
Ransom:Win32/DMALocker.A


First posted on 13 February 2016.
Source: Microsoft

Aliases:

There are no other names known for Ransom:Win32/DMALocker.A.

Explanation:

Installation
This ransomware might be downloaded as a payload by other malware such as TrojanDownloader:O97M/Donoff. When executed on the system, it can drop the file cryptinfo.txt in %common appdata%. It drops a copy of itself as:

  • "%common appdata%\svchosd.exe"
  • "%common appdata%\fakturax.exe"
  • "%common appdata%\ntserver.exe"
It also adds the following registry entries to enable the threat at system startup. The value that references the text file displays the ransom note:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "cssys"
With data: "c:\programdata\svchosd.exe" (REG_SZ)

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "cssys"
With data: "c:\programdata\ntserver.exe" (REG_SZ)

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "cryptedinfo"
With data: "notepad c:\programdata\cryptinfo.txt" (REG_SZ)
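As an added example (not part of the Microsoft description), a small Python triage helper that checks a `.reg` export of the Run key and a `%common appdata%` directory listing for the persistence value names and dropped file names listed above; the sample export and listing are constructed, and the function names are hypothetical.

```python
from pathlib import PureWindowsPath

# Indicators taken from the description above (hypothetical detection code, not Microsoft's).
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAMES = {"cssys", "cryptedinfo"}
DROPPED_FILES = {"svchosd.exe", "fakturax.exe", "ntserver.exe", "cryptinfo.txt"}


def parse_reg_export(text):
    """Parse [key] headers and "name"="data" lines of a .reg export into {key: {name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, data = line.split("=", 1)
            # .reg exports double every backslash inside string data; undo that.
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys


def find_indicators(reg_text, programdata_listing):
    """Return human-readable hits for the DMALocker.A persistence and drop indicators."""
    hits = []
    for name, data in parse_reg_export(reg_text).get(RUN_KEY, {}).items():
        # "notepad c:\programdata\cryptinfo.txt" -> the last token is the file that gets launched
        launched = PureWindowsPath(data.split()[-1]).name.lower() if data.strip() else ""
        if name.lower() in RUN_VALUE_NAMES or launched in DROPPED_FILES:
            hits.append(f"Run value {name!r} -> {data}")
    for fname in programdata_listing:
        if fname.lower() in DROPPED_FILES:
            hits.append(f"dropped file %common appdata%\\{fname}")
    return hits


# Constructed sample input: a Run-key export and a %common appdata% directory listing
# from an infected host (values as given in the description; the first entry is benign).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"cssys"="c:\\programdata\\svchosd.exe"
"cryptedinfo"="notepad c:\\programdata\\cryptinfo.txt"
"""
SAMPLE_LISTING = ["Microsoft", "svchosd.exe", "Package Cache", "cryptinfo.txt"]

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_REG, SAMPLE_LISTING):
        print(hit)
```

On a real host, export the key with `reg export` and list `%ProgramData%` to feed the two inputs; the value names alone are a weak signal, so treat a hit as a trigger for a fuller look at the binary, not as proof by itself.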

Payload

Encrypts files

Like any ransomware, this threat encrypts files.

After encrypting files on the system, it displays a ransom message and a text file asking for payment in Bitcoin.

See the Ransom:Win32/DMALocker.A encryption information, cryptinfo.txt, in Polish below:

See the English translation of the Ransom:Win32/DMALocker.A encryption information, cryptinfo.txt, below:

See the screenshot of the Ransom:Win32/DMALocker.A lockscreen in Polish below:

See the English translation of the Ransom:Win32/DMALocker.A lockscreen below:

Analysis by Marianne Mallen

Last update 13 February 2016
