Stolen DMA Locker variant exploits Remote Desktop

By Prempal Singh 0 Comment June 2, 2017

Malwarebytes researchers spotted a stolen version of the DMA Locker ransomware being used against users through weakly protected Remote Desktop services.

The stolen variant appears to have been built on the same DMA Locker sample, the version in which all variants use the same key, which means victims can recover their data with a private key that is already available to infected users for free.

The stolen version has the same graphical user interface (GUI), and its operators removed the keywords referring to DMA Locker from the ransom note. The largest difference between the original and the stolen version is the use of a different marker at the start of each encrypted file.

Researchers noticed several prefix patterns, including !XPTLOCK5.0, !Locked#2.0, !Locked!### and !Encrypt!##, all of which are changed periodically. Users should ensure that Remote Desktop, if exposed, is always properly secured to prevent infection.
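Because the stolen variant is identified by the marker at the start of each encrypted file, a responder can triage a host by checking file headers against the prefixes listed above. The following scanner is an added example, not code from the article or from Malwarebytes; the marker strings are those the article reports, and the sample file contents are constructed.

```python
"""Find files whose leading bytes match a known DMA Locker variant marker."""
import os
import tempfile
from typing import Dict, Optional

# Markers the article reports at the start of encrypted files. The operators
# change them periodically, so this list must be maintained.
KNOWN_MARKERS = (b"!XPTLOCK5.0", b"!Locked#2.0", b"!Locked!###", b"!Encrypt!##")


def match_marker(header: bytes) -> Optional[bytes]:
    """Return the known marker that the file header starts with, or None."""
    for marker in KNOWN_MARKERS:
        if header.startswith(marker):
            return marker
    return None


def scan_directory(root: str) -> Dict[str, bytes]:
    """Map path -> marker for every file under root whose first bytes match."""
    hits: Dict[str, bytes] = {}
    longest = max(len(m) for m in KNOWN_MARKERS)
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    header = fh.read(longest)  # only the prefix is needed
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            marker = match_marker(header)
            if marker is not None:
                hits[path] = marker
    return hits


def demo() -> Dict[str, bytes]:
    """Write constructed sample files to a temp directory and scan them."""
    samples = {
        "report.docx": b"!XPTLOCK5.0" + b"\x00" * 64,     # constructed: marked file
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,  # constructed: normal JPEG header
        "notes.txt": b"!Encrypt!##" + b"\x11" * 32,       # constructed: marked file
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return {os.path.basename(p): m for p, m in scan_directory(tmp).items()}
```

Running `demo()` flags the two constructed files carrying a marker and leaves the JPEG alone; point `scan_directory` at a real share to triage it.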

Malware piracy is nothing new, and one can easily find hacking forums where people crack and republish malware builders that their authors had sold to cybercriminals, Malwarebytes Malware Intelligence Analyst Aleksandra Doniec told SC Media.

“This way, people are entering this field without paying the original authors. In the case of ransomware, some source code had already been published that allowed script kiddies to build their own versions,” Doniec said. “But this situation goes even further: by using a ready-made binary, the threat actor put in minimal effort to adapt it for himself.”

She went on to say that the phenomenon is another example of how little knowledge is needed to become a ransomware distributor.
