Security researchers are warning that the DMA Locker ransomware is now being distributed via the Neutrino exploit kit, potentially exposing users globally to mass infections.
First discovered in January this year, the variant was originally “too primitive to even treat it seriously,” according to Malwarebytes researcher ‘Hasherzade.”
More complexity was added in later versions but it was still possible to decrypt locked data.
However, now version 4.0 has been released, and it has fixed that security hole as it looks to gear up for mass distribution.
Usability improvements have been added, such as the option to decrypt a test file, and a link to a tutorial. The process of purchasing a key and payment is supported via dedicated panel now – with no human interaction required as per previous versions.
Interestingly the website linked to the ransomware is not hosted on Tor, with the same IP used as the C&C server.
However, DMA Locker 4.0 does make more of an effort to stay hidden from security tools.
“In the past, DMA Locker was distributed without any packing. The reason behind it was probably the chosen distribution method – samples were deployed manually by attackers, who accessed machines via hacked Remote Desktops. Attackers didn’t bother much about adding any deception layer,” explained Hasherzade.
“In this edition it has changed. DMA Locker comes packed in some underground crypter, that is used to protect the payload and deceive tools used for the detection.”
The ransomware is the same as previous versions, however, in that it’s been designed to attack local drives and unmapped network shares.
The discovery by Malwarebytes reveals an interesting snapshot into the development work that goes into producing ransomware.
In the meantime, the scale of the problem continues to grow. There are no firm industry-wide estimates as to infection rates, but Trend Micro claimed to have blocked 99 million threats for its customers between October 2015 and April this year.