Solved

dma locker 3 query

Posted on 2016-08-23
Last Modified: 2016-09-14
Hi, I have a client who has been done over with DMA Locker 3; it also got their only backup, which was on a local NAS.
I had twice tried selling them cloud backup and DR.

At the moment, their only option is to pay the ransom. I've googled how to decrypt DMA Locker 3 and see loads of sites offering to decrypt for X amount.
Are these sites fake?
Question by: total123
Expert Comment by btan (ID: 41766841)
If that is the last resort, you will try it as the last attempt; to share a story where they paid but it did not work out:
"The hospital paid the ransom, but the decryption key was not provided. Instead, the extortionists asked for a second, larger payment in exchange for the key. Duick says they didn't get it, but he declines to specify how much they were asking for.

It's not like these are trustworthy people in the first place, but now they can't even stick by their own business model."
http://www.extremetech.com/extreme/229162-hospital-pays-ransomware-but-doesnt-get-files-decrypted

Regardless, so far based on the "track record" for DMA Locker, for v3 no tools can reliably decrypt; see:
  decryptable: No, the previous bug has been fixed. However, the RSA key is the same for the full campaign and once we buy the private key, it can be reused for several victims.
  works offline: yes
  prefix: !DMALOCK3.0
https://blog.malwarebytes.com/threat-analysis/2016/05/dma-locker-4-0-known-ransomware-preparing-for-a-massive-distribution/

Author Comment by total123 (ID: 41766868)
I understand. The problem is, the customer has no option at the moment: either you don't pay, so you have nothing, or you do pay, with the chance to get something and at the same time you could get nothing.

The customer is screwed if they have nothing anyway. 4 bitcoins isn't going to be missed if they get screwed over. I do feel sorry for them. But then they had been warned about these sorts of issues out there.
Expert Comment by btan (ID: 41766900)
Since it is a last resort and they understand and undertake the risk, then only the cybercriminal can answer whether their tools can recover the data. I advised not to trust those XXX sites for recovery.

You are not worse off if you still go ahead and pay the ransom, as compared to trying it out, because apparently versions 1 and 2 are decryptable and versions 3 and 4 are not.
Unfortunately, the Malwarebytes article DMA Locker Strikes Back has been updated and notes that "the latest version: 3.0 (discovered 22-th Feb) fixed the bug in the cryptography implementation. Due to this fact, encrypted files cannot be recovered by external tools", so you might be out of luck if you were actually infected with v3.0 of this malware.
You can submit an encrypted file and the ransom note to ID Ransomware for confirmation of the version. Alternatively, the DMA identifier can be recognized by an 8 byte long prefix at the beginning of the encrypted file content. In version 1 the prefix is ABCXYZ11, in version 2 the prefix is !DMALOCK, in version 3 the prefix is !DMALOCK3.0 and in version 4 the prefix is !DMALOCK4.0.
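The prefix check btan describes, as an added example that is not code from this thread, from Malwarebytes or from ID Ransomware: it reads the leading bytes of each file, matches them against the four markers quoted above, and summarises which DMA Locker version hit a directory tree, so you know before spending time on decryptor searches whether the files are from a version (1 or 2) that tools could recover. The markers are tried longest first, because "!DMALOCK3.0" and "!DMALOCK4.0" also begin with the v2 marker "!DMALOCK", and since those two are longer than 8 bytes the helper reads 16 bytes rather than 8. The sample files it creates are constructed for the demo and contain no real ransomware output; the recoverability flags simply restate the thread's "versions 1 and 2 are decryptable, 3 and 4 are not".

```python
"""Triage helper for a DMA Locker incident (added example, not the thread's code).

DMA Locker tags every file it encrypts with a fixed marker at the start of the
file content, and that marker identifies the version. Per the thread, external
decryptors existed for v1/v2 only, so the version decides the next step.
"""
import os
import tempfile
from collections import Counter

# Markers exactly as quoted in the thread. Ordered longest first: "!DMALOCK3.0"
# also starts with "!DMALOCK", so the v2 marker must be tried last.
DMA_LOCKER_MARKERS = (
    (b"!DMALOCK4.0", "DMA Locker 4.0"),
    (b"!DMALOCK3.0", "DMA Locker 3.0"),
    (b"!DMALOCK",    "DMA Locker 2.0"),
    (b"ABCXYZ11",    "DMA Locker 1.0"),
)

# Per the thread: v1/v2 had a recoverable cryptography bug, v3/v4 fixed it.
TOOL_DECRYPTABLE = {
    "DMA Locker 1.0": True,
    "DMA Locker 2.0": True,
    "DMA Locker 3.0": False,
    "DMA Locker 4.0": False,
}

HEADER_BYTES = 16  # longest quoted marker is 11 bytes; read a little more


def identify_dma_locker(header: bytes):
    """Return the DMA Locker version name for a file header, or None if unmarked."""
    for marker, version in DMA_LOCKER_MARKERS:
        if header.startswith(marker):
            return version
    return None


def triage_file(path: str) -> dict:
    """Read only the leading bytes of one file and classify it."""
    with open(path, "rb") as fh:
        header = fh.read(HEADER_BYTES)
    version = identify_dma_locker(header)
    return {
        "path": path,
        "version": version,
        # None when the file carries no DMA Locker marker at all
        "tool_decryptable": TOOL_DECRYPTABLE.get(version) if version else None,
    }


def scan_tree(root: str) -> dict:
    """Walk a directory tree and summarise which DMA Locker versions are present."""
    by_version = Counter()
    marked = []
    unmarked = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                result = triage_file(full)
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if result["version"] is None:
                unmarked += 1
            else:
                by_version[result["version"]] += 1
                marked.append(full)
    return {"by_version": by_version, "marked_files": marked, "unmarked": unmarked}


def build_sample_tree() -> str:
    """Create constructed sample files (not real ransomware output) for a demo run."""
    root = tempfile.mkdtemp(prefix="dma_demo_")
    samples = {
        "report.docx": b"!DMALOCK3.0" + b"\x00" * 32,   # constructed v3-style header
        "photo.jpg":   b"!DMALOCK" + b"\x11" * 32,      # constructed v2-style header
        "old.pdf":     b"ABCXYZ11" + b"\x22" * 32,      # constructed v1-style header
        "readme.txt":  b"plain text, untouched",        # no marker at all
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    summary = scan_tree(demo_root)
    for version, count in sorted(summary["by_version"].items()):
        status = "external decryptor may exist" if TOOL_DECRYPTABLE[version] else "no tool can decrypt"
        print(f"{version}: {count} file(s) -> {status}")
    print(f"unmarked files: {summary['unmarked']}")
```

Point `scan_tree()` at a mounted copy of the affected share rather than the live host; it only reads the first 16 bytes of each file, so it is cheap to run across a whole NAS and gives you the version mix to send along with a sample to ID Ransomware.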

Author Comment by total123 (ID: 41778035)
We've managed to get 4 bitcoins across to the hacker and they have provided the goods. Two PCs are now working; just getting the data from them and looking to format. The server is decrypting.

An honest hacker, who would have thought.
Expert Comment by btan (ID: 41778211)
Luckily there is one true hacker that stands by his words.
Do scan the tool and machine, but it is best to just rebuild the machine to a clean slate instead and move on.
Author Comment by total123 (ID: 41780080)
I've had a query. Does anybody know if the files that were encrypted have any reference to the encryption code, and could there be some kind of timed system in place that could encrypt them again?
We have formatted the server and PCs, so there should be no programs live on the system.
Accepted Solution by btan (earned 500 total points; ID: 41780865)
The type of ransomware, based on ID Ransomware and Crypto Sheriff, will reveal indirectly what cipher is used. The ransom notes may normally state the crypto key used. It is not possible to tell straight off from the encrypted files.
DMA Locker 3.0 is associated with several infamous ransomware including HELP_DECRYPT, CryptoLocker and RSA-2048.
The so-called timed system comes from the Registry settings, i.e. Run keys. For example, the following registry entries are generated by DMA Locker 3.0:

HKEY_LOCAL_MACHINE\SOFTWARE\supWPM
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wpm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Default_Page_URL"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe
HKLM\SOFTWARE\Classes\AppID\<random>.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\[virus name]
These are mainly their means of persistence.