Hasherezade, a Malwarebytes security researcher, has taken apart the most recent version of the DMA Locker ransomware to better understand it. She reports that the new version was substantially improved before being distributed and is now of solid quality overall.
In January this year, the first version of DMA Locker surfaced. According to experts, the ransomware was little more than a joke: among its flaws, the decryption key was hardcoded into the ransomware binary, so the binary itself effectively served as a decrypter. Because of this weakness, researchers had no trouble building a decrypter to help recover users' files. DMA Locker version 2.0, which appeared a month after the first, was also flawed, although experts and security researchers noted an improvement over the first version.
From then on the ransomware kept getting better. With version 3.0, security analysts could no longer work out how to crack it: that version showed signs of a stronger encryption scheme than its predecessors.
Development of DMA Locker continued, as version 4.0 shows. Hasherezade noticed the new version a few days ago, and it contains many improvements. These enhancements lift the ransomware out of the mediocre class it belonged to and place it alongside the major families.
It now uses a C&C server instead of the single encryption key that the first version hard-coded into the binary. The ransomware also generates a unique AES key for each file it encrypts, and each of those per-file keys is in turn encrypted with the RSA public key obtained from the C&C server.
Unlocking the files requires the matching RSA private key, which never touches the victims' computers. To obtain it, victims now have to contact the ransomware operators. This is one big change from the previous versions.
Like the other major players, the ransomware is now automated and has its own website where locked-out users can pay the ransom. This is a big improvement over the way it was handled before, when the victim had to contact the authors via email to get the decryption keys.
The website, however, is not yet fully functional, and the free test decryption does not return a decrypted file. The site is also hosted on the public internet, which makes it an easy target for a takedown.
The ransomware has clearly made huge strides. It is not yet at the level of the major families, but with a few more tweaks it will get there.