DMA Locker 4.0, yet another ransomware (June 2nd, 2016)


The Dell SonicWALL Threats Research team has observed yet another ransomware in the wild, DMA Locker. Ransomware remains a very lucrative business for its operators: unless a backup is available, the only way to recover the encrypted files is to pay the ransom. With this ransomware the operators' success can be measured directly, by observing the bitcoin transactions associated with the address shown in the ransom note:

Infection Cycle:

The Trojan's executable carries a PDF document icon so that it passes as a harmless file:

The Trojan drops the following files to the filesystem:

  • %ALLUSERSPROFILE%\cryptinfo.txt (encrypted file)
  • %ALLUSERSPROFILE%\select.bat (encrypted file)
  • %ALLUSERSPROFILE%\svchosd.exe [Detected as GAV: DMALocker.D (Trojan)]
  • %USERPROFILE%\Start Menu\Programs\Startup\x.vbs (encrypted file)

The Trojan adds the following values under the Run key so that it survives a reboot; the value names imitate legitimate Windows components:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run  "Windows Firewall" = "%ALLUSERSPROFILE%\svchosd.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run  "Windows Update" = "%ALLUSERSPROFILE%\select.bat"

The Trojan can be seen running in the process list:

The Trojan uses four “action” commands when communicating with its C&C server:

  • “action=0” : request for unique ID
  • “action=1” : request for RSA Public Key
  • “action=2” : status information from C&C
  • “action=3” : ransom data

The Trojan obtains a unique bot ID from a remote C&C server (“action=0”):

It then uses this bot ID to request an RSA public key from the server (“action=1”):

The bot ID and the RSA public key are stored as values under HKEY_CURRENT_USER\Software:

  • HKEY_CURRENT_USER\Software  "dma_id" = "111E7723E0A34AD3815C0D8A85327F54"
  • HKEY_CURRENT_USER\Software  "dma_public_key" = hex:2d,2d,2d,2d,2d,42,45,47,49,4e,20,50,55,42,4c,49,43…. (the bytes decode to the ASCII text “-----BEGIN PUBLIC…”, i.e. the key is stored in PEM form)
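To turn the dropped-file list and the registry artifacts above (the two Run values and the dma_id / dma_public_key values) into something an incident responder can run, here is an added Python example; it is not SonicWall's code. It parses a `reg export` of HKEY_CURRENT_USER\Software, flags the DMA Locker indicators, decodes the hex public-key value to confirm it is a PEM header, and expands the dropped-file paths for a check against a mounted image or a collector. The .reg text is constructed: the dma_id and the first 17 key bytes are the ones quoted above, the remaining key bytes are an assumption that completes the standard “-----BEGIN PUBLIC KEY-----” header, and the OneDrive entry is a benign decoy added to show it is not flagged.

```python
import re

RUN_KEY = r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
SOFTWARE_KEY = r'HKEY_CURRENT_USER\Software'

# Run value names DMA Locker registers and the file each one launches.
DMA_RUN_VALUES = {'Windows Firewall': 'svchosd.exe', 'Windows Update': 'select.bat'}

# Files the write-up lists as dropped, kept with their environment variables.
DROPPED_FILES = [
    r'%ALLUSERSPROFILE%\cryptinfo.txt',
    r'%ALLUSERSPROFILE%\select.bat',
    r'%ALLUSERSPROFILE%\svchosd.exe',
    r'%USERPROFILE%\Start Menu\Programs\Startup\x.vbs',
]

# Constructed sample of a `reg export HKEY_CURRENT_USER\Software` result from an
# infected host (added example, not SonicWall's data). dma_id and the first 17
# public-key bytes are the values quoted in the write-up; the bytes after them
# are an ASSUMED continuation (" KEY-----") completing the standard PEM header.
# The OneDrive entry is a benign decoy to show that it is not flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software]
"dma_id"="111E7723E0A34AD3815C0D8A85327F54"
"dma_public_key"=hex:2d,2d,2d,2d,2d,42,45,47,49,4e,20,50,55,42,4c,49,43,\
  20,4b,45,59,2d,2d,2d,2d,2d

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Firewall"="\"%ALLUSERSPROFILE%\\svchosd.exe\""
"Windows Update"="\"%ALLUSERSPROFILE%\\select.bat\""
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
'''


def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: (type, data)}}.

    Handles REG_SZ strings (with backslash escapes) and hex: binary values
    (with backslash line continuations), which is all this triage needs.
    """
    text = re.sub(r',\\\r?\n\s*', ',', text)   # rejoin continued hex lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
        if m is None or current is None:
            continue
        name, raw = m.group(1), m.group(2)
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            keys[current][name] = ('REG_SZ', re.sub(r'\\(.)', r'\1', raw[1:-1]))
        elif raw.startswith('hex:'):
            data = bytes(int(b, 16) for b in raw[4:].split(',') if b.strip())
            keys[current][name] = ('REG_BINARY', data)
        else:
            keys[current][name] = ('OTHER', raw)
    return keys


def find_dma_locker(keys):
    """Return [(indicator, detail)] for the DMA Locker 4.0 registry artifacts."""
    findings = []
    run = keys.get(RUN_KEY, {})
    for name, target in DMA_RUN_VALUES.items():
        kind, data = run.get(name, (None, ''))
        # Match on name AND target: the names imitate real Windows components.
        if kind == 'REG_SZ' and data.lower().rstrip('"').endswith(target):
            findings.append(('Run:' + name, data))
    sw = keys.get(SOFTWARE_KEY, {})
    kind, data = sw.get('dma_id', (None, ''))
    if kind == 'REG_SZ' and re.fullmatch(r'[0-9A-Fa-f]{32}', data):
        findings.append(('dma_id', data))
    kind, data = sw.get('dma_public_key', (None, b''))
    if kind == 'REG_BINARY':
        pem = data.decode('ascii', errors='replace')
        if pem.startswith('-----BEGIN PUBLIC KEY'):
            findings.append(('dma_public_key', pem.splitlines()[0]))
    return findings


def expand_dropped_paths(env):
    """Expand the dropped-file paths with the given env values; variables not
    in env are left as-is so the gap is visible when checking a mounted image."""
    return [re.sub(r'%(\w+)%', lambda m: env.get(m.group(1), m.group(0)), p)
            for p in DROPPED_FILES]


if __name__ == '__main__':
    for indicator, detail in find_dma_locker(parse_reg(SAMPLE_REG)):
        print(f'{indicator}: {detail}')
    for path in expand_dropped_paths({'ALLUSERSPROFILE': r'C:\ProgramData'}):
        print('check:', path)
```

On a live host the same checks can be run against `reg export HKCU\Software out.reg` from each user profile; the Run-value check deliberately requires both the imitated name and the svchosd.exe / select.bat target, since a value named "Windows Update" on its own is not evidence of anything.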

The Trojan requests the ransom information that is to be displayed to the user (“action=3”):

The following ransom information is displayed on the screen of the infected machine:

A quick lookup of the bitcoin address on blockchain.info shows that the same address is used across multiple infections, so the payments to it can be totalled. The campaign has been successful: at the time of writing this alert, victims had paid 6.0001 BTC (about $3,150 USD):

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: DMALocker.D (Trojan)
