Ransomware: DMA Locker

Cybercrime is causing major problems for businesses everywhere as files are essentially ‘kidnapped’ through encryption and only decrypted when a fee is paid. ACUTEC has written about ransomware before, but now we have first-hand experience of fighting a brand new strain that is beginning to affect the people we work with.

DMA Locker was discovered at the beginning of the year, and only last week one of our clients experienced the pain and disruption of this new form of ransomware. It works in the same way as CryptoLocker but is more intelligent. It does not change the extension of a file, so a Word .doc file will still be a .doc even after it has been encrypted. Furthermore, documents remain openable; they are just not readable.

With older strains of ransomware, mapped drives or shortcuts on the affected PC were needed to propagate to network and server shares. DMA Locker instead scans the network for any available share, so if the user has access to it, everything on it will be encrypted. When restoring, a full server restore is therefore needed, not just the data shares, which makes backups absolutely critical.

ACUTEC has been able to work against this new strain of ransomware. DMA Locker reads data from certain text files on a system once it has been infected. If those same text files are placed manually on an uninfected system, DMA Locker will believe the system is already infected and will not attack.

Ransomware is becoming increasingly common, and once it happens there is not much that can be done. There is no guarantee that your files will be decrypted if you pay the fee. If it happens to you or someone else in your business, you should immediately shut down the machine so that further damage cannot occur. It is essential to prepare for this form of cybercrime in advance by taking steps to keep regular backups of your system, so that your critical data is not held to ransom.

