DMA Locker Ransomware Support and Help Topic


22 replies to this topic

#1 Grinler (Lawrence Abrams)
  • Admin
  • 42,865 posts
  • Gender:Male
  • Location:USA

Posted 08 February 2016 - 02:16 PM

This support topic is to receive help with the DMALocker Ransomware. The DMALocker ransomware encrypts your data using AES encryption and requires a ransom of 4 Bitcoins to get your decryption key. What is more concerning is that this ransomware also has the ability to encrypt data on open network shares even if they are not mapped to a drive letter.

More information about this ransomware can be found here:

http://www.bleepingcomputer.com/news/security/dma-locker-ransomware-targets-unmapped-network-shares/
https://blog.malwarebytes.org/intelligence/2016/02/draft-dma-locker-a-new-ransomware-but-no-reason-to-panic/


#2 craiggc
  • Members
  • 10 posts

Posted 10 February 2016 - 12:13 AM

Does anyone know how this is propagated ?



#3 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 47,803 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 10 February 2016 - 06:28 AM

Please read section :step2: in this topic, which explains the most common methods by which Crypto malware and other forms of ransomware are typically spread and delivered.

Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#4 craiggc
  • Members
  • 10 posts

Posted 10 February 2016 - 07:19 PM

Yeah thanks - I am aware of the methods used in malware spreading - I was actually looking for any info on this specific malware and its attack vector, which none of the articles I have read have mentioned.



#5 shemone
  • Members
  • 1 post

Posted 12 February 2016 - 05:30 AM

> Yeah thanks - I am aware of the methods used in malware spreading - I was actually looking for any info on this specific malware and its attack vector, which none of the articles I have read have mentioned.

This attack hit us via a compromised domain admin account; it came in via RDP. I've seen one other report of this as well.


Edited by shemone, 12 February 2016 - 05:30 AM.


#6 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 47,803 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 12 February 2016 - 07:22 AM

Not the first time we have seen attackers hacking servers to spread ransomware.
UmbreCrypt Ransomware manually installed via Terminal Services
LowLevel04 Ransomware installed by targeted Remote Desktop or Terminal Services Attacks

Kaspersky reported that brute force attacks against RDP servers were on the rise, so we can expect to see more of this.

#7 Fuzzalina
  • Members
  • 4 posts

Posted 06 March 2016 - 06:27 PM

I have a client who just got hit with this. They also got it because of a security leak via Net 2 Print, which installs an admin user, and they were able to log in. I believe they try a number of users like that with a bot and then come back later and log in, because the Net 2 Print account logged in about 2 weeks ago and this bleep didn't show up until yesterday.

Does anyone know how to decrypt the files? I tried the Decrypter here and it didn't work:

http://emsi.at/DecryptDMALocker



#8 Fuzzalina
  • Members
  • 4 posts

Posted 06 March 2016 - 06:30 PM

We have a backup. Unfortunately it's online and it's going to take 5 days to restore everything. Unbelievable. However, we're doing it. I moved all the encrypted data over to a separate directory in case we do get a way to decrypt it.



#9 cybercynic
  • Members
  • 508 posts
  • Gender:Male
  • Location:Edge Of Tomorrow

Posted 06 March 2016 - 06:56 PM

> We have a backup. Unfortunately it's online and it's going to take 5 days to restore everything. Unbelievable. However, we're doing it. I moved all the encrypted data over to a separate directory in case we do get a way to decrypt it.

Maybe contact Fabian Wosar at Emsisoft: fw@emsisoft.com. He will probably request copies of a few of the encrypted files.


We are drowning in information - and starving for wisdom.


#10 Fuzzalina
  • Members
  • 4 posts

Posted 06 March 2016 - 07:17 PM

How can I make sure the virus is gone? I am restoring, and some of the restore is fine and some is getting encrypted. I swore the virus was gone, and I removed everything in the registry and the program files.

I ran as many virus removal tools as would run on a server.



#11 Fuzzalina
  • Members
  • 4 posts

Posted 06 March 2016 - 07:18 PM

 

>> We have a backup. Unfortunately it's online and it's going to take 5 days to restore everything. Unbelievable. However, we're doing it. I moved all the encrypted data over to a separate directory in case we do get a way to decrypt it.
>
> Maybe contact Fabian Wosar at Emsisoft: fw@emsisoft.com. He will probably request copies of a few of the encrypted files.

Already did. Thank you. He says the decryption doesn't work on the newer versions.

But now I just want to make sure it's off the server completely.



#12 Demonslay335 (Ransomware Hunter)
  • Security Colleague
  • 2,662 posts
  • Gender:Male
  • Location:USA

Posted 06 March 2016 - 07:34 PM

> But now I just want to make sure it's off the server completely.

I would suggest starting a topic in the Virus, Trojan, Spyware, and Malware Removal Logs forum. Follow the instructions posted.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]


#13 Dave99uk
  • Members
  • 2 posts

Posted 16 April 2016 - 09:13 AM

I had a computer hit by DMALOCK3, a more advanced version of DMALOCK I guess? All the files have been prefixed by the word '!DMALOCK3.0'. I have been able to compare the pre-attack files with the attacked files and see that, apart from the '!DMALOCK3.0' prefix, the encryption seems to have been done in 16-byte chunks. Every instance of a given set of 16 bytes has resulted in identical encryption, for instance where we have a string of values of 255 across bytes 161 to 176, this results in an encrypted output of 172,218,206,128,120,163,43,26,24,43,250,73,135,202,19,71 across the equivalent 16 bytes (after allowing for the 11-byte offset created by the prefix), and is 100% consistent. Similarly where we have a string of values of 0 across bytes 1169 to 1184, this results in an encrypted output of 220,149,192,120,162,64,137,137,173,72,162,20,146,132,32,135 across the equivalent 16 bytes (again after allowing for the 11-byte offset created by the prefix).

I contacted a specialist company who asked me to send them a copy of a file called "cryptinfo.txt" which got left in the C:\programdata folder and contains a message including a Unique ID consisting of 8 blocks of 2-digit numbers separated by colons. As soon as they received this file, they claimed they can decrypt the entire set of data, which suggests that the information provided is sufficient for them to find the key and decrypt the data, but at a huge cost, way more than the value I put on the data! By my logic, if this is the case then surely anyone with sufficient knowledge could, with the information I have, do likewise?

Happy to send across samples of some of the 'before' and 'after' files to anyone interested.

The encryption is reportedly AES in ECB mode and the key is reportedly 32 bytes long.
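
An added example, not code from this thread or from anyone posting in it: a Python check for the block-repetition pattern described in the post above, the kind of "before/after" comparison that tells ECB apart from a chained mode. It stands in for AES with a hash-based per-block transform (so its output is not real DMALocker ciphertext), assumes the 11-byte '!DMALOCK3.0' prefix and 16-byte blocks, and the sample file, key and function names are constructed.

```python
import hashlib
from collections import Counter

PREFIX = b"!DMALOCK3.0"   # 11-byte marker the post reports on every encrypted file
BLOCK = 16                # AES block size in bytes

def blocks(data, size=BLOCK):   # consecutive chunks; a trailing partial chunk is kept
    return [data[i:i + size] for i in range(0, len(data), size)]

def toy_ecb(plaintext, key):
    """Constructed stand-in for AES-ECB (not AES): each block is transformed on its
    own, so equal plaintext blocks always give equal ciphertext blocks."""
    return b"".join(hashlib.sha256(key + b).digest()[:BLOCK] for b in blocks(plaintext))

def toy_chained(plaintext, key, iv):
    """Constructed stand-in for a chained (CBC-like) mode: each output block also
    depends on the previous one, so plaintext repetition does not show through."""
    out, prev = [], iv
    for b in blocks(plaintext):
        mixed = bytes(x ^ y for x, y in zip(b.ljust(BLOCK, b"\0"), prev))
        prev = hashlib.sha256(key + mixed).digest()[:BLOCK]
        out.append(prev)
    return b"".join(out)

def ecb_repetition_report(encrypted, prefix=PREFIX):
    """Strip the prefix and count exact 16-byte repeats. A chained or counter mode with
    a fresh IV essentially never repeats a block, so even one repeat points to ECB."""
    if not encrypted.startswith(prefix):
        raise ValueError("file does not carry the expected prefix")
    full = [b for b in blocks(encrypted[len(prefix):]) if len(b) == BLOCK]
    counts = Counter(full)
    repeated = sum(c for c in counts.values() if c > 1)
    return {"blocks": len(full), "distinct": len(counts),
            "repeated": repeated, "likely_ecb": repeated > 0}

def cipher_block_at(encrypted, plain_offset, prefix=PREFIX):
    """Ciphertext block covering a 1-based plaintext byte offset, after the 11-byte shift."""
    start = len(prefix) + (plain_offset - 1) // BLOCK * BLOCK
    return encrypted[start:start + BLOCK]

def sample_plaintext():
    """Constructed 2048-byte file: unique filler, an all-0xFF run at bytes 161-176 and an
    all-0x00 run at 1169-1184 (1-based, as in the post), plus a second 0xFF run at 1601-1616."""
    buf = bytearray(b"".join(hashlib.sha256(b"filler%d" % i).digest() for i in range(64)))
    buf[160:176], buf[1168:1184], buf[1600:1616] = b"\xff" * 16, b"\x00" * 16, b"\xff" * 16
    return bytes(buf)

def demo(key=b"constructed-placeholder-key-32by"):   # 32 bytes, matching the reported key length
    """Encrypt the sample both ways; returns (ecb_file, chained_file) with the prefix attached."""
    pt = sample_plaintext()
    return PREFIX + toy_ecb(pt, key), PREFIX + toy_chained(pt, key, b"\x01" * BLOCK)
```

Run against a real before/after pair, the report on the ECB-style file shows the two 0xFF runs landing on the same ciphertext block while the chained-mode file shows no repeats at all.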



#14 cybercynic
  • Members
  • 508 posts
  • Gender:Male
  • Location:Edge Of Tomorrow

Posted 16 April 2016 - 10:14 AM

> I had a computer hit by DMALOCK3, a more advanced version of DMALOCK I guess? All the files have been prefixed by the word '!DMALOCK3.0'. I have been able to compare the pre-attack files with the attacked files and see that, apart from the '!DMALOCK3.0' prefix, the encryption seems to have been done in 16-byte chunks. Every instance of a given set of 16 bytes has resulted in identical encryption, for instance where we have a string of values of 255 across bytes 161 to 176, this results in an encrypted output of 172,218,206,128,120,163,43,26,24,43,250,73,135,202,19,71 across the equivalent 16 bytes (after allowing for the 11-byte offset created by the prefix), and is 100% consistent. Similarly where we have a string of values of 0 across bytes 1169 to 1184, this results in an encrypted output of 220,149,192,120,162,64,137,137,173,72,162,20,146,132,32,135 across the equivalent 16 bytes (again after allowing for the 11-byte offset created by the prefix).
>
> I contacted a specialist company who asked me to send them a copy of a file called "cryptinfo.txt" which got left in the C:\programdata folder and contains a message including a Unique ID consisting of 8 blocks of 2-digit numbers separated by colons. As soon as they received this file, they claimed they can decrypt the entire set of data, which suggests that the information provided is sufficient for them to find the key and decrypt the data, but at a huge cost, way more than the value I put on the data! By my logic, if this is the case then surely anyone with sufficient knowledge could, with the information I have, do likewise?
>
> Happy to send across samples of some of the 'before' and 'after' files to anyone interested.
>
> The encryption is reportedly AES in ECB mode and the key is reportedly 32 bytes long.

From Demonslay in the topic you originally opened:

> Malicious samples and samples of before/after files can be submitted here: http://www.bleepingcomputer.com/submit-malware.php?channel=168


#15 TechGuru11
  • Members
  • 65 posts
  • Gender:Male

Posted 23 May 2016 - 07:38 PM

Was told to post this here: Our client has two variants. They ended up paying the DMA Locker ransom and we ran the decryptor, but now are noticing there was also the Ninja .777 variant around the same time. We attempted to run both decryption programs in different orders.

Files we're trying to decrypt: https://www.sendspace.com/file/5sqnsx

DMA Locker files: https://www.sendspace.com/file/owywtl

Hoping we can get some assistance with this. If someone can figure this out, we will gladly pay them for their time.





