{
	"id": "b5ce6a43-2141-4bff-81b9-dc6467b17e36",
	"created_at": "2026-04-06T00:12:54.871556Z",
	"updated_at": "2026-04-10T13:11:45.773157Z",
	"deleted_at": null,
	"sha1_hash": "ad3daa8c6350e07ede9c1a68c576bd63b8cbbf76",
	"title": "DMA Locker: New Ransomware, But No Reason To Panic",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 489318,
	"plain_text": "DMA Locker: New Ransomware, But No Reason To Panic\r\nBy hasherezade\r\nPublished: 2016-02-01 · Archived: 2026-04-05 21:12:02 UTC\r\nDMA Locker is another ransomware that appeared at the beginning of this year. For now it has been observed to be active only on a small scale (source), but we want to warn you that it exists.\r\n[UPDATE] READ ABOUT THE LATEST VERSION OF DMA LOCKER: 4.0\r\nUPDATE [4 Feb 2016]: I apologize to everyone misguided by my rushed conclusions about the crypto. After further analysis and consultation with other analysts (special thanks to @fwosar and @maciekkotowicz) I confirmed that in reality it is AES in ECB mode. The low entropy was just caused by the fact that it encrypts 16-byte chunks separately, which are small enough to give this effect. The authors of the malware told many lies in their ransom note, but this one was true; it was just my mistake. The only way to recover the key is to find the original sample with the key included. My goal is always to provide the best quality analysis. This time I failed, but I tried to fix it as soon as possible and not let the false information spread.\r\nAnalyzed samples\r\nd35344b1f48764ba083e51438121e6a9 – Polish version type 2 (from Jan 2016) \u003c- main focus of this analysis\r\n4190df2af81ece296c465e245fc0caea – English version type 2 (from Jan 2016)\r\n6fbd3cdcafd6695c384a1119873786aa – Polish version type 1 (from Dec 2015)\r\n// Special thanks to malware hunters: @PhysicalDrive0, @JAMESWT_MHT and @siri_urz for their respective help in collecting the samples!\r\nBehavioral analysis\r\nWhen deployed, the ransomware moves itself into C:\\ProgramData (or C:\\Documents and Settings\\All Users\\Dokumenty), renamed to fakturax.exe, and drops another, modified copy: ntserver.exe. The file fakturax.exe is removed after execution. 
Depending on its version, it may also drop some other files in the same location.\r\nhttps://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/\r\nPage 1 of 11\n\nThe infection is easy to recognize: a red window pops up on the screen. So far, it has been observed in two language versions, Polish and English. An example of the English version is below:\r\nThe earlier version comes with a slightly different GUI (also in a Polish or English variant):\r\nIn contrast to other ransomware families that offer a separate decrypter, DMA Locker comes with the decrypting feature built in. It is available from the GUI that shows the ransom note: if the user enters a key (32 characters long) in the text field and clicks the button, the program switches to decryption mode using the supplied key:\r\nThe program is not very stable and may crash during encryption. An older version has been observed to sometimes crash after finishing encryption but before displaying any information about what happened, which may be very confusing for the victim. What makes things worse is that it does not change file extensions, so in such a case the only visible symptom is that the victim cannot open some of his or her files.\r\nNewer versions also add autorun registry keys: one launches the dropped copy of the program, the other displays the ransom note in TXT format (via Notepad). 
However, the copy of the program (DMALOCK 41:55:16:13:51:76:67:99 ntserver.exe) is not always dropped successfully, and then only the TXT note may be displayed.\r\nDetection\r\nIt is detected by Malwarebytes Anti-Malware as Ransom.DMALocker:\r\nExperiment\r\nIn the ransom note, the authors mention that the data is encrypted by AES and RSA. Let’s look at the files.\r\nAt first look at the encrypted content we can see repetitive patterns, and the entropy is relatively low. This is exactly what ECB mode produces on repetitive input: each 16-byte plaintext block is encrypted independently with the same key, so identical plaintext blocks always yield identical ciphertext blocks and the structure of the original file shows through.\r\nLeft – raw bytes of the original BMP, right – the same BMP encrypted by DMA Locker:\r\nLet’s compare some more files and see how they changed after being encrypted by DMA Locker.\r\nExample 1 – HTML files:\r\ncomparison of the original files:\r\ncomparison of the same files encrypted:\r\nExample 2 – PNG files:\r\ncomparison of the original files:\r\ncomparison of the same files encrypted:\r\nAs we can see, when the beginnings of the original files are identical, the beginnings of the encrypted outputs are identical too. The encryption is clearly done in fixed-size chunks: look at the comparison of the PNG files – from offset 0x10 they have been encrypted differently, although both have zeros at positions 0x10, 0x11… A single differing byte anywhere in a chunk changes the whole encrypted chunk. The chunk size is 16 bytes, as the code analysis below confirms.\r\nInside\r\nThis ransomware is distributed without any packing, and no defense against analysis has been observed. All the strings used and API functions called are in plain text. In fact, the malware even “helps” the analyst by providing a lot of debug strings describing all its activities (original + translation):\r\n[+] Plik jest aktualnie zaszyfrowany, pomijanie.. 
//The file is already encrypted, skipping.. [*] Roz\r\nThanks to the logs, finding the important parts of the code is trivial!\r\nAt the beginning of execution a new thread is deployed whose role is to check for the presence of the following processes:\r\nrstrui.exe\r\nShadowExplorer.exe\r\nsesvc.exe\r\ncbengine.exe\r\nIf any of them is detected, the malware tries to terminate it. All of them are related to system recovery and backups (rstrui.exe is the System Restore UI, ShadowExplorer browses Volume Shadow Copies), i.e. tools a victim could use to get files back without paying. Just after deploying this thread the malware logs (in Polish):\r\n“[+] Blocking processes of system recovery“\r\nInstead of a list of attacked extensions, this malware contains two blacklists. One for directories:\r\nand another for file extensions:\r\nFiles whose path contains a blacklisted substring are skipped.\r\nThe malware enumerates all files, browsing first the logical drives and then the network resources, trying to encrypt each and every file (except the blacklisted ones).\r\nA single flag decides whether the malware is in encryption or decryption mode:\r\nEncryption (as well as decryption) is deployed in a new thread:\r\nEncryption key\r\nThe encryption key is 32 bytes long. In the newer version of the malware it is hard-coded at the end of the original file and read from there. However, there is a twist.\r\nDuring execution, two copies of the original file are dropped: fakturax.exe and ntserver.exe, but only fakturax.exe contains the key; in ntserver.exe it has been wiped. After reading the key, fakturax.exe is removed and the key is lost along with it. 
That’s why we can easily recover the key if, by any means, we managed to keep the original copy of the malware sample (this is not a problem if we know the source of infection, e.g. if the malware arrived as an e-mail attachment).\r\nIn the examined variant of the malware (referred to as type 2, i.e. 4190df2af81ece296c465e245fc0caea) it was enough to find the key at the end of the original sample (*WARNING: this is not the original key of this sample. It has been used just to present how it works and where the real key can be found. Before trying to recover files, make sure that you made a backup of them, just in case the algorithm is different in some other edition.)\r\nand enter it into the text field:\r\nin order to get all the files back.\r\nEncryption algorithm\r\nThe authors claimed that they used AES and RSA. How does it look from the side of the code?\r\nThe file is encrypted chunk by chunk; a single unit is 16 bytes (4 DWORDs). The key is 32 bytes long (AES with a 32-byte key is AES-256) and is preprocessed before the encryption. Both elements, the preprocessed key and a chunk of the input file, are copied to a buffer that is supplied to the encrypting procedure.\r\nBelow – a sample file, square.png, processed by the encrypting function. Used key: “11111…”. (The copied chunk of the file has been selected in the picture.)\r\nafter encryption (output marked gray):\r\nThe output is then copied back to the original buffer containing the full file. Every encrypted file has its content prefixed by “ABCXYZ11” – a magic value used by the ransomware to recognize already encrypted files (it has been introduced in the newer version). 
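The two observations from the Experiment section above (identical file headers stay identical after encryption, and outputs diverge only from the first 16-byte chunk that differs) and the file layout just described (the ABCXYZ11 magic followed by 16-byte AES-ECB blocks under a 32-byte key) can be reproduced in a few lines. The Go program below is an added example written for this page; it is not DMA Locker's code and does not come from the original post. It assumes that the 32-character key is used directly as the AES-256 key (the post says the key is preprocessed without detailing how), that a trailing partial block is left unencrypted (the post does not say how the file tail is handled), and the names Lock, Unlock, SharedLeadingBlocks and RepeatedBlocks are mine. The inputs are constructed: two buffers with the same 16-byte header that differ in one byte of the second block, under the key 11111… from the screenshots.

```go
package main

import (
	`bytes`
	`crypto/aes`
	`errors`
	`fmt`
)

// Magic is the marker the newer DMA Locker build writes in front of every
// encrypted file so it can recognise, and skip, files it already processed.
const Magic = `ABCXYZ11`

// ecbApply runs the raw AES block function over data 16 bytes at a time with
// no IV and no chaining: that is ECB mode. A trailing partial block is left
// untouched (an assumption of this example, not something the post states).
func ecbApply(key, data []byte, encrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	copy(out, data)
	for i := 0; i+aes.BlockSize <= len(data); i += aes.BlockSize {
		if encrypt {
			block.Encrypt(out[i:i+aes.BlockSize], data[i:i+aes.BlockSize])
		} else {
			block.Decrypt(out[i:i+aes.BlockSize], data[i:i+aes.BlockSize])
		}
	}
	return out, nil
}

// Lock produces the on-disk layout described above: Magic, then the ECB
// ciphertext. A file already carrying Magic is refused, mirroring the
// malware's own 'file is already encrypted, skipping' log line.
func Lock(key, plain []byte) ([]byte, error) {
	if bytes.HasPrefix(plain, []byte(Magic)) {
		return nil, errors.New(`already encrypted`)
	}
	ct, err := ecbApply(key, plain, true)
	if err != nil {
		return nil, err
	}
	return append([]byte(Magic), ct...), nil
}

// Unlock is what the built-in decryption mode has to do once the victim
// types in the 32-character key recovered from the original sample.
func Unlock(key, locked []byte) ([]byte, error) {
	if !bytes.HasPrefix(locked, []byte(Magic)) {
		return nil, errors.New(`magic prefix missing: not a DMA Locker file`)
	}
	return ecbApply(key, locked[len(Magic):], false)
}

// SharedLeadingBlocks counts the leading 16-byte blocks two ciphertexts have
// in common. Under ECB this equals the number of leading plaintext blocks
// that were identical: one differing byte changes its whole block, no more.
func SharedLeadingBlocks(a, b []byte) int {
	n := 0
	for i := 0; i+aes.BlockSize <= len(a) && i+aes.BlockSize <= len(b); i += aes.BlockSize {
		if !bytes.Equal(a[i:i+aes.BlockSize], b[i:i+aes.BlockSize]) {
			break
		}
		n++
	}
	return n
}

// RepeatedBlocks counts ciphertext blocks that occur more than once: the
// cheap ECB tell behind the repetitive patterns seen in the encrypted BMP.
func RepeatedBlocks(ct []byte) int {
	seen := map[[aes.BlockSize]byte]int{}
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		var blk [aes.BlockSize]byte
		copy(blk[:], ct[i:i+aes.BlockSize])
		seen[blk]++
	}
	rep := 0
	for _, c := range seen {
		if c > 1 {
			rep += c - 1
		}
	}
	return rep
}

func main() {
	key := []byte(`11111111111111111111111111111111`) // the 32-char key from the screenshots
	// Constructed inputs: a shared 16-byte header, then 48 zero bytes; b
	// differs from a in one byte of the second block.
	header := []byte(`PNG-HEADER-16BYT`)
	a := append(append([]byte{}, header...), make([]byte, 48)...)
	b := append(append([]byte{}, header...), make([]byte, 48)...)
	b[17] = 1
	ca, _ := Lock(key, a)
	cb, _ := Lock(key, b)
	fmt.Println(`shared leading blocks:`, SharedLeadingBlocks(ca[len(Magic):], cb[len(Magic):])) // 1
	fmt.Println(`repeated blocks in a:`, RepeatedBlocks(ca[len(Magic):]))                        // 2
	pt, _ := Unlock(key, ca)
	fmt.Println(`round trip ok:`, bytes.Equal(pt, a)) // true
}
```

Run it with go run. The first block of both ciphertexts is identical and the rest differs, which is the PNG comparison in the screenshots; the three zero-filled plaintext blocks come out as three identical ciphertext blocks, which is the low entropy and visible structure of the encrypted BMP. RepeatedBlocks is the quick check to run on any suspected ECB output before trusting a ransom note's claims about the crypto; on a real DMA Locker file the Magic prefix has to be stripped first, as Unlock does.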
Below, we can see the sample file after being dumped on the disk.\r\n16-byte chunks of the file are encrypted by AES in ECB mode.\r\nConclusion\r\nFirst of all, not everything malware authors tell is true. In this case the key was neither RSA-encrypted nor randomly generated; it was just stored in the original file.\r\nSecond, immediately removing the malware is not always the best solution; sometimes we may need it to recover the data.\r\nIf you encounter ransomware, it is better to try to gather information about it before taking any steps. If you cannot find any information, the best way is to open a topic on the forum of your favorite vendor or contact a known analyst. We are in constant search of samples of new threats, trying to describe and solve the problems.\r\nAnd remember: only some families are really nasty. Others, like LeChiffre, have implementation flaws that allow files to be recovered.\r\nAppendix\r\nhttps://forum.4programmers.net/Hardware_Software/264028-dma_locker_-_zaszyfrowane_pliki – a thread on a Polish forum, created by a user infected by DMA Locker\r\nAbout the author\r\nUnpacks malware with as much joy as a kid unpacking candies.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/"
	],
	"report_names": [
		"dma-locker-a-new-ransomware-but-no-reason-to-panic"
	],
	"threat_actors": [],
	"ts_created_at": 1775434374,
	"ts_updated_at": 1775826705,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ad3daa8c6350e07ede9c1a68c576bd63b8cbbf76.pdf",
		"text": "https://archive.orkl.eu/ad3daa8c6350e07ede9c1a68c576bd63b8cbbf76.txt",
		"img": "https://archive.orkl.eu/ad3daa8c6350e07ede9c1a68c576bd63b8cbbf76.jpg"
	}
}