DMA Locker 3 query

Hi, I have a client who has been done over with DMA Locker 3 and also had their only backup, which was on a local NAS.
I had twice tried selling them cloud backup and DR.

At the moment, their only option is to pay the ransom. I've googled how to decrypt DMA Locker 3 and see loads of sites offering to decrypt for x amount.
Are these sites fake?
total123 asked:

btan (Exec Consultant) commented:
The type of ransomware, based on ID Ransomware and Crypto Sheriff, will reveal indirectly what cipher is used. From the ransom notes, it normally states the crypto key used. It is not possible to tell straight off from the encrypted files.
DMA Locker 3.0 is associated with several infamous ransomware including HELP_DECRYPT, CryptoLocker and RSA-2048.
The so-called timed system is from the registry settings, i.e. Run keys. For example, the following registry keys are generated by DMA Locker 3.0:

HKEY_LOCAL_MACHINE\SOFTWARE\supWPM
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wpm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Default_Page_URL"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe
HKLM\SOFTWARE\Classes\AppID\<random>.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\[virus name]
These are mainly their means of persistence.
0
btan (Exec Consultant) commented:
If that is the last resort, you will try it as the last attempt. To share a story of one that paid but it did not work out:
The hospital paid the ransom, but the decryption key was not provided. Instead, the extortionists asked for a second, larger payment in exchange for the key. Duick says they didn’t get it, but he declines to specify how much they were asking for.

It’s not like these are trustworthy people in the first place, but now they can’t even stick by their own business model.
http://www.extremetech.com/extreme/229162-hospital-pays-ransomware-but-doesnt-get-files-decrypted

Regardless, so far based on "track record" for DMA Locker - for v3, no tools can reliably decrypt - see
decryptable: No, the previous bug has been fixed. However, RSA key is the same for full campaign and once we buy the private key, it can be reused for several victims.
 works offline: yes
 prefix: !DMALOCK3.0
https://blog.malwarebytes.com/threat-analysis/2016/05/dma-locker-4-0-known-ransomware-preparing-for-a-massive-distribution/
0
total123 (Author) commented:
I understand. Problem is, the customer has no option at the moment: either you don't pay, so you have nothing, or you do pay, with the chance to get something and at the same time you could get nothing.

The customer is screwed if they have nothing anyway. 4 bitcoins isn't going to be missed if they get screwed over. I do feel sorry for them. But then they had been warned about these sorts of issues out there.
0
btan (Exec Consultant) commented:
Since it is the last resort and they understand they undertake the risk, then only the cybercriminal is the one who can answer if their tools can recover the data. I advised not to trust those sites XXX for recovery.

It is not worse off if you are still going ahead to pay the ransom as compared to trying out tools, as apparently versions 1 and 2 are decryptable; versions 3 and 4 are not.
Unfortunately, the Malwarebytes article DMA Locker Strikes Back has been updated and notes that "the latest version: 3.0 (discovered 22-th Feb) fixed the bug in the cryptography implementation. Due to this fact, encrypted files cannot be recovered by external tools", so you might be out of luck if you were actually infected with v3.0 of this malware.
You can submit an encrypted file and the ransom note to ID-Ransomware for confirmation on the version. Alternatively, the DMA identifier can be recognized by an 8 byte long prefix at the beginning of the encrypted file content. In version 1 the prefix is ABCXYZ11, in version 2 the prefix is !DMALOCK, in version 3 the prefix is !DMALOCK3.0 and in version 4 the prefix is !DMALOCK4.0.
0
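A defender-side triage script for the version-by-prefix check described in the answer above, added here as an example and not part of the thread or of any vendor tool. It assumes the prefix-to-version table exactly as stated in the answer and builds its own constructed sample files so it runs offline.

```python
# Added example (not from the thread): classify files by the prefix that DMA Locker
# writes at the start of each encrypted file, using the version table given above.
import os
import tempfile

# (prefix, version, decryptable by external tools per the thread).
# Longest prefixes first so "!DMALOCK3.0" is not mis-read as the v2 "!DMALOCK".
DMA_PREFIXES = [
    (b"!DMALOCK4.0", "4.0", False),
    (b"!DMALOCK3.0", "3.0", False),
    (b"!DMALOCK", "2.0", True),
    (b"ABCXYZ11", "1.0", True),
]

def identify_dma_version(path):
    """Return (version, decryptable) for an encrypted file, or None if no DMA prefix."""
    with open(path, "rb") as f:
        head = f.read(16)  # longest known prefix is 11 bytes
    for prefix, version, decryptable in DMA_PREFIXES:
        if head.startswith(prefix):
            return version, decryptable
    return None

def triage_directory(root):
    """Walk a tree and count encrypted files per version; returns a summary dict."""
    summary = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            result = identify_dma_version(os.path.join(dirpath, name))
            if result is None:
                continue
            version, decryptable = result
            entry = summary.setdefault(version, {"files": 0, "decryptable": decryptable})
            entry["files"] += 1
    return summary

def build_sample_tree():
    """Constructed sample: fake encrypted files (prefix + filler) plus one clean file."""
    root = tempfile.mkdtemp(prefix="dma_triage_")
    samples = {
        "a.docx": b"!DMALOCK3.0" + b"\x00" * 32,
        "b.xlsx": b"!DMALOCK3.0" + b"\xff" * 32,
        "old.pdf": b"!DMALOCK" + b"\x01" * 32,
        "clean.txt": b"hello, not encrypted",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root

if __name__ == "__main__":
    for version, info in sorted(triage_directory(build_sample_tree()).items()):
        print(f"DMA Locker {version}: {info['files']} file(s), "
              f"decryptable by external tools: {info['decryptable']}")
```

Point `triage_directory` at a real share or backup mount to learn which version hit it before deciding on a recovery path.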
total123 (Author) commented:
We've managed to get 4 bitcoins across to the hacker and they have provided the goods. Two PCs are now working. Just getting the data from them and looking to format. The server is decrypting.

An honest hacker, who would have thought.
0
btan (Exec Consultant) commented:
Luckily there is one true hacker that stands by his words.
Do scan the tool and machine, but best to just rebuild the machine to a clean slate instead and move on.
0
total123 (Author) commented:
I've had a query. Anybody know if the files that were encrypted have any reference to the encryption code and could have some kind of timed system in place that could encrypt them again?
We have formatted the server and PCs, so there should be no programs live on the system.
0