Solved

DMA Locker 3 query

Posted on 2016-08-23
411 Views
Last Modified: 2016-09-14
Hi, I have a client who has been done over with DMA Locker 3 and also had their only backup, which was on a local NAS, encrypted.
I had twice tried selling them cloud backup and DR.

At the moment, their only option is to pay the ransom. I've googled how to decrypt DMA Locker 3 and see loads of sites offering to decrypt for X amount.
Are these sites fake?
Question by: total123

7 Comments
LVL 63

Expert Comment

by:btan
ID: 41766841
If that is the last resort, then as a last attempt I will share a story of a victim who paid but for whom it did not work out:
"The hospital paid the ransom, but the decryption key was not provided. Instead, the extortionists asked for a second, larger payment in exchange for the key. Duick says they didn't get it, but he declines to specify how much they were asking for.

It's not like these are trustworthy people in the first place, but now they can't even stick by their own business model."
http://www.extremetech.com/extreme/229162-hospital-pays-ransomware-but-doesnt-get-files-decrypted

Regardless, so far, based on the "track record" for DMA Locker, no tools can reliably decrypt v3. See:
 decryptable: No, the previous bug has been fixed. However, the RSA key is the same for the full campaign, and once we buy the private key, it can be reused for several victims.
 works offline: yes
 prefix: !DMALOCK3.0
https://blog.malwarebytes.com/threat-analysis/2016/05/dma-locker-4-0-known-ransomware-preparing-for-a-massive-distribution/
0
 

Author Comment

by:total123
ID: 41766868
I understand. The problem is, the customer has no option at the moment: either you don't pay, so you have nothing, or you do pay, with a chance of getting something and at the same time a chance of getting nothing.

The customer is screwed if they have nothing anyway. 4 bitcoins isn't going to be missed if they get screwed over. I do feel sorry for them, but then they had been warned about these sorts of issues out there.
0
 
LVL 63

Expert Comment

by:btan
ID: 41766900
Since it is the last resort and they understand and undertake the risk, then only the cybercriminal can answer whether their tools can recover the data. I advise not to trust those sites XXX for recovery.

You are not worse off going ahead and paying the ransom as compared to trying those sites out, as apparently versions 1 and 2 are decryptable and versions 3 and 4 are not.
Unfortunately, the Malwarebytes article "DMA Locker Strikes Back" has been updated and notes that "the latest version: 3.0 (discovered 22-th Feb) fixed the bug in the cryptography implementation. Due to this fact, encrypted files cannot be recovered by external tools", so you might be out of luck if you were actually infected with v3.0 of this malware.
You can submit an encrypted file and the ransom note to ID-Ransomware for confirmation of the version. Alternatively, the DMA identifier can be recognized by an 8 byte long prefix at the beginning of the encrypted file content. In version 1 the prefix is ABCXYZ11, in version 2 the prefix is !DMALOCK, in version 3 the prefix is !DMALOCK3.0 and in version 4 the prefix is !DMALOCK4.0.
0
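The version check described in the comment above, as an added example that is not part of the original thread or of any tool it mentions: it reads the first bytes of each file and classifies it by the DMA Locker header markers quoted above (ABCXYZ11, !DMALOCK, !DMALOCK3.0, !DMALOCK4.0). Two practical points the comment does not spell out: the v2 marker !DMALOCK is a prefix of the v3 and v4 markers, so the longer markers must be tested first, and the v3/v4 markers are 11 bytes long, so reading only 8 bytes would make a v3 file look like v2. The sample files below are constructed for the demonstration and are not real encrypted files; the recoverability notes per version simply restate what the thread says.

```python
"""Classify files by DMA Locker header marker (added example, constructed data)."""
import os
import tempfile
from typing import Dict, Optional

# Header markers quoted in the thread (from the Malwarebytes write-up).
# Longest first: "!DMALOCK" (v2) is a prefix of the v3/v4 markers, so a
# v3 file would be mislabelled v2 if the shorter marker were tested first.
MARKERS = (
    (b"!DMALOCK4.0", "4.0"),
    (b"!DMALOCK3.0", "3.0"),
    (b"!DMALOCK", "2.0"),
    (b"ABCXYZ11", "1.0"),
)
# Read this many bytes, not 8: the v3/v4 markers are 11 bytes long.
MAX_MARKER_LEN = max(len(m) for m, _ in MARKERS)

# What the thread says about recoverability with external tools per version.
DECRYPTABLE_BY_TOOLS = {"1.0": True, "2.0": True, "3.0": False, "4.0": False}


def identify_dma_locker(header: bytes) -> Optional[str]:
    """Return the DMA Locker version for a file header, or None if no marker."""
    for marker, version in MARKERS:
        if header.startswith(marker):
            return version
    return None


def identify_file(path: str) -> Optional[str]:
    """Read just enough of the file to test every known marker."""
    with open(path, "rb") as fh:
        return identify_dma_locker(fh.read(MAX_MARKER_LEN))


def scan_tree(root: str) -> Dict[str, int]:
    """Walk a directory; count files per detected version ('clean' if no marker)."""
    counts: Dict[str, int] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            version = identify_file(os.path.join(dirpath, name)) or "clean"
            counts[version] = counts.get(version, 0) + 1
    return counts


def recovery_status(version: str) -> str:
    """Human-readable note derived from the thread's statements."""
    if version not in DECRYPTABLE_BY_TOOLS:
        return "no DMA Locker marker"
    if DECRYPTABLE_BY_TOOLS[version]:
        return "external decryption tools may work (per the thread)"
    return "not recoverable by external tools (per the thread)"


def build_sample_tree() -> str:
    """Constructed sample data for the demo; these are NOT real encrypted files."""
    root = tempfile.mkdtemp(prefix="dma_demo_")
    samples = {
        "report.docx": b"!DMALOCK3.0" + b"\x11" * 64,
        "photo.jpg": b"!DMALOCK3.0" + b"\x22" * 64,
        "old.xls": b"!DMALOCK" + b"\x33" * 64,
        "notes.txt": b"ABCXYZ11" + b"\x44" * 64,
        "intact.pdf": b"%PDF-1.4\n" + b"\x55" * 64,
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for ver, n in sorted(scan_tree(demo_root).items()):
        print(f"{ver}: {n} file(s), {recovery_status(ver)}")
```

Point scan_tree at a copy of the affected share (read-only, after imaging) rather than at the live machine; a single !DMALOCK3.0 or !DMALOCK4.0 hit is enough to confirm the version before submitting a sample to ID-Ransomware.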

Author Comment

by:total123
ID: 41778035
We've managed to get 4 bitcoins across to the hacker and they have provided the goods. Two PCs are now working; just getting the data off them and looking to format. The server is decrypting.

An honest hacker, who would have thought.
0
 
LVL 63

Expert Comment

by:btan
ID: 41778211
Luckily there is one true hacker who stands by his word.
Do scan the tool and the machine, but it is best to just rebuild the machine to a clean slate instead and move on.
0
 

Author Comment

by:total123
ID: 41780080
I've had a query. Does anybody know if the files that were encrypted have any reference to the encryption code, and could have some kind of timed system in place that could encrypt them again?
We have formatted the server and PCs, so there should be no programs live on the system.
0
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 41780865
The type of ransomware, based on ID-Ransomware and Crypto Sheriff, will indirectly reveal the cipher used. The ransom notes normally state the crypto used. It is not possible to tell straight off from the encrypted files.
DMA Locker 3.0 is associated with several infamous ransomware including HELP_DECRYPT, CryptoLocker and RSA-2048.
The so-called timed system would come from Registry settings, i.e. Run keys. For example, the following registry entries are generated by DMA Locker 3.0:

HKEY_LOCAL_MACHINE\SOFTWARE\supWPM
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wpm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Default_Page_URL"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe
HKLM\SOFTWARE\Classes\AppID\<random>.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\[virus name]
These are mainly its means of persistence.
0
