{
	"id": "f5fe17db-40e6-4c7d-b669-1e54a2618bf5",
	"created_at": "2026-04-06T01:29:06.287448Z",
	"updated_at": "2026-04-10T13:12:34.599017Z",
	"deleted_at": null,
	"sha1_hash": "c2667269687ce67377ccce7c562765ab89fad6b8",
	"title": "DMA Locker 4.0: Known ransomware preparing for a massive distribution",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 579236,
	"plain_text": "DMA Locker 4.0: Known ransomware preparing for a massive distribution\r\nBy hasherezade\r\nPublished: 2016-05-22 · Archived: 2026-04-06 00:13:50 UTC\r\nFrom the beginning of this year, we have been observing the rapid development of DMA Locker. At first, the threat was too primitive to even treat it seriously. Then it evolved into more complex but still decryptable ransomware. The 3.0 edition was very similar to the previous one that we described, so we skipped posting about its details (the only change was to fix the bug that made it decryptable). Now we are facing an outbreak of version 4.0, coming with various changes.\r\nIn the past, DMA Locker was known for being installed on hacked Remote Desktops. The new release has been found distributed via an exploit kit (Neutrino). This change is another step towards maturity of the malware, showing that this threat will now be spreading on a bigger scale.\r\nDMA Locker development timeline\r\nVersion 1.0\r\ndiscovered: January 2016\r\ncrypto: files encrypted by AES-256 in ECB mode. The AES key is the same for each attacked file, stored in the binary and erased after use.\r\ndecryptable: yes, if we have the original sample\r\nworks offline: yes\r\nprefix: ABCXYZ11\r\nread more: here\r\nVersion 2.0\r\ndiscovered: 8 February 2016\r\ncrypto: files encrypted by AES-256 in ECB mode. The AES key is randomly generated for each attacked file. After use, it is encrypted by RSA and stored in the file. The RSA public key comes hardcoded in the binary.\r\ndecryptable: yes. Due to the weak random generator, the AES key can be guessed.\r\nworks offline: yes\r\nprefix: !DMALOCK\r\nread more: here\r\nVersion 3.0\r\ndiscovered: 22 February 2016\r\ncrypto: files encrypted by AES-256 in ECB mode. The AES key is randomly generated for each attacked file. After use, it is encrypted by RSA and stored in the file. The RSA public key comes hardcoded in the binary.\r\nhttps://blog.malwarebytes.com/threat-analysis/2016/05/dma-locker-4-0-known-ransomware-preparing-for-a-massive-distribution/\r\nPage 1 of 14\r\ndecryptable: no, the previous bug has been fixed. However, the RSA key is the same for the full campaign, and once we buy the private key, it can be reused for several victims.\r\nworks offline: yes\r\nprefix: !DMALOCK3.0\r\nVersion 4.0\r\ndiscovered: 19 May 2016\r\ncrypto: files encrypted by AES-256 in ECB mode; the key is randomly generated for each file. Each random AES key is encrypted by RSA and stored in the file. The RSA key pair is generated on the server (per client); the public key is downloaded.\r\ndecryptable: no. Nor can the RSA key be reused.\r\nworks offline: no\r\nprefix: !DMALOCK4.0\r\nread more: in the current article\r\nAnalyzed sample\r\n73f9bd05825cbe3cc9fc22b59806e1ac – original sample of DMA Locker 4.0 (in this form it is distributed)\r\nd74e6aa609d4b962b55ec47e29559c70 – unpacked\r\nBehavioral analysis\r\nIn contrast to the previous versions, DMA Locker 4.0 cannot encrypt files offline. It needs to download the public RSA key from its C\u0026C. That’s why, if the file has been opened on a computer without an internet connection, it will just install itself and wait. If the machine is connected, it runs silently until it finishes encrypting the files.\r\nThis time DMA Locker comes with a deception layer added: the packed sample has an icon pretending to be a PDF document:\r\nAfter being run, it moves itself to the same location as its previous editions, C:\\ProgramData, under the name svchosd.exe:\r\nIn addition to the main sample, we can see two additional files: select.bat and cryptinfo.txt.\r\ncryptinfo.txt is a ransom note, analogous to those that we know from the previous editions; only the content changed. Now it is much shorter and contains a link to the individual website for the victim:\r\nThe script select.bat is used to display this note in case the original executable has been removed:\r\nIt also adds registry keys for persistence. This time the main sample, svchosd.exe, is saved under the name Windows Firewall and the script select.bat under Windows Update:\r\nAfter it finishes the encryption process, a red window, similar to the one known from the previous editions, pops up:\r\nIn addition to the incremented version number, visible in the corner, we can see some slight usability improvements. Following current trends, the option to decrypt a test file has been added. Also, there is a link to a tutorial.