Solved: dma locker 3 query

Posted on 2016-08-23
Last Modified: 2016-09-14
Hi, I have a client who has been done over with DMA Locker 3, along with their only backup, which was on a local NAS.
I had twice tried selling them cloud backup and DR.

At the moment, their only option is to pay the ransom. I've googled how to decrypt DMA Locker 3 and see loads of sites offering to decrypt for x amount.
Are these sites fake?
Question by:total123

Expert Comment by:btan
ID: 41766841
If that is the last resort, let me at least share a story where paying did not work out:
The hospital paid the ransom, but the decryption key was not provided. Instead, the extortionists asked for a second, larger payment in exchange for the key. Duick says they didn’t get it, but he declines to specify how much they were asking for.

It’s not like these are trustworthy people in the first place, but now they can’t even stick by their own business model.
http://www.extremetech.com/extreme/229162-hospital-pays-ransomware-but-doesnt-get-files-decrypted

Regardless, based on the "track record" so far for DMA Locker, no tools can reliably decrypt v3; see:
decryptable: No, the previous bug has been fixed. However, RSA key is the same for full campaign and once we buy the private key, it can be reused for several victims.
 works offline: yes
 prefix: !DMALOCK3.0
https://blog.malwarebytes.com/threat-analysis/2016/05/dma-locker-4-0-known-ransomware-preparing-for-a-massive-distribution/
Author Comment by:total123
ID: 41766868
I understand. The problem is, the customer has no option at the moment: either you don't pay, so you have nothing, or you do pay, with the chance to get something and at the same time the chance to get nothing.

The customer is screwed if they have nothing anyway. 4 bitcoins isn't going to be missed if they get screwed over. I do feel sorry for them, but then they had been warned about these sorts of issues out there.
Expert Comment by:btan
ID: 41766900
Since it is a last resort and they understand the risk they are undertaking, only the cybercriminal can answer whether their tool can recover the data. I would advise not trusting those sites XXX for recovery.

You are not worse off going ahead with paying the ransom than with trying the tools, as apparently versions 1 and 2 are decryptable and versions 3 and 4 are not.
Unfortunately, the Malwarebytes article DMA Locker Strikes Back has been updated and notes that "the latest version: 3.0 (discovered 22-th Feb) fixed the bug in the cryptography implementation. Due to this fact, encrypted files cannot be recovered by external tools", so you might be out of luck if you were actually infected with v3.0 of this malware.
You can submit an encrypted file and the ransom note to ID-Ransomware for confirmation on the version. Alternatively, the DMA identifier can be recognized by an 8 byte long prefix at the beginning of the encrypted file content. In version 1 the prefix is ABCXYZ11, in version 2 the prefix is !DMALOCK, in version 3 the prefix is !DMALOCK3.0 and in version 4 the prefix is !DMALOCK4.0.
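The version markers quoted above are easy to check yourself before sending anything to ID-Ransomware. The following is an added triage script, not code from this thread or from Malwarebytes; it reads only the first bytes of each file and classifies it by the prefixes named in the comment. Two things it assumes: the "decryptable" flag simply restates the thread's 2016 claim (v1/v2 had public decryptors, v3/v4 did not), and because the v3/v4 markers as quoted (`!DMALOCK3.0`, `!DMALOCK4.0`) are longer than the bare `!DMALOCK` of v2, the longer markers must be tested first or every v3/v4 file would be reported as v2. The sample share it builds is constructed filler, not real encrypted output.

```python
import os
import tempfile

# Version markers quoted in the thread, ordered longest first so that a
# "!DMALOCK3.0" / "!DMALOCK4.0" header is not claimed by the shorter
# "!DMALOCK" (v2) marker. The decryptable flag follows the thread's claim
# (assumption, not verified here): v1/v2 had public decryptors, v3/v4 did not.
DMA_LOCKER_MARKERS = (
    (b"!DMALOCK4.0", "4.0", False),
    (b"!DMALOCK3.0", "3.0", False),
    (b"!DMALOCK",    "2.0", True),
    (b"ABCXYZ11",    "1.0", True),
)

HEADER_BYTES = 16  # covers the longest marker (11 bytes) with room to spare


def identify_dma_locker(header):
    """Classify a file header. Returns (version, decryptable) or None."""
    for marker, version, decryptable in DMA_LOCKER_MARKERS:
        if header.startswith(marker):
            return version, decryptable
    return None


def identify_file(path):
    """Read only the first few bytes, so large encrypted files are cheap to triage."""
    with open(path, "rb") as fh:
        return identify_dma_locker(fh.read(HEADER_BYTES))


def scan_tree(root):
    """Walk a directory; map each marked file (relative, '/'-separated) to its result."""
    hits = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            result = identify_file(path)
            if result is not None:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits[rel] = result
    return hits


def summarize(hits):
    """Count files per version and list those beyond any public decryptor."""
    per_version = {}
    for version, _dec in hits.values():
        per_version[version] = per_version.get(version, 0) + 1
    undecryptable = sorted(path for path, (_v, dec) in hits.items() if not dec)
    return per_version, undecryptable


def build_sample_share(root):
    """Constructed sample files (marker + filler bytes), not real DMA Locker output."""
    samples = {
        "finance/q2.xlsx": b"!DMALOCK3.0" + b"\x00" * 64,
        "finance/q1.xlsx": b"!DMALOCK" + b"\x11" * 64,
        "old/archive.zip": b"ABCXYZ11" + b"\x22" * 64,
        "scans/photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,  # untouched JPEG header
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return samples


def demo_scan():
    """Build the constructed share in a temp dir, scan it, return (hits, per_version, undecryptable)."""
    with tempfile.TemporaryDirectory() as share:
        build_sample_share(share)
        hits = scan_tree(share)
        per_version, undecryptable = summarize(hits)
    return hits, per_version, undecryptable


if __name__ == "__main__":
    hits, per_version, undecryptable = demo_scan()
    for rel, (version, decryptable) in sorted(hits.items()):
        status = "public decryptor exists" if decryptable else "no public decryptor"
        print(f"{rel}: DMA Locker {version} ({status})")
    print("per version:", per_version)
    print("need the attacker's key:", undecryptable)
```

Point `scan_tree()` at a copy of the affected share to get a per-version count before deciding anything; a mixed result (some v2, some v3) would mean part of the data can be recovered without paying. The prefix is a triage hint only, so still submit a sample and the ransom note to ID-Ransomware for confirmation, and note that a file with no marker may simply not have been reached by the malware yet.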
Author Comment by:total123
ID: 41778035
We've managed to get 4 bitcoins across to the hacker and they have provided the goods. Two PCs are now working; we are just getting the data off them and looking to format. The server is decrypting.

An honest hacker, who would have thought.
Expert Comment by:btan
ID: 41778211
Luckily there is one true hacker who stands by his word.
Do scan the tool and the machine, but it is best to just rebuild the machine to a clean slate instead and move on.
Author Comment by:total123
ID: 41780080
I've had a query. Does anybody know whether the files that were encrypted have any reference to the encryption code, and whether there could be some kind of timed system in place that could encrypt them again?
We have formatted the server and PCs, so there should be no programs live on the system.
Accepted Solution by:btan (earned 500 total points)
ID: 41780865
The type of ransomware identified by ID-Ransomware and Crypto Sheriff will indirectly reveal the cipher used. The ransom note may normally state the crypto key used. It is not possible to tell straight off from the encrypted files.
DMA Locker 3.0 is associated with several infamous ransomware including HELP_DECRYPT, CryptoLocker and RSA-2048.
The so-called timed system comes from the Registry settings, i.e. the Run keys. For example, the following registry entries are generated by DMA Locker 3.0:

HKEY_LOCAL_MACHINE\SOFTWARE\supWPM
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wpm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Default_Page_URL"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe
HKLM\SOFTWARE\Classes\AppID\<random>.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\[virus name]
These are mainly their means of persistence.