Ransomware has become a popular criminal business with a relatively low barrier to entry. Even people with little technical knowledge can build their own ransomware based on open-source code that was published on the internet some time ago. Nevertheless, cybercriminals keep stealing, not only from victims but also from each other. Some time ago we heard about PetrWrap, a ransomware built upon a binary of the infamous Petya. But that is not the only case. For some time we have been observing a threat actor who distributes patched DMA Locker binaries.
Real or stolen DMA Locker – why would you care?
The observed samples of the stolen version of DMA Locker have all been built from one and the same instance of DMA Locker, so they carry the same public key inside. This implies that all victims of this version can get their data back with the same private key. And now comes the best part: we have this key and we distribute it for free to all affected persons.
If you are a victim of the fake DMA Locker, you can send an e-mail with samples of your encrypted files to: hasherezade-at-gmail.com
How to recognize the stolen versions?
Since the fake DMA Locker is based on the binary of the original DMA Locker 3.0, the two have exactly the same GUI; only the keywords referring to DMA Locker have been removed.
The main difference between the original and the stolen DMA Locker is the marker at the beginning of each encrypted file. While the real DMA Locker prefixes the content with !DMALOCK, the stolen versions use many different prefix patterns. Some we have observed are:
However, the threat actor changes them periodically, so any prefix that differs from the standard pattern may suggest that we are dealing with the "pirated", decryptable version.
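As an added example (not code from the original post), here is a small Python triage script that applies the check above: it reads the leading bytes of each encrypted file, flags !DMALOCK as the original marker, and tallies any other prefix across a victim's files, since one consistent non-standard prefix is what the post describes for the patched build. The 8-byte tally width and the `FAKE0001` sample marker are assumptions and constructed data, not prefixes observed in the wild.

```python
"""
Triage helper for files encrypted by DMA Locker and its patched clones.

Added example; not code from the original post. The only fact taken from the
post is that the real DMA Locker prefixes each encrypted file with !DMALOCK.
Everything else (the 8-byte tally width, the sample markers below) is an
assumption or constructed test data.
"""
import os
import tempfile
from collections import Counter

DMALOCK_MARKER = b"!DMALOCK"       # marker of the original DMA Locker (from the post)
PREFIX_LEN = len(DMALOCK_MARKER)   # assumption: tally unknown markers on the same width


def classify_header(data: bytes) -> str:
    """Classify a file from its leading bytes."""
    if len(data) < PREFIX_LEN:
        return "too-short"          # not enough data to judge
    if data.startswith(DMALOCK_MARKER):
        return "original-dmalock"   # standard marker: real DMA Locker
    return "non-standard-marker"    # anything else: possibly the patched build


def tally_prefixes(blobs) -> Counter:
    """Count the leading PREFIX_LEN bytes across several encrypted files."""
    counts = Counter()
    for data in blobs:
        counts[bytes(data[:PREFIX_LEN])] += 1
    return counts


def verdict(counts: Counter) -> str:
    """Summarise a tally of prefixes for one victim.

    One shared non-standard prefix across all files is what the post
    describes for the patched build; the original uses !DMALOCK throughout.
    """
    markers = {m for m in counts if len(m) == PREFIX_LEN}
    if not markers:
        return "no-data"
    if all(m.startswith(DMALOCK_MARKER) for m in markers):
        return "original-dmalock"
    if len(markers) == 1:
        return "consistent-non-standard-marker"
    return "mixed-markers"


def read_prefix(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read(PREFIX_LEN)


def scan_directory(directory: str) -> Counter:
    """Tally the prefixes of every regular file under a directory."""
    blobs = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            blobs.append(read_prefix(os.path.join(root, name)))
    return tally_prefixes(blobs)


# Constructed sample contents (not real ransomware output). "FAKE0001" is a
# placeholder for an unknown prefix, not a marker observed in the wild.
SAMPLE_FILES = {
    "report.docx": b"FAKE0001" + bytes(range(32)),
    "photo.jpg":   b"FAKE0001" + bytes(range(32, 64)),
    "notes.txt":   b"FAKE0001" + bytes(range(64, 96)),
}


def run_demo() -> str:
    """Write the constructed samples to a temp dir, scan them, return the verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in SAMPLE_FILES.items():
            with open(os.path.join(tmp, name), "wb") as f:
                f.write(content)
        counts = scan_directory(tmp)
        for marker, n in counts.items():
            print(f"{marker!r}: {n} file(s) -> {classify_header(marker)}")
        return verdict(counts)


if __name__ == "__main__":
    print("verdict:", run_demo())
```

Point `scan_directory` at a folder of a victim's encrypted files; a `consistent-non-standard-marker` verdict matches the pattern described above, while `mixed-markers` means the files were not all produced by one build and deserve a closer look before assuming they are decryptable.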
An example of a file encrypted by the fake DMA Locker:
Appendix
Currently in distribution is version 3.0 of DMA Locker, since the development of 4.0 was abandoned. Read more about our research: