DMA Locker 4.0, yet another ransomware

June 2, 2016

The Dell SonicWALL Threats Research team has observed yet another ransomware in the wild called DMA Locker. Ransomware remains a very lucrative business for its operators. Unless a backup is available, the only way to recover the files is to pay the ransom. With this ransomware we can measure some level of success by observing the bitcoin transactions associated with the given address:

Infection Cycle:

The Trojan uses the following PDF icon:

The Trojan drops the following files to the filesystem:

  • %ALLUSERSPROFILE%\cryptinfo.txt (encrypted file)
  • %ALLUSERSPROFILE%\select.bat (encrypted file)
  • %ALLUSERSPROFILE%\svchosd.exe [Detected as GAV: DMALocker.D (Trojan)]
  • %USERPROFILE%\Start Menu\Programs\Startup\x.vbs (encrypted file)

The Trojan adds the following keys to the registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Windows Firewall" = "%ALLUSERSPROFILE%\svchosd.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Windows Update" = "%ALLUSERSPROFILE%\select.bat"

The Trojan can be seen running in the process list:

The Trojan exhibited 4 "action" commands which are used when communicating with the C&C server:

  • "action=0" : request for unique ID
  • "action=1" : request for RSA Public Key
  • "action=2" : status information from C&C
  • "action=3" : ransom data

The Trojan obtains a unique bot ID from a remote C&C server ("action=0"):

It then uses this bot ID to request an RSA public key from the server ("action=1"):

The bot ID and RSA Public Key are stored in the registry:

  • HKEY_CURRENT_USER\Software "dma_id" = "111E7723E0A34AD3815C0D8A85327F54"
  • HKEY_CURRENT_USER\Software "dma_public_key" = hex:2d,2d,2d,2d,2d,42,45,47,49,4e,20,50,55,42,4c,49,43....
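The persistence entries and the dma_id / dma_public_key values listed above are host-side indicators a responder can check for in a registry export. The following is an added example, not code from the advisory or from SonicWALL: it parses a small .reg export constructed here as sample data (the bot ID is the one quoted above; the hex bytes are the PEM header the advisory shows, extended to a full "-----BEGIN PUBLIC KEY-----" line) and reports which of the advisory's indicators are present. The parser assumes single-line values, as in the sample.

```python
# Indicators taken from the advisory: Run value names, dropped file names, HKCU\Software values.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
SOFTWARE_KEY = r"HKEY_CURRENT_USER\Software"
RUN_VALUES = {"Windows Firewall": "svchosd.exe", "Windows Update": "select.bat"}

# Constructed sample of a .reg export from an infected host (not captured data).
# %ALLUSERSPROFILE% is assumed to expand to C:\ProgramData; .reg escapes backslashes.
SAMPLE_REG = r'''
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software]
"dma_id"="111E7723E0A34AD3815C0D8A85327F54"
"dma_public_key"=hex:2d,2d,2d,2d,2d,42,45,47,49,4e,20,50,55,42,4c,49,43,20,4b,45,59,2d,2d,2d,2d,2d

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Firewall"="C:\\ProgramData\\svchosd.exe"
"Windows Update"="C:\\ProgramData\\select.bat"
'''

def parse_reg(text):
    """Return {key_path: {value_name: raw_value}} from single-line .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value
    return keys

def decode_hex_value(raw):
    """Turn a .reg 'hex:2d,2d,...' value into bytes."""
    return bytes(int(b, 16) for b in raw[len("hex:"):].split(",") if b)

def find_dma_locker_indicators(reg_text):
    """List the advisory's indicators found in the export; empty list means none."""
    keys = parse_reg(reg_text)
    findings = []
    for name, dropped in RUN_VALUES.items():
        target = keys.get(RUN_KEY, {}).get(name, "").strip('"').lower()
        if target.endswith(dropped):
            findings.append(f"Run value '{name}' launches {dropped}")
    sw = keys.get(SOFTWARE_KEY, {})
    if "dma_id" in sw:
        findings.append("dma_id present: " + sw["dma_id"].strip('"'))
    if sw.get("dma_public_key", "").startswith("hex:"):
        if decode_hex_value(sw["dma_public_key"]).startswith(b"-----BEGIN PUBLIC KEY"):
            findings.append("dma_public_key holds a PEM-encoded public key")
    return findings
```

Matching on the Run value names alone would be noisy, since legitimate software can use similar names; the check therefore also requires the value to point at one of the dropped file names.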

The Trojan requests the ransom information that is to be displayed to the user ("action=3"):

The following ransom information is displayed on the screen of the infected machine:

A quick lookup of the bitcoin address using the website shows that the same bitcoin address is being used for multiple infections. The campaign has been successful and 6.0001 BTC (totaling $3,150 USD at the time of writing this alert) has been paid by victims so far:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: DMALocker.D (Trojan)