DMA Locker is a ransomware that appeared at the beginning of 2016.
When deployed, the ransomware moves itself into C:\ProgramData (or C:\Documents and Settings\All Users\Dokumenty\), renames itself to fakturax.exe and drops another, modified copy: ntserver.exe. The file faktura.exe is removed after execution. Depending on its version, it may also drop some other files in the same location.
The symptoms of this ransomware can be recognized by a red window popping up on the screen. The window shows the following message:
All your personal files are LOCKED!
What’s happened?
*All your important files (including hard disks, networks disks, flash, USB) are encrypted.
*All of files are locked with asymmetric algorithm using AES-256 and then RSA-2048 cipher.
*You are not possible to unlock your files because all your backups are removed.
*Only way to unlock your files is to pay us 536 GBP in Bitcoin currency (2.0 BTC). After payment we will send you decryption key automatically, which allow you to unblock files.
If files unlocking procedure is already working, you can easily torn off your computer and continue files unlocking after nest startup. To continue healing your files, copy and paste the same decryption key to the “decryption key” field and press “Decrypt” button. The files recovering will be continued.
An earlier version comes with a slightly different GUI.
In contrast to other ransomware that offers a separate decrypter, DMA Locker comes with a built-in decrypting feature. It is available from the GUI that shows the ransom note. If the user enters a key (32 characters long) in the text field and clicks the button, the program switches to decryption mode (using the supplied key).
The program is not very stable and may crash during encryption. An older version has been observed to sometimes crash after finishing encryption – but before displaying any info about what happened, which may be very confusing for the victim.
DMA Locker does not change file extensions. So, in such a case the only visible symptom will be that the attacked person cannot open some of his/her files.
Newer versions also add keys to the autorun. One is to deploy a dropped copy of the program, and the other to display a ransom note in TXT format (via notepad). However, the copy of the program (DMALOCK 41:55:16:13:51:76:67:99ntserver.exe) – is not always dropped successfully and then only the TXT note may be displayed.
DMA Locker 2.0
DMA Locker 2.0 was discovered on February 8th, 2016. It comes with several improvements and an RSA key. It shows the same red window, except that it now has the locker image. The key necessary to decrypt files must now be supplied not as text, but as an RSA key file. The author also added key validation. As before, it drops files in C:\ProgramData\ (or C:\Documents and Settings\All Users\). Now, the dropped copy is named svchosd.exe.
It creates registry keys to autorun the file and to display the ransom note via notepad at system startup. Encrypted files again have unchanged extensions; they can only be recognized by an 8-byte prefix at the beginning of the content. In the previous edition it was “ABCXYZ11”, in the current one it is “!DMALOCK”.
DMA Locker 3.0
DMA Locker 3.0 was discovered on February 22nd, 2016. Once installed, this virus encrypts all files on the computer and demands a ransom. DMALocker3 is complex enough to generate an individual encryption key for every single file, and, unlike the previous version, it uses the RSA encryption algorithm along with AES. What is interesting about this ransomware is that it doesn't add particular file extensions to filenames. Instead, it edits the header of every encrypted file and adds the !DMALOCK3.0 prefix at the beginning of the content. This ransomware scans the whole computer system, detects music files, videos, images, documents, and various other file types, and encrypts them. Afterward, it creates and saves a ransom note called cryptinfo.txt.
Once it finishes encrypting data, it displays a pop-up message on the computer screen, starting with the header “All your personal files are LOCKED!” The message includes information about the encryption and instructions on how to decrypt files locked by DMA Locker 3.0. This virus instructs the victim to transfer 4 Bitcoins to a particular Bitcoin address provided.
DMA Locker 4.0
DMA Locker 4.0 is the only version that cannot encrypt files offline. It needs to download the public RSA key from its C&C. That’s why, if the file has been opened on a computer without an internet connection, it will just install itself and wait. If the machine is connected, it runs silently until it finishes encrypting the files.
This time DMA Locker comes with a deception layer added: the packed sample has an icon pretending to be a PDF document. After being run, it moves itself to the same location as its previous editions, C:\ProgramData, under the name svchosd.exe.
In addition to the main sample, we can see two additional files: select.bat and cryptinfo.txt. cryptinfo.txt is a ransom note, analogous to those that we know from the previous editions; only the content changed. Now it is much shorter and contains a link to the individual website for the victim.
The script select.bat is used to display this note in case the original executable has been removed. It also adds registry keys for persistence. This time the main sample, svchosd.exe, is saved under the name Windows Firewall and the script select.bat under Windows Update.
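The following triage check is an added example, not code from the original article or from the malware. It flags autorun entries that point at the file names and drop directories listed above; the input format (pairs of value name and command, exported from whatever autorun locations you collect) and the sample entries are assumptions constructed for illustration.

```python
# File names and drop directories named in the article (compared lowercase).
DROP_DIRS = (r"c:\programdata", r"c:\documents and settings\all users")
DROPPED = {"fakturax.exe", "ntserver.exe", "svchosd.exe",
           "select.bat", "cryptinfo.txt"}
# Autorun value names the 4.0 description says the entries are saved under.
COVER_NAMES = {"windows firewall", "windows update"}


def check_autoruns(entries):
    """entries: iterable of (value_name, command). Returns a list of findings."""
    findings = []
    for value_name, command in entries:
        cmd = command.lower().replace('"', "")
        in_drop_dir = any(d + "\\" in cmd for d in DROP_DIRS)
        # Require a path separator before the name so that the genuine
        # svchost.exe or an unrelated "myselect.bat" does not match.
        files = sorted(n for n in DROPPED if "\\" + n in cmd)
        if not (in_drop_dir and files):
            continue
        findings.append({
            "value": value_name,
            "files": files,
            "cover_name": value_name.lower() in COVER_NAMES,
            "shows_note": "cryptinfo.txt" in files,
        })
    return findings


# Constructed autorun entries for illustration (not taken from a real host).
SAMPLE = [
    ("Windows Firewall", r'"C:\ProgramData\svchosd.exe"'),
    ("Windows Update", r"C:\ProgramData\select.bat"),
    ("cryptinfo", r"notepad C:\ProgramData\cryptinfo.txt"),
    ("Windows Update", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ("VendorTool", r"C:\ProgramData\Vendor\tool.exe"),
]

if __name__ == "__main__":
    for finding in check_autoruns(SAMPLE):
        print(finding)
```

An entry is reported only when both the directory and the file name match, so a benign value that merely reuses the name Windows Update is left alone.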
After it finishes the encryption process, a red window, similar to the one known from the previous editions, pops up. In addition to the incremented version number, visible in the corner, we can see some slight usability improvements. Extensions of the encrypted files are unchanged. The prefix is now “!DMALOCK4.0”.
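Because no version changes file extensions, affected files have to be found by content. The scanner below is an added example, not code from the original article: it reads the first bytes of each file and reports which of the prefixes quoted above it carries. The "pre-2.0" label for “ABCXYZ11” and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Content prefixes named in the article. Longest first, so "!DMALOCK3.0"
# is not misreported as the shorter 2.0 marker "!DMALOCK".
MARKERS = [(b"!DMALOCK4.0", "4.0"), (b"!DMALOCK3.0", "3.0"),
           (b"!DMALOCK", "2.0"), (b"ABCXYZ11", "pre-2.0")]
HEAD_LEN = max(len(m) for m, _ in MARKERS)


def classify_header(head):
    """Return the DMA Locker version implied by the first bytes, or None."""
    for marker, version in MARKERS:
        if head.startswith(marker):
            return version
    return None


def scan_tree(root):
    """Map path -> version for every file under root that carries a marker."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(HEAD_LEN)
            except OSError:
                continue  # unreadable or locked file: skip it, keep scanning
            version = classify_header(head)
            if version:
                hits[path] = version
    return hits


def demo():
    """Scan constructed sample files (marker + filler, not real samples)."""
    samples = {
        "report.docx": b"!DMALOCK4.0" + bytes(32),
        "photo.jpg": b"!DMALOCK" + b"\x8f\x02" + bytes(30),
        "old.xls": b"ABCXYZ11" + bytes(32),
        "clean.txt": b"plain text, untouched",
        "tiny.bin": b"!DMA",  # shorter than any marker
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return {os.path.basename(p): v for p, v in scan_tree(root).items()}

if __name__ == "__main__":
    print(demo())
```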