\r\nAs in the previous editions, the extensions of the encrypted files are unchanged. We can recognize that they have been attacked by this ransomware only by the prefix of the content. This time it is “!DMALOCK4.0”:\r\nExperiment\r\nIn the last editions, DMA Locker was using two algorithms for the encryption: AES to encrypt the file content and RSA to encrypt the randomly generated AES key. Let’s see if the patterns of the encrypted content are similar to those found before:\r\nLeft – raw bytes of the original BMP, right – the same BMP encrypted by DMA Locker 4.0:\r\nIndeed, again we can see patterns of the original content reflected in the encrypted content, which suggests that some block cipher has been used. We can suspect that also in this case it is AES in ECB mode.\r\nAlso this time, every file is encrypted with a different key.\r\nNetwork communication\r\nThe feature that is new in this edition of DMA Locker is the communication with the C\u0026C (Command and Control) server. The generated traffic is not encrypted, and we can easily see what the C\u0026C is used for.\r\nThe victim ID is generated server side (unlike in some other cases of malware, where the locally generated ID is sent and registered with the C\u0026C). During the beaconing, the bot receives it and stores it in the registry as dma_id.\r\nThe role of the C\u0026C is crucial, because the public key is not hardcoded this time, but generated per victim* and downloaded:\r\n*the logic of the application suggests that keys are unique for each victim, but we don’t know what really happens on the server side and whether the keys are being reused for some pool of victims\r\nBefore the window pops up, it asks the C\u0026C for the individual data of the victim that has to be displayed:\r\nWebsite for the victim\r\nMost ransomware provides a website for the victim, but what is surprising in the case of DMA Locker 4.0 is the fact that the website is not Tor-based, but on normal hosting. The same IP is used as the C\u0026C server.\r\nThe content of the website is clean, but very simple, which may suggest an early stage of development:\r\nThe same site is supposed to offer the service of decrypting the test file (opened by the button in the GUI):\r\nHowever, during our tests this service was not working properly and we didn’t get any file back, although it had been successfully submitted:\r\nInside\r\nIn the past, DMA Locker was distributed without any packing. The reason behind it was probably the chosen distribution method: samples were deployed manually by attackers, who accessed machines via hacked Remote Desktops. The attacker didn’t bother much about adding any deception layer.\r\nIn this edition it has changed. DMA Locker comes packed in some underground crypter that is used to protect the payload and deceive detection tools.\r\nWhen we open the original executable under the debugger, we see the code of the crypter’s stub, which doesn’t make much sense. The real payload is revealed after unpacking. It has a similar structure to the previous editions of DMA Locker, but several new features are added.\r\nHow does the encryption work?\r\nEncryption follows similar steps as in the previous versions.\r\nThe main difference is in the method of delivering the public RSA key. In the previous editions, there was one key per campaign and it was stored hardcoded in the binary. Now it has changed. The key is downloaded from the server, along with the unique bot ID. Both are stored in the registry and fetched when needed.\r\nAn individual AES key is generated for each and every file just before encryption. Since version 3.0 of DMA Locker, the weak random generator has been fixed. Now it uses the function CryptGenRandom from the Windows Crypto API to fetch 32 random bytes that are used as a key:\r\nJust like before, a file is read and divided into chunks. Then, the random key along with the buffer containing a single chunk is passed as a parameter to a new encrypting thread. For the content encryption, the same AES implementation as in the previous versions has been used.\r\nAfter the full content is processed, the RSA key is imported and used to encrypt the random AES key. The encrypted key is saved at the beginning of the file, just after the !DMALOCK4.0 tag.\r\nThen, the AES-encrypted content is appended to the file. At the end, the random key is destroyed.\r\nLike in the previous edition, the same application can be used for decryption when the victim has managed to get the appropriate RSA private key. Previously, the only way to communicate with the attacker and to purchase the key was via e-mail. Now the payment is managed automatically and the private key is released on the server after completing the payment. The bot can automatically download it and perform the decryption.\r\nWhat is attacked?