Bootleg DMA Locker spotted exploiting Remote Desktop.

Malwarebytes researchers spotted a stolen version of the DMA Locker ransomware exploiting users via weakly protected Remote Desktop.

The stolen variants all appear to have been built from one and the same instance of DMA Locker, meaning that every variant uses the same key. That private key is already available to infected users for free, so victims can get their data back with it, according to a May 29 blog post.

The stolen version has the same graphical user interface (GUI), but its designers removed the keywords referring to DMA Locker from the ransom note. The biggest difference between the original and the stolen version is the marker placed at the beginning of each encrypted file.

Researchers noticed several prefix patterns, including !XPTLOCK5.0, !Locked#2.0, !Locked!### and !Encrypt!##, which are changed periodically. Users should ensure that Remote Desktop, if exposed, is always properly secured to prevent infection.
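Because the marker sits at the start of every encrypted file, a responder can triage a host by reading only the first few bytes of each file and matching them against the known prefixes. The following scanner is an added example written for this page, not code from Malwarebytes or from the ransomware itself. It assumes the markers are literal byte strings (the post does not say whether the '#' characters are literals or placeholders for digits), and the sample files it scans are constructed inline so it runs offline.

```python
"""Triage helper: find files carrying the bootleg DMA Locker marker prefixes."""
import tempfile
from collections import Counter
from pathlib import Path

# Marker prefixes reported in the Malwarebytes post. The page does not say
# whether '#' is a literal character or a digit placeholder, so this example
# (an assumption) treats each marker as the literal byte string shown.
KNOWN_MARKERS = (
    b"!XPTLOCK5.0",
    b"!Locked#2.0",
    b"!Locked!###",
    b"!Encrypt!##",
)


def identify_marker(header, markers=KNOWN_MARKERS):
    """Return the marker (as str) that `header` starts with, or None."""
    for marker in markers:
        if header.startswith(marker):
            return marker.decode("ascii")
    return None


def scan_tree(root, markers=KNOWN_MARKERS):
    """Walk `root`; map each file whose leading bytes match a marker to it.

    Only the longest marker's worth of bytes is read per file, so the scan
    is cheap even on large shares.
    """
    read_len = max(len(m) for m in markers)
    hits = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            with open(path, "rb") as fh:
                head = fh.read(read_len)
        except OSError:
            continue  # unreadable file: skip it rather than abort the triage
        marker = identify_marker(head, markers)
        if marker is not None:
            hits[path.relative_to(root).as_posix()] = marker
    return hits


def summarize(hits):
    """Count hits per marker; a single dominant marker identifies the build."""
    return dict(Counter(hits.values()))


def demo():
    """Build a constructed sample tree in a temp dir, scan it, return results."""
    samples = {  # constructed sample data, not real victim files
        "docs/report.docx": b"!XPTLOCK5.0" + b"\x9a\x11" * 16,
        "docs/notes.txt": b"!Locked!###" + b"\x00\xff" * 8,
        "pics/cat.jpg": b"\xff\xd8\xff\xe0JFIF" + b"\x00" * 8,  # clean JPEG header
        "bin/data.bin": b"!Locked" + b"\x00" * 8,  # partial prefix: must not match
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in samples.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        hits = scan_tree(tmp)
    return hits, summarize(hits)


if __name__ == "__main__":
    found, counts = demo()
    for rel, marker in sorted(found.items()):
        print(f"{marker:<12} {rel}")
    print("per-marker counts:", counts)
```

Run `scan_tree` against a mounted image or a suspect share rather than the live victim's disk where possible; the per-marker counts tell you which of the periodically rotated prefixes the build in front of you used, and the partial-prefix case shows why matching must be on the full marker, not on a leading `!Locked`.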

Malware piracy is nothing new, and one can easily find hacking forums where people crack and publish malware builders that their authors sell to cybercriminals, Malwarebytes Lead Malware Intelligence Analyst Chris Boyd told SC Media.

“In this way, people are entering this field while skipping paying the original authors. In the case of ransomware, there was already some source code published that allowed script kiddies to compile their own versions,” the researcher said. “But this case goes even further: using a ready-made binary, the threat actor put in minimal effort to adapt it for himself.”

He went on to say the phenomenon is another example of how little knowledge is required to be a ransomware distributor.