Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I've been hit by DMALOCK3!


  • This topic is locked This topic is locked
4 replies to this topic

#1 Dave99uk

Dave99uk

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:28 AM

Posted 15 April 2016 - 08:18 AM

I have a machine hit by DMALOCK3, a more advanced version of DMALOCK I guess? All the files have been prefixed by the word '!DMALOCK3.0'. I have been able to compare the pre-attack files with the attacked files and see that, apart from the '!DMALOCK3.0' prefix, the encryption seems to have been done in 16-byte chunks. Every instance of a given set of 16 bytes has resulted in identical encryption, for instance where we have a string of values of 255 across bytes 161 to 176, this results in an encrypted output of 172,218,206,128......71 across the equivalent 16 bytes (after allowing for the 11-byte offset created by the prefix), and is 100% consistent. Similarly, every time we have a given set of values across a 16-byte block, the encrypted values are consistent.

I contacted a specialist company who asked me to send them a copy of a file called "cryptinfo.txt" which got left in the C:\programdata folder and contains a message including a Unique ID consisting of 8 blocks of 2-digit numbers separated by colons. As soon as they received this file, they claimed they can decrypt the entire set of data, which suggests that the information provided is sufficient for them to find the key and decrypt the data, but at a huge cost, way more than the value I put on the data! By my logic, if this is the case then surely anyone with sufficient knowledge could, with the information I have, do likewise?

Happy to send across samples of some of the 'before' and 'after' files to anyone interested.



BC AdBot (Login to Remove)

 


#2 Agouti

Agouti

  • Members
  • 1,548 posts
  • OFFLINE
  •  
  • Local time:09:28 PM

Posted 15 April 2016 - 08:26 AM

I contacted a specialist company who asked me to send them a copy of a file called "cryptinfo.txt" which...

What is the name and contact information of this "specialist company"?  How did you find out about them?



#3 cybercynic

cybercynic

  • Members
  • 557 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Edge Of Tomorrow
  • Local time:08:28 PM

Posted 15 April 2016 - 09:48 AM

I have a machine hit by DMALOCK3, a more advanced version of DMALOCK I guess? All the files have been prefixed by the word '!DMALOCK3.0'. I have been able to compare the pre-attack files with the attacked files and see that, apart from the '!DMALOCK3.0' prefix, the encryption seems to have been done in 16-byte chunks. Every instance of a given set of 16 bytes has resulted in identical encryption, for instance where we have a string of values of 255 across bytes 161 to 176, this results in an encrypted output of 172,218,206,128......71 across the equivalent 16 bytes (after allowing for the 11-byte offset created by the prefix), and is 100% consistent. Similarly, every time we have a given set of values across a 16-byte block, the encrypted values are consistent.

I contacted a specialist company who asked me to send them a copy of a file called "cryptinfo.txt" which got left in the C:\programdata folder and contains a message including a Unique ID consisting of 8 blocks of 2-digit numbers separated by colons. As soon as they received this file, they claimed they can decrypt the entire set of data, which suggests that the information provided is sufficient for them to find the key and decrypt the data, but at a huge cost, way more than the value I put on the data! By my logic, if this is the case then surely anyone with sufficient knowledge could, with the information I have, do likewise?

Happy to send across samples of some of the 'before' and 'after' files to anyone interested.

Upload a copy of the ransom note and an encrypted file to sendspace (or the equivalent) and include a link in your next post. The analysts at BC and elsewhere can then check it out.


Edited by cybercynic, 15 April 2016 - 09:52 AM.

We are drowning in information - and starving for wisdom.


#4 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,427 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:28 PM

Posted 15 April 2016 - 06:14 PM

Interesting that they state they can decrypt the data. According to Fabian, newer versions are not decryptable currently. I believe 3 is the latest version that was analysed, unless they made any changes.

 

Hasherzade at MalwareBytes wrote a good article on it that you might compare. If you see differences in the behaviour on your files, we would need a sample of the malware itself to assess.

 

https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-strikes-back/

 

Malicious samples and samples of before/after files can be submitted here: http://www.bleepingcomputer.com/submit-malware.php?channel=168


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,952 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:28 PM

Posted 15 April 2016 - 07:29 PM


There is an ongoing discussion in this topic with more information.Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in that support topic discussion. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion...this topic is closed.

Thanks
The BC Staff
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users