DMA Locker

DMA Locker targets Windows OS and one known method of distribution is through Remote Desktop. Once an infection occurs and the executable is launched, DMA Locker terminates any applications used for backing up data and adds registry keys to maintain persistence. It then whitelists all system and executable files and proceeds to encrypt all other files located on local drives, mapped network shares, and even unmapped network shares. Unlike other variants, DMA Locker does not add a custom extension to encrypted files but, instead, adds an identifier into the file headers. In earlier versions of DMA Locker, one AES key was used for all encrypted files but the most recent version generates a new random key for each file. DMA Locker demands a ransom of 4 Bitcoin (approximately $1700 USD at the time of this publication). The latest version, DMA Locker 4.0, is distributed via the Neutrino exploit kit and is unable to encrypt files while offline as it needs to make contact with its C2 server in order to download the public RSA key for encryption. If the target computer is not connected to the Internet at the time of infection, this ransomware will install itself and wait until the system establishes an Internet connection before encrypting data. Every file is then encrypted with a different key.

UPDATE (10/26/16): A new version of DMA Locker appends .XPTLOCK5.0 to encrypted files.
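The profile above gives defenders three file-level indicators to hunt for: the .XPTLOCK5.0 extension from the newer build, an identifier written into the headers of files encrypted by earlier builds, and the fact that every encrypted file holds random-looking ciphertext. The following Python triage script is an added example, not code from the page or from any vendor named on it. It walks a directory and flags files on any of those three signals. The header marker bytes are not given on the page, so `HEADER_MARKER_PLACEHOLDER` is a labelled placeholder to be replaced with the value taken from a lab sample; the entropy threshold and minimum size are assumed heuristics, and the sample tree is constructed inline so the script runs offline.

```python
import math
import tempfile
from pathlib import Path
from random import Random

# Extension reported in the 10/26/16 update for the newer DMA Locker build.
XPTLOCK_EXT = ".xptlock5.0"
# Placeholder: the page says earlier builds write an identifier into the file
# header but does not give its bytes. Replace with the marker from a lab sample.
HEADER_MARKER_PLACEHOLDER = b"<DMA-HEADER-ID-PLACEHOLDER>"
# Assumed heuristic: a file whose first bytes are near 8 bits/byte of entropy
# looks like ciphertext. Very small files are skipped to avoid false positives.
ENTROPY_THRESHOLD = 7.5
MIN_SIZE_FOR_ENTROPY = 256
HEAD_BYTES = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; 8.0 is the maximum for byte data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_file(path: Path, marker: bytes = HEADER_MARKER_PLACEHOLDER) -> list[str]:
    """Return the list of indicators that fire for one file (empty if none)."""
    reasons = []
    if path.name.lower().endswith(XPTLOCK_EXT):
        reasons.append("xptlock_extension")
    with open(path, "rb") as fh:
        head = fh.read(HEAD_BYTES)
    if marker and head.startswith(marker):
        reasons.append("header_marker")
    if len(head) >= MIN_SIZE_FOR_ENTROPY and shannon_entropy(head) >= ENTROPY_THRESHOLD:
        reasons.append("high_entropy")
    return reasons


def triage(root: Path, marker: bytes = HEADER_MARKER_PLACEHOLDER) -> dict[str, list[str]]:
    """Map each suspicious file (relative path) to the indicators it triggered."""
    findings = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            reasons = classify_file(p, marker)
            if reasons:
                findings[str(p.relative_to(root))] = reasons
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: one clean file and three that mimic the indicators."""
    rng = Random(1)  # fixed seed keeps the demo deterministic
    # Ordinary text: low entropy, no marker, normal extension -> should not fire.
    (root / "notes.txt").write_bytes(b"quarterly report draft\n" * 40)
    # Newer build behaviour: original name kept, .XPTLOCK5.0 appended, random body.
    (root / "budget.xlsx.XPTLOCK5.0").write_bytes(rng.randbytes(2048))
    # Earlier build behaviour: no rename, identifier prepended to ciphertext.
    (root / "photo.jpg").write_bytes(HEADER_MARKER_PLACEHOLDER + rng.randbytes(2048))
    # Small random file: below MIN_SIZE_FOR_ENTROPY, so the entropy rule stays quiet.
    (root / "tiny.bin").write_bytes(rng.randbytes(64))


def run_demo() -> dict[str, list[str]]:
    """Build the sample tree in a temp dir, triage it and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    for rel, why in run_demo().items():
        print(f"{rel}: {', '.join(why)}")
```

Point `triage()` at a mapped share or a user profile during incident scoping; the extension and marker checks are exact, while the entropy check is only a heuristic and will also flag legitimately compressed or encrypted content such as archives and existing encrypted containers, so treat it as a lead rather than a verdict.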

  • Bleeping Computer provides more information about DMA Locker here.
  • MalwareBytes provides additional information about DMA Locker here and here.
  • MalwareBytes provides additional information about DMA Locker 4.0 here.
  • Earlier versions of DMA Locker can be decrypted by using this tool. However, the NJCCIC is not aware of any decryption tool available for the latest version of DMA Locker.
 
One example of the DMA Locker variant. Image Source: Trend Micro
