DMA Unlocker

[UPDATE]
WARNING: This tool doesn’t work for the DMA Locker 3.0 (discovered 22-th Feb 2016) and above.

However, in case of DMA Locker 3.0 keys are NOT unique per victim – it means, if someone else bought a key with the same DMALOCK like the one you have, you can reuse his key to decrypt your data for free.

List of DMALOCKS for which I have the keys:

DMALOCK 40:81:32:43:44:56:12:16 <- NEW
DMALOCK 67:81:52:65:25:74:36:27 <- NEW
DMALOCK 69:82:39:62:30:32:63:53 <- NEW
DMALOCK 71:37:14:49:39:38:52:28
DMALOCK 38:34:69:41:46:73:32:55
DMALOCK 40:12:16:43:65:40:70:17
DMALOCK 96:12:91:61:74:52:13:23

If you need any of them – or want me to redistribute your key to other victims, feel free to contact me.

Please contact me also in case if your encrypted files has one of the following prefixes:

• !XPTLOCK5.0
• !Locked#2.0
• !Locked!###
• !Encrypt!##

Example of the file beginning:

In some cases the help is possible!

---

Below, you can find the sourcecode and all the information about my old tool: DMA Unlocker (for DMA Locker 2.0). Mind the fact that this tool is obsolete an does not work for the current version of the malware. This information is available just as a case-study for other researchers.

source code (C++): https://github.com/hasherezade/decryptors_archive/tree/master/dma_unlocker

---

I managed to crack some of the variants of DMA Locker 2.0 ransomware (version with RSA key), described [here].

For those who are hit by this version, here is an experimental decryptor for it.

Sample hexdump of an encrypted file

DOWNLOAD

DMA Locker has been released in several variants – some are decryptable and others (starting from version 3.0) are not. Here you can find decryptors for the versions that I cracked.

Version of decryptors: 0.0.7.1 Tested on Windows 7 32/64 bit

• DMA Locker Variant#1  (from 8-th Feb) – most common type :
  • [download decryptor] (DMA.exe md5=9cab5ad02b2b158e7fecf13f9f3f3626)
  • sample locks:
    • DMALOCK 43:41:90:35:25:13:61:92
    • DMALOCK 48:30:40:04:91:15:43:78
• DMA Locker Variant#2 (form 15-th Feb)
  • [download decryptor] (DMA.exe md5=a46a0f5bb6ed5e944c06071fed640550)
  • sample locks:
    • DMALOCK 49:01:51:78:91:63:36:84
    • DMALOCK 41:11:11:84:32:13:64:68

NOTICE: This tool is an experiment in unlocking a particular kind of Ransomware, neither Malwarebytes or Hasherezade promise this tool will unlock or decrypt your files. This tool should not be considered an official solution to the DMA Locker problem. Any files destroyed, further encrypted or otherwise tampered with against the desire of the user are not the responsibility of the developers. Please use at your own risk.

DMA Unlocker is a command line tool. That’s how it looks in action

See how it works on demo files *

• For Variant #1
  • Demo set #1
  • Demo set #2
• For Variant #2
  • Demo set #1

*Decryption process is sensitive for files’s timestamps. Please don’t overwrite them. Unpack the demo sets by 7zip

Read also the thread on Twitter: https://twitter.com/hasherezade/status/700304598205120512

WARNING:

This is an experimental version of DMA Unlocker. It has been tested with several customers and helped to recover many of their files.
However, it is not the final version, so sometimes it may not work.
Also, it’s performence is not yet optimized so it needs patience at the beginning of running (may take up to few hours).
In case of any problems, please contact me: hasherezade@gmail.com

HOW TO USE:

Please unpack this ZIP to the directory that you want to decrypt. Alternatively, you can deploy it from a commandline with a path to the infected directory as a parameter, i.e:

DMA.exe "C:\Users\tester\Documents\Demo_files"

It must be an original directory, not a copy.
You can also make it’s copy for a backup, but this program should not overwrite anything.

Run the program. First it will display disclaimer. Read the disclaimer and if you accept it press any button.
Then just leave for some time. If you see that for more than an hour screen is not changing, try to run it in a different directory.
For security reasons, the program will not overwrite the original files. The decrypted files with appear under the same name, but with a suffix “_decrypted“. Please take a look if they are valid and in case of any problems contact me.

CUSTOMIZING:

Supported files are defined in the headers directory and recognized by their extensions.

In order to be able to decrypt the file, some part of it (minimum 4 bytes at specified offset) must be known.

It is simple if the format have predefined headers.
To add a new type, you must know the length of the constant part of the header (accepted 4-16). Then, place a valid file sample into headers directory and rename it following the convention:

If you want to start from the offset 0:

[constant_length].[extension]

If you want to start from any defined offset:

[constant_length]_[offset].[extension]

Example: DOCX file have 8 bytes long header, so to add it’s support I added to headers a sample DOCX file with a name: 8.docx. (Read more about headers of various file types: http://www.garykessler.net/library/file_sigs.html)

Sometimes a file without headers still we can be recovered if we can predict part of it’s content.

For example C++ file starting from:

#include

can be defined as 8.cpp with above content inside.

Be careful: GARBAGE IN -> GARBAGE OUT!

Mistakes in defining headers will lead to corrupted results or inability to progress in decoding. However, your original files will not get overwritten, so you can experiment freely.

Samples

Product have been tested against several samples of the version of DMA-Locker  (encrypting file content with prefix: !DMALOCK).  For example:

Variant#1:

• 28b44669d6e7bc7ede7f5586a938b1cb (DMALOCK 43:41:90:35:25:13:61:92)
• 1ed826f30b7942823edee4f8c98be742 (DMALOCK 48:30:40:04:91:15:43:78)
• d88bc4e5f85667f4bd9be5aaa6e126c8 (DMALOCK 48:30:40:04:91:15:43:78)

If this application helped you (or not), please, leave some feedback. All the remarks are a precious help for my research!