DMA Locker is a new ransomware that was discovered last week by PhysicalDrive0 and analyzed by Malwarebytes malware analyst Hasherezade. This ransomware encrypts your data using AES encryption and then demands 4 bitcoins to receive your decryption key. Earlier versions were decryptable due to a flaw in the program, but newer versions have resolved this issue. DMA Locker includes some interesting features, including the encryption of unmapped network shares and the targeting of any file that does not reside in a white-listed folder or does not have a white-listed extension.
One feature of DMA Locker, which has not been mentioned yet, is that it also has the ability to enumerate and encrypt data on unmapped network shares. This is not a feature we see too often in current ransomware infections even though it is not a complex feature to add. It should be expected that this will become standard for ransomware in the future, so system administrators should make sure all network shares are running at the most reduced set of file permissions that work for their environment.
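The share-permission advice above can be turned into a quick audit. The following PowerShell script is an added example, not part of the original article; it assumes the SmbShare module (Windows 8 / Server 2012 and later) is available and an elevated prompt, and the list of "broad" principals in $BroadPrincipals is an assumption to adjust for your own domain.

```powershell
# Added example (not from the article): list SMB shares on this host whose share-level ACL
# grants Everyone, local Users, Authenticated Users or Domain Users more than Read access.
# A ransomware-infected client that can reach such a share can overwrite every file on it.
# $BroadPrincipals is an assumption; add the groups that mean "everyone" in your environment.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

$findings = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    # Administrative shares (C$, ADMIN$, IPC$) are skipped; review the shares users map or browse to.
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        $isBroad = ($BroadPrincipals -contains $ace.AccountName) -or ($ace.AccountName -like '*\Domain Users')
        if ($ace.AccessControlType -eq 'Allow' -and $isBroad -and $ace.AccessRight -ne 'Read') {
            [pscustomobject]@{
                Share       = $share.Name
                Path        = $share.Path
                Principal   = $ace.AccountName
                AccessRight = $ace.AccessRight   # Change or Full: writable by any infected client
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Share | Format-Table -AutoSize
} else {
    'No non-administrative shares grant Change or Full access to broad groups.'
}
```

Share-level permissions are only half of the picture: the effective right is the intersection of the share ACL and the NTFS ACL on the underlying folder, so a share that passes this check can still be writable through a permissive NTFS ACL. Run the script on each file server, or wrap it in Invoke-Command to cover several at once.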
Unlike most ransomware, when DMA Locker encrypts your data it does not target particular extensions to encrypt, but rather uses a white list of folders and extensions that it will not encrypt. Therefore, this ransomware will encrypt almost all non-system and non-executable related files that it finds on your system.
Folders and extensions that are white listed from being encrypted are:
Folders: \Windows\, \Program Files\, \Program Files (x86)\, Games, \Temp, \Sample Pictures, \Sample Music, \cache
Extensions: .exe, .msi, .dll, .pif, .scr, .sys, .msp, .com, .lnk, .hta, .cpl, .msc, .bat, .cmd
DMA Locker uses the AES encryption algorithm when encrypting your files, but will not add a custom extension to an encrypted file. Instead, DMA Locker will add an identifier into the header of every encrypted file so that DMA Locker can identify it as a file it encrypted. An example of an encrypted file with the highlighted identifier can be seen below.
Finally, when DMA Locker has finished encrypting your data, it will show you the lock screen where you can see instructions on how to pay the ransom and decrypt your files. This ransom information will also be saved in C:\ProgramData\cryptinfo.txt and shown every time you log in to the computer.
As DMA Locker uses a static bitcoin payment address of 1BA48s9Eeh77vwWiEgh5Vt29G3YJN1PRoR we are able to monitor how many ransom payments have been made. Unfortunately, at this time it appears that 5 victims have paid the ransom.
Other than normal antivirus protection, you can also use a trick discovered by Hasherezade that causes DMA Locker not to encrypt any files on your desktop. When DMA Locker encrypts your computer it will also create two files that indicate that the program finished the encryption process. This way when it starts again, it does not encrypt your data a second time.
To trick DMA Locker into thinking your computer is already encrypted, you can create the following two files in each of the locations below. The contents of these files do not matter; DMA Locker only checks that they exist before it decides whether to encrypt your data.
C:\ProgramData\decrypting.txt
C:\ProgramData\start.txt
C:\Documents and Settings\All Users\decrypting.txt
C:\Documents and Settings\All Users\start.txt
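The marker files above can be created in one step. This PowerShell script is an added example and not from the article or from Hasherezade's analysis; it uses exactly the four paths listed and assumes an elevated prompt, since ProgramData is not writable by standard users. It only writes where the parent folder exists, because on Windows Vista and later "C:\Documents and Settings\All Users" is a junction that points into ProgramData and both paths resolve to the same files.

```powershell
# Added example (not from the article): create the marker files DMA Locker checks for
# before encrypting, so that it believes this machine has already been processed.
# Paths are the four listed in the article. Run from an elevated prompt.
$MarkerFiles = @(
    'C:\ProgramData\decrypting.txt',
    'C:\ProgramData\start.txt',
    'C:\Documents and Settings\All Users\decrypting.txt',
    'C:\Documents and Settings\All Users\start.txt'
)

foreach ($path in $MarkerFiles) {
    $parent = Split-Path -Path $path -Parent
    if (-not (Test-Path -LiteralPath $parent)) {
        # Older path layout not present on this Windows version; nothing to do here.
        Write-Warning "Skipping $path : parent folder does not exist on this system"
        continue
    }
    if (Test-Path -LiteralPath $path) {
        # Also hit when the All Users junction resolves to a file already created under ProgramData.
        Write-Output "Already present: $path"
        continue
    }
    # Content is irrelevant to the check; a one-line note explains the file to whoever finds it later.
    Set-Content -LiteralPath $path -Value 'Placeholder created as a DMA Locker vaccination marker.' -ErrorAction Stop
    # Mark the file read-only so a routine cleanup does not quietly remove the marker.
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    Write-Output "Created: $path"
}
```

The script can be deployed through a logon script or Group Policy startup script to cover a fleet. Keep in mind that the trick relies on a check present in the samples analyzed so far; a later build can drop or change it, so it complements backups and antivirus rather than replacing them.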
If you are infected with earlier versions of DMA Locker, especially ones that contain the ID 41:55:16:13:51:76:67:99, it may be possible to decrypt them using a decrypter created by Fabian Wosar of Emsisoft. To see if your version is compatible with the decrypter, simply download decrypt_DMA Locker.exe from the following link and save it on your desktop:
Once you have downloaded the executable, double-click on it to launch the program. When the program starts, you will be presented with a UAC prompt as shown below. Click the Yes button to proceed.
You will then be presented with a license agreement, which you must accept by clicking Yes to continue. You will now see the main DMA Locker Decrypter screen.
To test the decryption against a few files in a particular folder, you can click on the Clear objects button and then add the folder you wish to test with. If the tool can decrypt the folder, simply clear objects again, add the drives you wish to decrypt, and then click on the Decrypt button. Once you click Decrypt, DMA Locker Decrypter will decrypt all the encrypted files and display the decryption status in a results screen like the one below.
Most of your files should now be decrypted. If you need any help using this tool, you can ask in the DMA Locker Ransomware Support Topic.
Files associated with DMA Locker:
C:\ProgramData\cryptinfo.txt
C:\ProgramData\date_1.txt
C:\ProgramData\decrypting.txt
C:\ProgramData\ntserver.exe
C:\ProgramData\start.txt
Registry entries associated with DMA Locker:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\cryptedinfo  notepad c:\ProgramData\cryptinfo.txt
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\cssys  C:\ProgramData\ntserver.exe
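The file and registry artifacts above are enough for a simple host check. The following PowerShell script is an added example, not part of the article; it uses only the paths and Run values listed above, runs read-only, and assumes Get-FileHash is available (PowerShell 4.0 and later).

```powershell
# Added example (not from the article): report which of the DMA Locker file and registry
# artifacts listed above are present on this host. Read-only: nothing is deleted or changed.
# decrypting.txt and start.txt also exist on a deliberately vaccinated machine, so treat
# ntserver.exe and the two Run entries as the stronger indicators.
$ArtifactFiles = @(
    'C:\ProgramData\cryptinfo.txt',
    'C:\ProgramData\date_1.txt',
    'C:\ProgramData\decrypting.txt',
    'C:\ProgramData\ntserver.exe',
    'C:\ProgramData\start.txt'
)
$RunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
# Run value name -> data, as listed in the article.
$RunValues = @{
    'cryptedinfo' = 'notepad c:\ProgramData\cryptinfo.txt'
    'cssys'       = 'C:\ProgramData\ntserver.exe'
}

$findings = @()

foreach ($path in $ArtifactFiles) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
    $item = Get-Item -LiteralPath $path
    $details = "size=$($item.Length) modified=$($item.LastWriteTime.ToString('u'))"
    if ($item.Extension -ieq '.exe') {
        # Hash the dropped binary so it can be matched against AV and threat-intel records.
        $details += " sha256=$((Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash)"
    }
    $findings += [pscustomobject]@{ Type = 'File'; Indicator = $path; Details = $details }
}

# Only the current user's hive is checked; on a shared machine repeat for each profile under HKU.
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
foreach ($name in $RunValues.Keys) {
    $data = if ($run) { $run.$name } else { $null }
    if ($null -eq $data) { continue }
    # Compare case-insensitively and ignore surrounding quotes that may or may not be present.
    $expected = $RunValues[$name]
    $match = if ($data.Trim('"') -ieq $expected) { 'exact match' } else { "name matches, data differs: $data" }
    $findings += [pscustomobject]@{ Type = 'Run value'; Indicator = "$RunKey\$name"; Details = $match }
}

if ($findings.Count -eq 0) {
    'No DMA Locker artifacts found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
    "$($findings.Count) indicator(s) present; isolate the host and review the network shares it can write to."
}
```

Because the Run entries live under HKCU, the persistence only fires for the user who ran the sample; when triaging a machine with several profiles, load or query the other users' hives as well. The SHA256 of ntserver.exe is worth recording even if antivirus already detects it, since it lets you search other hosts and your EDR telemetry for the same binary.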