{"id":7777,"date":"2017-05-29T12:10:14","date_gmt":"2017-05-29T20:10:14","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/05\/29\/news-1562\/"},"modified":"2017-05-29T12:10:14","modified_gmt":"2017-05-29T20:10:14","slug":"news-1562","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/05\/29\/news-1562\/","title":{"rendered":"A stolen version of DMA Locker is making the rounds"},"content":{"rendered":"

Credit to Author: Malwarebytes Labs| Date: Mon, 29 May 2017 14:21:41 +0000<\/strong><\/p>\n

Ransomware has become a popular criminal business with a relatively easy entrance. Even the people with little technical knowledge can build their own ransomware based on open source code, that has been published on the internet some time ago. Nevertheless, cybercriminals keep stealing, not only from victims, but also from each other. Some time ago we heard about\u00a0PetrWrap<\/a> – a ransomware build upon a binary of the infamous Petya. But that is not\u00a0 the only case. For some time, we have been\u00a0observing a threat actor<\/a> who distributes patched DMA Locker binaries.<\/p>\n

Real or stolen DMA Locker – why would you\u00a0care?<\/h3>\n

The observed samples of the stolen version of DMA Locker\u00a0have been built based on one and the same instance of DMA Locker – so, they\u00a0carry inside the same public key. This implies, that all the victims of this version can get their data back with the help of the same private key. And now comes the best part: we have this key and we distribute it for free to all affected persons.<\/p>\n

If you are a victim of the fake DMA Locker, you can send e-mail with samples of you encrypted files to: hasherezade-at-gmail.com<\/em><\/p>\n

How to recognize the stolen versions?<\/h3>\n

Since the fake DMA Locker is based on the binary of the original DMA Locker 3.0, they have exactly the same GUI – only the keywords referring to DMA Locker has been removed:<\/p>\n

\"\"<\/p>\n

The main difference between the original and stolen DMA Locker is a different marker at the beginning of the encrypted file. While the real DMA Locker prefixes content with: !DMALOCK, the stolen version have many different prefix patterns. Some we have\u00a0observed are:<\/p>\n