[UPDATE]
WARNING: This tool doesn’t work for DMA Locker 3.0 (discovered 22nd Feb 2016) and above.
However, in the case of DMA Locker 3.0, keys are NOT unique per victim. This means that if someone else bought a key for the same DMALOCK as the one you have, you can reuse their key to decrypt your data for free.
List of DMALOCKS for which I have the keys:
- DMALOCK 40:81:32:43:44:56:12:16 <- NEW
- DMALOCK 67:81:52:65:25:74:36:27 <- NEW
- DMALOCK 69:82:39:62:30:32:63:53 <- NEW
- DMALOCK 71:37:14:49:39:38:52:28
- DMALOCK 38:34:69:41:46:73:32:55
- DMALOCK 40:12:16:43:65:40:70:17
- DMALOCK 96:12:91:61:74:52:13:23
If you need any of them, or want me to redistribute your key to other victims, feel free to contact me.
Please also contact me if your encrypted files have one of the following prefixes:
- !XPTLOCK5.0
- !Locked#2.0
- !Locked!###
- !Encrypt!##
Example of the file beginning:
In some cases, help is possible!
Below, you can find the source code and all the information about my old tool: DMA Unlocker (for DMA Locker 2.0). Mind that this tool is obsolete and does not work for the current version of the malware. This information is available only as a case study for other researchers.
source code (C++): https://github.com/hasherezade/decryptors_archive/tree/master/dma_unlocker
I managed to crack some of the variants of DMA Locker 2.0 ransomware (version with RSA key), described [here].
For those who are hit by this version, here is an experimental decryptor for it.

Sample hexdump of an encrypted file
DOWNLOAD
DMA Locker has been released in several variants – some are decryptable and others (starting from version 3.0) are not. Here you can find decryptors for the versions that I cracked.
Version of decryptors: 0.0.7.1
Tested on Windows 7 32/64 bit
- DMA Locker Variant#1 (from 8th Feb) – most common type:
  - [download decryptor] (DMA.exe md5=9cab5ad02b2b158e7fecf13f9f3f3626)
  - sample locks:
- DMA Locker Variant#2 (from 15th Feb):
  - [download decryptor] (DMA.exe md5=a46a0f5bb6ed5e944c06071fed640550)
  - sample locks:
NOTICE: This tool is an experiment in unlocking a particular kind of ransomware; neither Malwarebytes nor Hasherezade promises that this tool will unlock or decrypt your files. This tool should not be considered an official solution to the DMA Locker problem. Any files destroyed, further encrypted or otherwise tampered with against the desire of the user are not the responsibility of the developers. Please use at your own risk.

DMA Unlocker is a command-line tool. This is how it looks in action:
See how it works on demo files *
*The decryption process is sensitive to the files’ timestamps. Please don’t overwrite them. Unpack the demo sets with 7zip.
Read also the thread on Twitter: https://twitter.com/hasherezade/status/700304598205120512
WARNING:
This is an experimental version of DMA Unlocker. It has been tested with several customers and helped to recover many of their files.
However, it is not the final version, so sometimes it may not work.
Also, its performance is not yet optimized, so it needs patience at the beginning of a run (it may take up to a few hours).
In case of any problems, please contact me: hasherezade@gmail.com
HOW TO USE:
Please unpack this ZIP to the directory that you want to decrypt. Alternatively, you can run it from the command line with the path to the infected directory as a parameter, e.g.:
DMA.exe "C:\Users\tester\Documents\Demo_files"
It must be the original directory, not a copy.
You can also make a copy of it as a backup, though this program should not overwrite anything.
Run the program. First, it will display a disclaimer. Read the disclaimer and, if you accept it, press any key.
Then just leave it for some time. If you see that the screen has not changed for more than an hour, try to run it in a different directory.
For security reasons, the program will not overwrite the original files. The decrypted files will appear under the same name, but with a suffix “_decrypted“. Please check whether they are valid and, in case of any problems, contact me.
CUSTOMIZING:
Supported files are defined in the headers directory and recognized by their extensions.
In order to decrypt a file, some part of it (minimum 4 bytes at a specified offset) must be known.
This is simple if the format has predefined headers.
To add a new type, you must know the length of the constant part of the header (accepted: 4-16). Then, place a valid file sample into the headers directory and rename it following the convention:
If you want to start from the offset 0:
[constant_length].[extension]
If you want to start from any defined offset:
[constant_length]_[offset].[extension]
Example: a DOCX file has an 8-byte header, so to add support for it I added to headers a sample DOCX file with the name 8.docx. (Read more about headers of various file types: http://www.garykessler.net/library/file_sigs.html)
Sometimes a file without headers can still be recovered if we can predict part of its content.
For example, a C++ file starting with:
#include
can be defined as 8.cpp with the above content inside.
Be careful: GARBAGE IN -> GARBAGE OUT!
Mistakes in defining headers will lead to corrupted results or inability to progress in decoding. However, your original files will not get overwritten, so you can experiment freely.
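As an added illustration of the naming convention above (this is not code from DMA Unlocker or its repository), the following C++ example decodes a headers-directory file name into a length/offset/extension rule and extracts the known bytes from a sample, refusing rules outside the 4-16 range and samples that are too short. The names `HeaderRule`, `parse_rule_name` and `known_bytes` are hypothetical, and the sample content is constructed.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// One known-plaintext rule decoded from a file name in the headers directory.
struct HeaderRule {
    std::size_t length = 0;  // number of known bytes (the page accepts 4-16)
    std::size_t offset = 0;  // where those bytes start in the file
    std::string extension;   // file type the rule applies to
};

// Parse a short digits-only decimal string; reject empty or non-numeric input.
static bool parse_number(const std::string& s, std::size_t& out) {
    if (s.empty() || s.size() > 9) return false;
    out = 0;
    for (char c : s) {
        if (c < '0' || c > '9') return false;
        out = out * 10 + static_cast<std::size_t>(c - '0');
    }
    return true;
}

// Decode "[constant_length].[extension]" or "[constant_length]_[offset].[extension]".
bool parse_rule_name(const std::string& name, HeaderRule& rule) {
    const std::size_t dot = name.find('.');
    if (dot == std::string::npos || dot + 1 >= name.size()) return false;
    const std::string stem = name.substr(0, dot);
    const std::size_t sep = stem.find('_');
    const std::string off = (sep == std::string::npos) ? "0" : stem.substr(sep + 1);
    if (!parse_number(stem.substr(0, sep), rule.length)) return false;
    if (!parse_number(off, rule.offset)) return false;
    if (rule.length < 4 || rule.length > 16) return false;  // range given on the page
    rule.extension = name.substr(dot + 1);
    return true;
}

// Copy the known bytes out of a sample; a sample shorter than offset + length is refused.
bool known_bytes(const HeaderRule& rule, const std::string& sample, std::string& out) {
    if (rule.offset > sample.size() || rule.length > sample.size() - rule.offset) return false;
    out = sample.substr(rule.offset, rule.length);
    return true;
}

int main() {
    HeaderRule rule; std::string known;
    const std::string sample = "#include <stdio.h>\n";  // constructed sample content
    if (parse_rule_name("8.cpp", rule) && known_bytes(rule, sample, known))
        std::cout << rule.extension << " @" << rule.offset << ": " << known << "\n";
}
```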
Samples
The product has been tested against several samples of the version of DMA-Locker that encrypts file content with the prefix !DMALOCK. For example:
Variant#1:
- 28b44669d6e7bc7ede7f5586a938b1cb (DMALOCK 43:41:90:35:25:13:61:92)
- 1ed826f30b7942823edee4f8c98be742 (DMALOCK 48:30:40:04:91:15:43:78)
- d88bc4e5f85667f4bd9be5aaa6e126c8 (DMALOCK 48:30:40:04:91:15:43:78)
If this application helped you (or not), please, leave some feedback. All the remarks are a precious help for my research!
Really liking the work thanks! – A bit of feedback – When downloading the files dma.exe is stripped out as a virus. My attempts are kind of stopping there…
I know that this is probably because the exe is acting like a virus but in reverse and providing the tell tale signs of a virus.
How do I download it without kicking off my defences?
Thanks for the notice! I will take a look and try to fix it. Can you please send me an e-mail with more details, i.e. what is the AV that stopped you?
Great Work!!
Maria has helped us out after being hit by the DMA Locker with this software after thinking we had lost some files that were not backed up (they certainly are now), looking forward to the final release.
I have a question about DMA Unlocker …
Sure, feel free to ask. You can also send me an e-mail (hasherezade-at-gmail.com)
Great work! When will DMA Lock 3.0 decryption be available, please?
I always wish I could help, but it is not always possible. For now, I don’t see a way to crack version 3.0. If that changes, I will let you know.
Hello, do you have new information on the evolution of DMA version 3.0?
yes, you can read about the updates in my post for Malwarebytes: https://blog.malwarebytes.org/threat-analysis/2016/05/dma-locker-4-0-known-ransomware-preparing-for-a-massive-distribution/
Do you think that in the future there will be a tool to remove DMA 3.0? Or do I delete files? Or pay? Please HELP .. thx
I was infected with DMA Lock 4.0. Any chance to decrypt it?
Hi, unfortunately I don’t see any way to crack it. More about this version of DMA Locker I described in my post for Malwarebytes: https://blog.malwarebytes.org/threat-analysis/2016/05/dma-locker-4-0-known-ransomware-preparing-for-a-massive-distribution/
Hello! first of all thank you for all the work you have been doing to combat this issue.
I am infected with DMA Version 3 DMALOCK 81:20:40:60:33:68:61:70
Any update on the status of the decryptor ?
Any input would be greatly appreciated
Hi! Version 3.0 is not decryptable. However, keys are not unique per victim – so, it is possible to get files decrypted for free in case if someone has bought the key fitting to your set and made it available.
Regarding your key – I don’t have it, so I am not capable of helping you.
Would you have a key for:
DMA Version 3 DMALOCK 80:81:25:21:39:53:22:39
sorry, I don’t have. I have only those that are listed
hello – please let me know if you have the key for:
DMALOCK 15:65:65:58:62:20:49:29
If anyone has DMALOCK 3.0 key I would truly appreciate it. My company was hit with it earlier this week and was only able to salvage 80% of our clients.
please share your DMA Lock… I will let you know if I get the key that fits your set
Which one do you have?
those that are listed in this post
Need a key for 16:55:28:45:52:32:56: if anyone has it please.
We have the same encryption key, however we managed to recover most of our data, have you had any update on this ?
HI Andy, we have had the same key on our network, any luck getting it unlocked?
Need a key for 16:55:28:45:52:32:56: same as Andy.
need a key for 62:60:24:67:53:67:49:54
should i get the script / software related to DMA locker for education purpose??
Got hit with DMA Lock 3.0. My ID is 55:69:54:23:33:53:41:41 – If anyone has the key for this, I’d love a copy! ❤
New client hit. Looking for Key for ID 76:22:16:52:40:64:12:62
A client just got hit with ID DMALOCK 33:31:17:56:75:75:69:20. They ended up paying the ransom (10 BTC) so I have the key if it will help anyone.
Great, can you please send me the key (hasherezade @ gmail.com)? I will take care of redistributing it.
Did you ever get that key?
need a key for DMALOCK 10:51:15:65:53:18:20:33. will pay, big business hit.
sorry, I don’t have this key, but I will ask others about it.
i need a key for the same code? did you find? i will pay
How do I find out the ID numbers for DMALOCK 3.0?
Anyone have this key? 33:28:45:15:60:24:22:19
Need a key for !Locked!### 12:30:17:29:34:62:06:12
Hi,
please send me some samples of your encrypted files (my e-mail: hasherezade-at-gmail.com) and I will check if I can help you.
Does anyone have a key for 13:64:47:25:64:23:60:56
I am also needing the key for 13:64:47:25:64:23:60:56
Any luck finding a key? I have same DMALock Key 13:64:47:25:64:23:60:56. Thanks.
Please let me know if you have a key for this:
DMALOCK 31:74:71:30:36:43:72:21
Supposedly v3.0 — it’s been just over a year since it’s been found, are there any other ‘white hatters’ who have made any progress?
Thanks!
Hi,
unfortunately, if the attackers implemented cryptography properly (and in case of DMALocker3.0 it seems so), it is just not possible to break – no matter how much time passed from the release.
At the moment I don’t have the fitting key for you, but if I get I will let you know.
Anybody come across 10:74:24:52:39:72:33:63?
A law firm got their entire network share encrypted ID 51:71:68:70:25:22:16:22 . DMA Locker 3.0 any help would be appreciated. I understand it’s a far cry but it’s worth trying. I’m willing to provide a reward for any help.
If anyone has key for DMALOCK 35:21:58:57:54:10:35:68 and can share it is greatly appreciated.
Does anyone have the key for DMALOCK 35:21:58:57:54:10:35:68 please
Anyone have a key for DMALOCK 48:74:32:29:74:69:65:47
I have the key for DMALOCKER 3.0 35:21:58:57:54:10:35:68
hi, if you got the key and will like to share with others, please drop me an e-mail. thanks!
What’s your email?
hasherezade at gmail com
DMA Lock 10:74:24:52:39:72:33:63. This is file shares for a school. Would appreciate any help. Having problems finding patient zero…
Hi, I have a huge problem, a very bright spark “techie” came in and connected his flash drive to the server while disabling the A/V and infected the server, the ID on the server is 35:43:36:71:42:63:45:22, is there a decrypter on this ID yet?
I need a key for DMALOCK 57:75:33:59:67:23:62:73 if you get one. Thanks!
does anyone have a key then?
Also looking for a DMA 3.0 decryptor…thanks.
I’ve got DMALOCK 57:34:31:72:31:55:26:82 any chance you’ve got a key for that?
I’m looking for DMALOCK 3.0 Key – 18:48:45:12:14:61:59:63
Looking for Key for 56:64:80:55:78:65:78:47
Looking for a key for the same one if you happen to have come across this one.
DMALOCK 84:67:64:49:24:65:74:78
Hi Anyone have a decrypt key for this one ?
A friend has DMALOCK 78:62:57:74:54:22:73:47
Anyone seen that one anywhere?
Thanks
Let me know if you get one. Just got infected with this
Will do. Please do the same if you stumble upon the key as well.
What was your ransom?
7000
Yours?
The same.
Wow! It was $1500 for me in December. It looks like its always 3 BTC, but the exchange rate has really jumped!
I would have paid $500 just to get my files back, but I wouldn’t pay $1500 and I definitely won’t pay $7000.
Ours was £35000
Hi, anyone have the key for
DMALOCK 40:83:66:22:12:81:25:18
Thanks
Still waiting on a decryptor for 84:67:64:49:24:65:74:78. Anyone figure this one out? Any help would be great. Thank you.