update for select.bat). Once the victims’ files are encrypted, the malware displays the following message:

[Image: DMA Locker 4.0 ransom screen]

DMA Locker 4.0 doesn’t rely on the Tor network to host its payment service. On the encryption side, it uses an individual AES key for each encrypted file.
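The host artifacts named above (svchosd.exe, select.bat and cryptinfo.txt dropped in C:\ProgramData, plus autorun values named Windows Firewall and Windows Update) are straightforward to hunt for. The following is an added example, not code from Malwarebytes or Security Affairs: it runs the matching logic over a constructed autorun export and file listing, so the inventory format and the sample entries are assumptions, while the artifact names and paths come from the article.

```python
"""Hunt for the DMA Locker 4.0 host artifacts described in the article.

Added example (not the researchers' code). Input is assumed to be an
exported autorun inventory (value name + command line) and a list of
full paths from a file listing; the sample data below is constructed.
"""
import ntpath
from dataclasses import dataclass

# Artifacts named in the article.
DROP_DIR = r"C:\ProgramData"
DROPPED_FILES = {"svchosd.exe", "select.bat", "cryptinfo.txt"}
PERSISTENCE_NAMES = {"windows firewall", "windows update"}


@dataclass
class AutorunEntry:
    name: str      # registry value name
    command: str   # command line stored in the value


def _command_target(command: str) -> str:
    """Return the lowercase basename of the program a command line launches."""
    command = command.strip()
    if command.startswith('"'):
        target = command[1:].split('"', 1)[0]
    else:
        target = command.split(None, 1)[0] if command else ""
    return ntpath.basename(target).lower()


def suspicious_autoruns(entries):
    """Return (value name, reason) pairs for entries matching the indicators."""
    hits = []
    for entry in entries:
        target = _command_target(entry.command)
        path = entry.command.strip().lstrip('"').lower()
        in_drop_dir = path.startswith(DROP_DIR.lower() + "\\")
        if target in DROPPED_FILES:
            hits.append((entry.name, "launches a DMA Locker dropped file"))
        elif entry.name.strip().lower() in PERSISTENCE_NAMES and in_drop_dir:
            # Benign-sounding name, but Windows components do not autorun from ProgramData.
            hits.append((entry.name, "Windows-like value name pointing into ProgramData"))
    return hits


def dropped_files_present(file_listing):
    """Return the set of DMA Locker file names found directly under C:\\ProgramData."""
    found = set()
    for path in file_listing:
        if ntpath.dirname(path).lower() == DROP_DIR.lower():
            name = ntpath.basename(path).lower()
            if name in DROPPED_FILES:
                found.add(name)
    return found


# Constructed sample inventory: one legitimate entry, two malicious ones,
# and a vendor updater that reuses a "Windows" name but lives elsewhere.
SAMPLE_AUTORUNS = [
    AutorunEntry("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    AutorunEntry("Windows Firewall", r"C:\ProgramData\svchosd.exe"),
    AutorunEntry("Windows Update", r"C:\ProgramData\select.bat"),
    AutorunEntry("Windows Update", r'"C:\Program Files\Vendor\updater.exe" /quiet'),
]
SAMPLE_FILES = [
    r"C:\ProgramData\svchosd.exe",
    r"C:\ProgramData\cryptinfo.txt",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini",
]

if __name__ == "__main__":
    for name, reason in suspicious_autoruns(SAMPLE_AUTORUNS):
        print(f"autorun {name!r}: {reason}")
    print("dropped files:", sorted(dropped_files_present(SAMPLE_FILES)))
```

The two checks are deliberately separate: a match on the dropped file names is a strong indicator on its own, while a Windows-sounding autorun name that points into ProgramData is a weaker heuristic that catches renamed binaries and is worth reviewing rather than alerting on blindly.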

The experts have no doubts: the improvements they discovered suggest that the malware is being prepared for distribution on a massive scale.

If you appreciate my effort in spreading cyber security awareness, please vote for Security Affairs as best European Security Blog. Vote SecurityAffairs in every section it is reported. I’m one of the finalists and I want to demonstrate that the Security Affairs community is a great reality.

https://www.surveymonkey.com/r/secbloggerwards2016

Thank you

Pierluigi

Pierluigi Paganini

(Security Affairs – DMA Locker, ransomware)