Solved

dma locker 3 query

Posted on 2016-08-23
7
462 Views
Last Modified: 2016-09-14
Hi, I have a client who has been done over with dma locker 3 and also had there only backup , which was on a local nas.
I had twice tried selling them cloud backup and Dr.

At the moment, there only option is to pay the ransome, I've googled how to decrypt dma locker 3 and see loads of site offering to decrypt for x amount.
Are these sites fake ?
0
Comment
Question by:total123
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 64

Expert Comment

by:btan
ID: 41766841
If that is the last resort, you will try the last attempt to share story that pay but did not work out
The hospital paid the ransom, but the decryption key was not provided. Instead, the extortionists asked for a second, larger payment in exchange for the key. Duick says they didn’t get it, but he declines to specify how much they were asking for.

It’s not like these are trustworthy people in the first place, but now they can’t even stick by their own business model.
http://www.extremetech.com/extreme/229162-hospital-pays-ransomware-but-doesnt-get-files-decrypted

Regardless, so far based on "track record" for DMA Locker - for v3, no tools can reliably decrypt - see
decryptable: No, the previous bug has been fixed. However, RSA key is the same for full campaign and once we buy the private key, it can be reused for several victims.
 works offline: yes
 prefix: !DMALOCK3.0
https://blog.malwarebytes.com/threat-analysis/2016/05/dma-locker-4-0-known-ransomware-preparing-for-a-massive-distribution/
0
 

Author Comment

by:total123
ID: 41766868
I understand, problem is, the customer has no option at the moment. either you don't pay, so you have nothing or you do pay, with the chance to get something and at the same time, you could get nothing.

the customer is screwed if they have nothing anyway. 4 bitcoins isn't going to be missed if they get screwed over. I do feel sorry for them. But then they had been warned about these sort of issues out there.
0
 
LVL 64

Expert Comment

by:btan
ID: 41766900
Since it is last resort and they understand to undertake the risk then only the cybercriminal is the one whom can answer if their tools can recover the data. I advised not to trust those sites XXX for recovery..

It is not worst off if you still going ahead to pay ransom as compared to try out as apparently, versions 1 and 2 are decryptable - versions 3 and 4 are not.
Unfortunately, the Malwarebytes article DMA Locker Strikes Back (link is external) has been updated and notes that "the latest version: 3.0 (discovered 22-th Feb) fixed the bug in the cryptography implementation. Due to this fact, encrypted files cannot be recovered by external tools", so you might be out of luck if you were actually infected with v3.0 of this malware.
You can submit an encrypted file and the ransom note to ID-Ransomware for confirmation on the version. Alternatively, the DMA identifier can be recognized by an 8 byte long prefix at the beginning of the encrypted file content. In version 1 the prefix is ABCXYZ11, in version 2 the prefix is !DMALOCK, in version 3 the prefix is !DMALOCK3.0 and in version 4 the prefix is !DMALOCK4.0.
0
Raise the IQ of Your IT Alerts

From IT major incidents to manufacturing line slowdowns, every business process generates insights that need to reach the people required to take action. You need a platform that integrates with your business tools to create fully enabled DevOps toolchains.

You need xMatters.

 

Author Comment

by:total123
ID: 41778035
We've managed to get 4 bitcoins across to the hacker and they have provided the goods. two pc's are now working. just getting the data from them and looking to format. the server is decrypting.

an honest hacker, who would have thought.
0
 
LVL 64

Expert Comment

by:btan
ID: 41778211
Luckily there is one true hacker that stand by his words.
Do scan the tool and machine - but best to just rebuild the machine to clean slate instead and move on.
0
 

Author Comment

by:total123
ID: 41780080
I've had a query. Anybody know if the files that were encrypted have any reference to the encryption code and could have some kind of timed system in place that could encypt them again.
we have formatted the server and pc's, so there should be no programs live on the system.
0
 
LVL 64

Accepted Solution

by:
btan earned 500 total points
ID: 41780865
The type of Ransomware based on idransomware and Crypto sheriff will reveal indirectly what is the cipher used. From the random notes, it may normally states the crypto key used. Not possible to straight off tell for the encrypted files.
DMA Locker 3.0 is associated with several infamous ransomware including HELP_DECRYPT, CryptoLocker and RSA-2048.
The so called timed system is from the Registry setting i.e. Run keys. For example, the following registry files generated by DMA Locker 3.0:

HKEY_LOCAL_MACHINESOFTWAREsupWPM
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesWpm
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Default_Page_URL”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe
HKLM\SOFTWARE\Classes\AppID\<random>.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\[virus name]
These are mainly their means of persistence.
0

Featured Post

Increase Agility with Enabled Toolchains

Connect your existing build, deployment, management, monitoring, and collaboration platforms. From Puppet to Chef, HipChat to Slack, ServiceNow to JIRA, Splunk to New Relic and beyond, hand off data between systems to engage the right people.

Connect with xMatters.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Cybersecurity has become the buzzword of recent years and years to come. The inventions of cloud infrastructure and the Internet of Things has made us question our online safety. Let us explore how cloud- enabled cybersecurity can help us with our b…
Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question