DMA Unlocker

[UPDATE]
WARNING: This tool doesn’t work for DMA Locker 3.0 (discovered 22nd Feb 2016) and above.


However, in the case of DMA Locker 3.0 the keys are NOT unique per victim: if someone else bought a key for the same DMALOCK ID as yours, you can reuse their key to decrypt your data for free.

List of DMALOCKS for which I have the keys:

DMALOCK 38:34:69:41:46:73:32:55
DMALOCK 51:34:11:63:80:61:23:19
DMALOCK 40:12:16:43:65:40:70:17
DMALOCK 96:12:91:61:74:52:13:23

If you need any of them – or want me to redistribute your key to other victims, feel free to contact me.

Please also contact me if your encrypted files have one of the following prefixes:

Example of the file beginning:

xpt

In some cases help is possible!


Below, you can find the source code and all the information about my old tool: DMA Unlocker (for DMA Locker 2.0). Mind the fact that this tool is obsolete and does not work for the current version of the malware. This information is available just as a case study for other researchers.

source code (C++): https://github.com/hasherezade/decryptors_archive/tree/master/dma_unlocker


I managed to crack some of the variants of DMA Locker 2.0 ransomware (version with RSA key), described [here]. (My research is possible thanks to Malwarebytes).

For those who are hit by this version, here is an experimental decryptor for it.

[Figure: sample hexdump of an encrypted file]

DOWNLOAD

DMA Locker has been released in several variants – some are decryptable and others (starting from version 3.0) are not. Here you can find decryptors for the versions that I cracked.

Version of decryptors: 0.0.7.1. Tested on Windows 7 32/64 bit.

NOTICE: This tool is an experiment in unlocking a particular kind of ransomware; neither Malwarebytes nor Hasherezade promises that this tool will unlock or decrypt your files. This tool should not be considered an official solution to the DMA Locker problem. Any files destroyed, further encrypted or otherwise tampered with against the desire of the user are not the responsibility of the developers. Please use at your own risk.


DMA Unlocker is a command line tool. This is how it looks in action:

See how it works on demo files *

* The decryption process is sensitive to the files’ timestamps. Please don’t overwrite them. Unpack the demo sets with 7-Zip.

Read also the thread on Twitter: https://twitter.com/hasherezade/status/700304598205120512

WARNING:

This is an experimental version of DMA Unlocker. It has been tested with several customers and helped to recover many of their files.
However, it is not the final version, so sometimes it may not work.
Also, its performance is not yet optimized, so it needs patience at the beginning of a run (it may take up to a few hours).
In case of any problems, please contact me: hasherezade@gmail.com

HOW TO USE:

Please unpack this ZIP into the directory that you want to decrypt. Alternatively, you can run it from a command line with the path to the infected directory as a parameter, e.g.:

DMA.exe "C:\Users\tester\Documents\Demo_files"

It must be the original directory, not a copy.
You can also make a copy of it as a backup, but this program should not overwrite anything.

Run the program. First it will display a disclaimer. Read the disclaimer and, if you accept it, press any key.
Then just leave it for some time. If you see that the screen has not changed for more than an hour, try running it in a different directory.
For security reasons, the program will not overwrite the original files. The decrypted files will appear under the same name, but with the suffix “_decrypted“. Please check whether they are valid and, in case of any problems, contact me.

CUSTOMIZING:

Supported file types are defined in the headers directory and recognized by their extensions.

In order to decrypt a file, some part of it (a minimum of 4 bytes at a specified offset) must be known.

This is simple if the format has a predefined header.
To add a new type, you must know the length of the constant part of the header (4-16 bytes accepted). Then place a valid sample file into the headers directory and rename it following the convention:

If you want to start from the offset 0:

[constant_length].[extension]

If you want to start from any defined offset:

[constant_length]_[offset].[extension]

Example: a DOCX file has an 8-byte-long header, so to add support for it I added to headers a sample DOCX file named 8.docx. (Read more about headers of various file types: http://www.garykessler.net/library/file_sigs.html)

Sometimes a file without a header can still be recovered if we can predict part of its content.

For example, a C++ file starting with:

#include

can be defined as 8.cpp with the above content inside (the known part is the 8 bytes of “#include”).

Be careful: GARBAGE IN -> GARBAGE OUT!

Mistakes in defining headers will lead to corrupted results or inability to progress in decoding. However, your original files will not get overwritten, so you can experiment freely.
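As an added illustration of the headers convention described above (this is not code from the DMA Unlocker project), here is a small Python helper that parses names such as 8.docx or 4_8.wav, copies the constant bytes out of the sample file, and checks a candidate decryption against them; the sample “headers” directory is constructed inline.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# File-name convention from the CUSTOMIZING section:
#   [constant_length].[extension]           constant part at offset 0
#   [constant_length]_[offset].[extension]  constant part at a chosen offset
_NAME_RE = re.compile(r"^(\d+)(?:_(\d+))?\.([A-Za-z0-9]+)$")

@dataclass
class KnownHeader:
    extension: str  # lower-cased extension this rule applies to
    offset: int     # where the constant part starts in the file
    known: bytes    # the constant bytes, copied from the sample file

def parse_header_name(name: str) -> Optional[Tuple[int, int, str]]:
    """(constant_length, offset, extension), or None for a bad name/length."""
    m = _NAME_RE.match(name)
    if not m:
        return None
    length, offset = int(m.group(1)), int(m.group(2) or 0)
    if not 4 <= length <= 16:      # the page accepts 4..16 byte constants
        return None
    return length, offset, m.group(3).lower()

def load_headers(samples: Dict[str, bytes]) -> List[KnownHeader]:
    """Build the known-plaintext table from {file name: sample contents}."""
    table = []
    for name, data in samples.items():
        parsed = parse_header_name(name)
        if parsed is None:
            continue                       # ignore names outside the convention
        length, offset, ext = parsed
        if len(data) < offset + length:
            continue                       # sample too short for its own rule
        table.append(KnownHeader(ext, offset, data[offset:offset + length]))
    return table

def matches_known_header(candidate: bytes, rule: KnownHeader) -> bool:
    """GARBAGE IN -> GARBAGE OUT: accept a candidate only if the known bytes are in place."""
    end = rule.offset + len(rule.known)
    return len(candidate) >= end and candidate[rule.offset:end] == rule.known

# Constructed sample "headers" directory (not files shipped with the tool).
SAMPLE_HEADERS = {
    "8.docx": b"PK\x03\x04\x14\x00\x06\x00" + b"\x00" * 24,  # ZIP local file header
    "8.cpp": b"#include <cstdio>\nint main() {}\n",           # the page's C++ trick
    "4_8.wav": b"RIFF\x24\x08\x00\x00WAVEfmt ",               # "WAVE" at offset 8
    "3.bin": b"abcdef",                                       # rejected: length < 4
}
```

A wrong rule (for instance a length that covers a variable size field) is rejected by matches_known_header for every candidate, which is exactly the “inability to progress” the section warns about.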

Samples

The product has been tested against several samples of this version of DMA Locker (encrypting file content with the prefix !DMALOCK). For example:

Variant#1:

If this application helped you (or not), please, leave some feedback. All the remarks are a precious help for my research!

27 Responses to DMA Unlocker

  1. Pingback: DMA Unlocker | hasherezade's 1001 nights

  2. Pingback: Weekendowa Lektura 2016-02-20 – bierzcie i czytajcie | Zaufana Trzecia Strona

  3. Necker says:

    Really liking the work, thanks! – A bit of feedback – When downloading the files, dma.exe is stripped out as a virus. My attempts are kind of stopping there…
    I know that this is probably because the exe is acting like a virus but in reverse and providing the tell-tale signs of a virus.
    How do I download it without kicking off my defences?

  4. John H says:

    Great Work!!
    Maria has helped us out after being hit by the DMA Locker with this software after thinking we had lost some files that were not backed up (they certainly are now), looking forward to the final release.

  5. João Rodríguez says:

    I have a question about DMA Unlocker …

  6. Miro says:

    Great work! When will DMA Lock 3.0 decryption be available, please?

  7. Snef says:

    I was infected with DMA Lock 4.0, any chance to decrypt it?

  8. Dare Fikri says:

    Hello! First of all, thank you for all the work you have been doing to combat this issue.

    I am infected with DMA Version 3 DMALOCK 81:20:40:60:33:68:61:70

    Any update on the status of the decryptor ?

    Any input would be greatly appreciated

    • hasherezade says:

      Hi! Version 3.0 is not decryptable. However, keys are not unique per victim – so, it is possible to get files decrypted for free in case someone has bought the key fitting your set and made it available.
      Regarding your key – I don’t have it, so I am not capable of helping you.

  9. Bruce says:

    Would you have a key for:

    DMA Version 3 DMALOCK 80:81:25:21:39:53:22:39

  10. Matt says:

    hello – please let me know if you have the key for:

    DMALOCK 15:65:65:58:62:20:49:29

  11. Rob says:

    If anyone has a DMALOCK 3.0 key I would truly appreciate it. My company was hit with it earlier this week and was only able to salvage 80% of our clients.

  12. Matt says:

    Which one do you have?

  13. andy says:

    Need a key for 16:55:28:45:52:32:56: if anyone has it please.

  14. JMP says:

    Need a key for 16:55:28:45:52:32:56: same as Andy.
