Stolen DMA locker variant pwning Remote Desktop uses known private key

News by Robert Abel

Pirated malware was built on a stolen version of DMA Locker which uses same key and graphical user interface as cracked version.


Malwarebytes researchers spotted a stolen version of the DMA Locker ransomware exploiting users via weakly protected Remote Desktop.

The stolen ransomware variant appears to have been built based on one and the same instance of DMA Locker meaning that all variants use the same key allowing users to get their data back via a private key which is already available to infected users for free, according to a May 29 blog post.

The stolen version has the same graphic user interface, GUI, and the its designers removed the keywords referring to DMA Locker from the ransomware note. The biggest difference between the original and the stolen version is the use of a different marker at the beginning of the encrypted file.

Researchers noticed several prefix patterns including !XPTLOCK5.0, !Locked#2.0, !Locked!###, and !Encrypt!##, all of which are changed periodically. Users should ensure their Remote Desktop, if open, is always properly secured to prevent infection.

Malware piracy is nothing new and one could easily find hacking-related forums of people who crack and publish malware builders, sold by their authors to cybercriminals, Malwarebytes Lead Malware Intelligence Analyst Chris Boyd told SC Media.

“By this way, people are entering to this field skipping to pay the original authors. In case of ransomware, there were already some source codes published, that allowed to script kiddies compile their own versions,” the researcher said. “But this case goes even further - using a ready-made binary, threat actor put a minimal effort to adapt it for himself.”

He went on to say the phenomenon is another example of how little knowledge is required to be a ransomware distributor.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews