I had a computer hit by DMALOCK3, a more advanced version of DMALOCK I guess? All the files have been prefixed by the word '!DMALOCK3.0'. I have been able to compare the pre-attack files with the attacked files and see that, apart from the '!DMALOCK3.0' prefix, the encryption seems to have been done in 16-byte chunks. Every instance of a given set of 16 bytes has resulted in identical encryption, for instance where we have a string of values of 255 across bytes 161 to 176, this results in an encrypted output of 172,218,206,128,120,163,43,26,24,43,250,73,135,202,19,71 across the equivalent 16 bytes (after allowing for the 11-byte offset created by the prefix), and is 100% consistent. Similarly where we have a string of values of 0 across bytes 1169 to 1184, this results in an encrypted output of 220,149,192,120,162,64,137,137,173,72,162,20,146,132,32,135 across the equivalent 16 bytes (again after allowing for the 11-byte offset created by the prefix).
I contacted a specialist company who asked me to send them a copy of a file called "cryptinfo.txt" which got left in the C:\programdata folder and contains a message including a Unique ID consisting of 8 blocks of 2-digit numbers separated by colons. As soon as they received this file, they claimed they can decrypt the entire set of data, which suggests that the information provided is sufficient for them to find the key and decrypt the data, but at a huge cost, way more than the value I put on the data! By my logic, if this is the case then surely anyone with sufficient knowledge could, with the information I have, do likewise?
Happy to send across samples of some of the 'before' and 'after' files to anyone interested.
The encryption is reportedly AES in ECB mode and the key is reportedly 32 bytes long.
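As an added example (not code from the post or from any of the parties it mentions), the block-level behaviour described above: under AES-ECB each 16-byte block is encrypted independently with the same key, so identical plaintext blocks always give identical ciphertext blocks, and scanning a file for repeated ciphertext blocks is a practical way to recognise ECB. The key and the sample plaintext are constructed for illustration; only the 11-byte '!DMALOCK3.0' prefix comes from the post.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
)

const prefix = "!DMALOCK3.0" // 11 bytes, as observed on the encrypted files
// ecbEncrypt encrypts each 16-byte block independently under the same key, so
// identical plaintext blocks give identical ciphertext blocks; panics on bad input.
func ecbEncrypt(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil || len(plaintext)%aes.BlockSize != 0 {
		panic("need a valid AES key and a plaintext that is a multiple of 16 bytes")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out
}

// duplicateBlocks returns, per 16-byte block value seen more than once after
// offset (the prefix), the offsets where it occurs: a practical ECB indicator.
func duplicateBlocks(data []byte, offset int) map[string][]int {
	seen := map[string][]int{}
	for i := offset; i+aes.BlockSize <= len(data); i += aes.BlockSize {
		k := string(data[i : i+aes.BlockSize])
		seen[k] = append(seen[k], i)
	}
	dups := map[string][]int{}
	for k, offs := range seen {
		if len(offs) > 1 {
			dups[k] = offs
		}
	}
	return dups
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed key; any 32-byte key shows the effect
	ff, zero := bytes.Repeat([]byte{0xFF}, 16), make([]byte, 16)
	pt := bytes.Join([][]byte{ff, zero, ff, zero}, nil) // constructed: each block appears twice
	file := append([]byte(prefix), ecbEncrypt(key, pt)...) // mimic the prefixed on-disk layout
	for _, offs := range duplicateBlocks(file, len(prefix)) {
		fmt.Printf("identical ciphertext block at file offsets %v\n", offs)
	}
}
```

Note that matching plaintext/ciphertext block pairs reveal the mode, not the key: with a 32-byte AES key there is no practical way to recover it from such pairs, which is why recovery depends on obtaining the key rather than on the observation itself.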