A new ransomware family that appeared at the start of 2016 has been cracked by security researchers from Malwarebytes, who have identified a method of obtaining the encryption key without paying the ransom.
This new ransomware, named DMA, first appeared in Poland, and its early versions featured a ransom note only in Polish.
As the ransomware’s authors perfected their code, subsequent versions also added English ransom notes and spread to other countries.
Users can tell if they’ve been infected with the DMA ransomware strain by the presence of an intense red ransom note that asks them for 2 Bitcoin (around $800) to decrypt their files.
DMA ransomware is the work of an amateur
After analyzing a few DMA samples, the Malwarebytes security team concludes that this is the work of a beginner. Despite advertising in their ransom note that they used an AES-256 key to encrypt files and then secured that key via an RSA-2048 cipher, security researchers have discovered that DMA actually employs a custom crypto algorithm.
Additionally, the ransomware wasn’t protected against reverse engineering, allowing security researchers easy access to its source code, including all code comments.
But DMA’s main issues aren’t with this or the encryption algorithm, but with the way the encryption key is moved around between files.
First epic fail: DMA ransomware encryption key comes hard-coded in one of its binaries
Usual DMA infections occur by downloading and running a malicious file received via spam email. When the DMA ransomware installs itself via these files, it creates a file called facturax.exe, which is later deleted after the ransomware encrypts all files.
This file contains the encryption key, hard-coded in its binary, and to obtain it, users only have to re-download the malicious file they received via the spam email.
Users can take any hex editor application and analyze the factura.exe file and extract the encryption key that was used to lock their files. This encryption key is usually found at the end of the file (image below).
Second epic fail: DMA also comes with a built-in decrypter
In most cases, ransomware only encrypts files, and if the user wants to decrypt them, they’ll have to pay the ransom, after which they’ll receive a separate application, called decrypter, which will unlock their files.
This is not the case with the DMA ransomware because its author thought it would be a good idea to embed the decrypter right inside the ransom note, creating dual-mode ransomware that can encrypt and decrypt files from the same source code. This encryption key would normally be delivered to users via email after they paid the ransom.
But with the encryption key in hand, users only have to type in this key inside the ransom note and unlock their files.
Even if the ransomware’s authors may have been alerted by Malwarebytes’ article on the presence of the encryption key at the end of the facturax.exe binary and may remove it, Malwarebytes’ team has also said that they were able to crack the encryption algorithm, which they plan to reveal in the upcoming days.
Either way, the DMA ransomware project needs to completely overhaul its code if it wants to be an efficient cyber-threat. Since this may require its authors to rewrite most of their code, they might very well choose to abandon the DMA ransomware family altogether.