\r\nThis part remained unchanged. Like the previously described version (2.0), it attacks local drives as well as unmapped network shares. Instead of a list of attacked extensions, DMA Locker comes with a list of blacklisted extensions and paths that are excluded from the encryption process.\r\nCommunication protocol\r\nDMA Locker communicates with its C\u0026C server by a simple, HTTP-based protocol. The bot sends GET requests and the server responds in JSON. There are 6 actions, for which URLs are hardcoded in the bot:\r\nJSON responses are then parsed with another dedicated function. Every status change is reflected in the red window. Example, showing the appropriate string being set according to the update received from the server:\r\nIn case accessing the C\u0026C was not possible, the bot sets the hardcoded bitcoin address in the window:\r\n…also, a hardcoded sum of 4 BTC:\r\nOld-style communication via e-mail is still offered as a failsafe.\r\nActions\r\nParticular actions are recognized by their numerical identifiers. Below – action numbers and their meaning:\r\n0: get a unique id for the bot\r\nsample request:\r\nGET /crypto/gate?action=0\r\nsample response:\r\n{\"status\":0,\"id\":\"7D6FB84840584C6484EEAD3DB377409B\"}\r\n1: get the public RSA key\r\nsample request:\r\nGET /crypto/gate?action=1\u0026botId=7D6FB84840584C6484EEAD3DB377409B\r\nsample response (giving RSA public key):\r\n{\"status\":0,\"rsa_public_key\":\"-----BEGIN PUBLIC KEY-----MIIBCgKCAQEAxPaoqNvUn8T52DtCr80OEJOa4bIXRDIRn\r\n2: report saving the public key\r\nsample request:\r\naction=2\u0026botId=7D6FB84840584C6484EEAD3DB377409B\r\nsample response:\r\n{\"status\":0}\r\n3: get information about the payment specific to the client\r\nsample request:\r\nGET /crypto/gate?action=3\u0026botId=7D6FB84840584C6484EEAD3DB377409B\r\nsample response:\r\n{\"status\":0,\"minimum_btc_confirmations\":3,\"bitcoin_address\":\"1C8yA7wJuKD4D2giTEpUNcdd7UNExEJ45r\",\"ran\r\n4: check the transaction status\r\nsample request:\r\nGET /crypto/gate?action=4\u0026botId=7D6FB84840584C6484EEAD3DB377409B\u0026transactionId=66614538ca4e50f44c06cf\r\nsample response:\r\n{\"status\":7}\r\n5: get the private key (if released)\r\nsample request:\r\nGET /crypto/gate?action=5\u0026botId=070F39D8E01A4B71B8414352CDB186E9\r\nsample response:\r\n{\"status\":0,\"rsa_private_key\":\"[the key content goes here]\"}\r\n6: check bot status\r\nsample request:\r\nGET /crypto/gate?action=6\u0026botId=070F39D8E01A4B71B8414352CDB186E9\r\nsample response:\r\n{\"status\":0,\"bot_status\":1}\r\npossible bot statuses and their meanings:\r\n0: fresh\r\n1: public key saved\r\n3: \"Transaction and payment are confirmed. Getting decryption key...\"\r\nIf this action receives bot status 3, it directly executes action 5, fetching the private key.\r\nStatuses\r\nEach action returns some status. The most common is status 0, which is a standard “OK” response. Some of the statuses are translated to the displayed strings:\r\n2 - \"Transaction ID confirmed! Confirming your payment, please be patient, it can take 15-20 minutes\r\nConclusion\r\nDMA Locker started being seen at the beginning of this year and drew our attention by its fast quality improvements. However, after a few months of seeing an unchanged version 3.0, we got the impression that development of this ransomware had been frozen.\r\nThe current edition shows that this is not true. This threat is still evolving and catching up with the features known from other ransomware. So far it hasn’t shown any novelty in the used techniques, and we can rather expect a conventional attack from this side.\r\nThe recently observed changes suggest that the product is preparing to be distributed on a massive scale. A few important things got automated. Distribution is now exploit kit based, which makes it reach many more targets. Purchasing a key and managing payment is supported via a dedicated panel; no human interaction is required any longer.\r\nAppendix\r\nhttp://www.broadanalysis.com/2016/05/22/neutrino-from-104-238-185-187-sends-dma-locker-4-0/ – Neutrino EK sending DMA Locker 4.0\r\nAbout the author\r\nUnpacks malware with as much joy as a kid unpacking candies.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2016/05/dma-locker-4-0-known-ransomware-preparing-for-a-massive-distribution/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2016/05/dma-locker-4-0-known-ransomware-preparing-for-a-massive-distribution/"
	],
	"report_names": [
		"dma-locker-4-0-known-ransomware-preparing-for-a-massive-distribution"
	],
	"threat_actors": [],
	"ts_created_at": 1775438946,
	"ts_updated_at": 1775826754,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c2667269687ce67377ccce7c562765ab89fad6b8.pdf",
		"text": "https://archive.orkl.eu/c2667269687ce67377ccce7c562765ab89fad6b8.txt",
		"img": "https://archive.orkl.eu/c2667269687ce67377ccce7c562765ab89fad6b8.jpg"
	}
}