DMA Unlocker

[UPDATE]
WARNING: This tool doesn’t work for DMA Locker 3.0 (discovered 22nd Feb 2016) and above.


However, in the case of DMA Locker 3.0 the keys are NOT unique per victim. This means that if someone else bought a key for the same DMALOCK ID as yours, you can reuse their key to decrypt your data for free.

List of DMALOCKS for which I have the keys:

DMALOCK 40:81:32:43:44:56:12:16 <- NEW
DMALOCK 67:81:52:65:25:74:36:27 <- NEW
DMALOCK 69:82:39:62:30:32:63:53 <- NEW
DMALOCK 71:37:14:49:39:38:52:28
DMALOCK 38:34:69:41:46:73:32:55
DMALOCK 40:12:16:43:65:40:70:17
DMALOCK 96:12:91:61:74:52:13:23

If you need any of them, or want me to redistribute your key to other victims, feel free to contact me.

Please also contact me if your encrypted files have one of the following prefixes:

Example of the file beginning:


In some cases help is possible!


Below, you can find the source code and all the information about my old tool: DMA Unlocker (for DMA Locker 2.0). Mind the fact that this tool is obsolete and does not work for the current version of the malware. This information is available just as a case study for other researchers.

source code (C++): https://github.com/hasherezade/decryptors_archive/tree/master/dma_unlocker


I managed to crack some of the variants of DMA Locker 2.0 ransomware (version with RSA key), described [here].

For those who are hit by this version, here is an experimental decryptor for it.


Sample hexdump of an encrypted file

DOWNLOAD

DMA Locker has been released in several variants – some are decryptable and others (starting from version 3.0) are not. Here you can find decryptors for the versions that I cracked.

Version of decryptors: 0.0.7.1. Tested on Windows 7 32/64-bit.

NOTICE: This tool is an experiment in unlocking a particular kind of ransomware; neither Malwarebytes nor Hasherezade promises that this tool will unlock or decrypt your files. This tool should not be considered an official solution to the DMA Locker problem. Any files destroyed, further encrypted or otherwise tampered with against the desire of the user are not the responsibility of the developers. Please use at your own risk.

DMA Unlocker is a command line tool. This is how it looks in action:

See how it works on demo files *

*The decryption process is sensitive to the files’ timestamps. Please don’t overwrite them. Unpack the demo sets with 7-Zip.

Read also the thread on Twitter: https://twitter.com/hasherezade/status/700304598205120512

WARNING:

This is an experimental version of DMA Unlocker. It has been tested with several customers and helped to recover many of their files.
However, it is not the final version, so sometimes it may not work.
Also, its performance is not yet optimized, so it needs patience at the beginning of a run (it may take up to a few hours).
In case of any problems, please contact me: hasherezade@gmail.com

HOW TO USE:

Please unpack this ZIP into the directory that you want to decrypt. Alternatively, you can run it from a command line with the path to the infected directory as a parameter, e.g.:

DMA.exe "C:\Users\tester\Documents\Demo_files"

It must be the original directory, not a copy.
You can also make a copy of it as a backup, but this program should not overwrite anything.

Run the program. First it will display a disclaimer. Read the disclaimer and, if you accept it, press any key.
Then just leave it running for some time. If the screen does not change for more than an hour, try running it in a different directory.
For safety reasons, the program will not overwrite the original files. The decrypted files will appear under the same name, but with the suffix “_decrypted“. Please check whether they are valid and, in case of any problems, contact me.

CUSTOMIZING:

Supported files are defined in the headers directory and recognized by their extensions.

In order to decrypt a file, some part of it (a minimum of 4 bytes at a specified offset) must be known.

This is simple if the format has a predefined header.
To add a new type, you must know the length of the constant part of the header (4 to 16 bytes are accepted). Then, place a valid file sample into the headers directory and rename it following this convention:

If you want to start from the offset 0:

[constant_length].[extension]

If you want to start from any defined offset:

[constant_length]_[offset].[extension]

Example: a DOCX file has an 8-byte header, so to add support for it I placed a sample DOCX file named 8.docx into the headers directory. (Read more about the headers of various file types: http://www.garykessler.net/library/file_sigs.html)

Sometimes a file without a header can still be recovered if we can predict part of its content.

For example, a C++ file starting with:

#include

can be defined as 8.cpp with the above content inside.

Be careful: GARBAGE IN -> GARBAGE OUT!

Mistakes in defining headers will lead to corrupted results or inability to progress in decoding. However, your original files will not get overwritten, so you can experiment freely.
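The naming convention above is easy to get wrong, and a wrong header definition is exactly the GARBAGE IN case. As an added example (not code from the DMA Unlocker repository), the script below parses header-definition names of the form [constant_length].[extension] and [constant_length]_[offset].[extension], enforces the accepted 4 to 16 byte range, rejects samples that are too short for the declared offset and length, and checks whether a candidate plaintext carries the expected bytes for its extension. The header set is constructed inline rather than read from a real headers directory; the name 4_4.png and the sample contents are constructed for illustration.

```python
"""Added example: parser and validator for the header-definition naming
convention described in the CUSTOMIZING section. Not part of the
DMA Unlocker source; the sample header set below is constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass

# [constant_length]_[offset].[extension], with "_[offset]" optional (offset 0)
FILENAME_RE = re.compile(r"^(\d+)(?:_(\d+))?\.([^.]+)$")
MIN_CONST, MAX_CONST = 4, 16          # accepted constant-part lengths, per the page


@dataclass(frozen=True)
class HeaderDef:
    extension: str
    offset: int
    known: bytes                      # constant bytes expected at `offset`


def parse_header_name(name: str) -> tuple[int, int, str]:
    """Parse a header sample's file name into (length, offset, extension).
    Raises ValueError when the name does not follow the convention or the
    constant length is outside the accepted 4..16 range."""
    m = FILENAME_RE.match(name)
    if not m:
        raise ValueError(f"{name!r} does not follow [length]_[offset].[ext]")
    length = int(m.group(1))
    offset = int(m.group(2) or 0)
    if not MIN_CONST <= length <= MAX_CONST:
        raise ValueError(f"{name!r}: constant length {length} not in {MIN_CONST}..{MAX_CONST}")
    return length, offset, m.group(3).lower()


def load_header_defs(samples: dict[str, bytes]) -> dict[str, HeaderDef]:
    """Build one HeaderDef per extension from {file_name: sample_bytes}.
    A sample shorter than offset + length is garbage in, so it is rejected
    instead of being silently truncated into a bogus definition."""
    defs: dict[str, HeaderDef] = {}
    for name, data in samples.items():
        length, offset, ext = parse_header_name(name)
        if len(data) < offset + length:
            raise ValueError(f"{name!r}: sample too short for offset {offset} + length {length}")
        defs[ext] = HeaderDef(ext, offset, data[offset:offset + length])
    return defs


def looks_valid(candidate: bytes, ext: str, defs: dict[str, HeaderDef]) -> bool:
    """True if a candidate plaintext carries the known bytes for its extension
    at the defined offset; False for unsupported extensions."""
    d = defs.get(ext.lower())
    if d is None:
        return False
    return candidate[d.offset:d.offset + len(d.known)] == d.known


# Constructed sample set mirroring the page's examples (8.docx, 8.cpp),
# plus a hypothetical offset-based definition (4_4.png).
SAMPLE_HEADERS = {
    "8.docx": b"PK\x03\x04\x14\x00\x06\x00" + b"\x00" * 24,   # ZIP local header used by DOCX
    "8.cpp": b"#include <stdio.h>\nint main(void) { return 0; }\n",
    "4_4.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,             # 4 known bytes at offset 4
}

if __name__ == "__main__":
    defs = load_header_defs(SAMPLE_HEADERS)
    for ext, d in sorted(defs.items()):
        print(f"{ext:>5}: offset={d.offset} known={d.known!r}")
    print(looks_valid(b"#include <vector>\n", "cpp", defs))
    print(looks_valid(b"\x00" * 32, "docx", defs))
```

Running the script prints the three parsed definitions, then True for a C++ candidate that starts with "#include" and False for a buffer of zeros checked against the DOCX definition. The length check mirrors the tool's accepted range, and rejecting short samples up front is the cheapest way to avoid the corrupted results the section warns about.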

Samples

The product has been tested against several samples of the DMA Locker version that encrypts file content with the prefix !DMALOCK. For example:

Variant#1:

If this application helped you (or not), please leave some feedback. All remarks are a precious help for my research!

75 Responses to DMA Unlocker

  1. Pingback: DMA Unlocker | hasherezade's 1001 nights

  2. Pingback: Weekendowa Lektura 2016-02-20 – bierzcie i czytajcie | Zaufana Trzecia Strona

  3. Necker says:

    Really liking the work thanks! – A bit of feedback – When downloading the files dma.exe is stripped out as a virus. My attempts are kind of stopping there…
    I know that this is probably because the exe is acting like a virus but in reverse and providing the tell tale signs of a virus.
    How do I download it without kicking off my defences?

  4. John H says:

    Great Work!!
    Maria has helped us out after being hit by the DMA Locker with this software after thinking we had lost some files that were not backed up (they certainly are now), looking forward to the final release.

  5. João Rodríguez says:

    I have a question about DMA Unlocker …

  6. Miro says:

    Great work! When will DMA Lock 3.0 decryption be available, please?

  7. Snef says:

    I was infected with DMA Lock 4.0. Any chance to decrypt it?

  8. Dare Fikri says:

    Hello! first of all thank you for all the work you have been doing to combat this issue.

    I am infected with DMA Version 3 DMALOCK 81:20:40:60:33:68:61:70

    Any update on the status of the decryptor ?

    Any input would be greatly appreciated

    • hasherezade says:

      Hi! Version 3.0 is not decryptable. However, keys are not unique per victim – so, it is possible to get files decrypted for free if someone has bought the key fitting your set and made it available.
      Regarding your key – I don’t have it, so I am not capable of helping you.

  9. Bruce says:

    Would you have a key for:

    DMA Version 3 DMALOCK 80:81:25:21:39:53:22:39

  10. Matt says:

    hello – please let me know if you have the key for:

    DMALOCK 15:65:65:58:62:20:49:29

  11. Rob says:

    If anyone has a DMALOCK 3.0 key I would truly appreciate it. My company was hit with it earlier this week and was only able to salvage 80% of our clients.

  12. Matt says:

    Which one do you have?

  13. andy says:

    Need a key for 16:55:28:45:52:32:56: if anyone has it please.

  14. JMP says:

    Need a key for 16:55:28:45:52:32:56: same as Andy.

  15. Osman Cenk TERZİOGLU says:

    need a key for 62:60:24:67:53:67:49:54

  16. shashi patel says:

    should i get the script / software related to DMA locker for education purpose??

  17. Rachel says:

    Got hit with DMA Lock 3.0. My ID is 55:69:54:23:33:53:41:41 – If anyone has they key for this, I’d love a copy! ❤

  18. John says:

    New client hit. Looking for Key for ID 76:22:16:52:40:64:12:62

  19. Brandon says:

    A client just got hit with ID DMALOCK 33:31:17:56:75:75:69:20. They ended up paying the ransom (10 BTC) so I have the key if it will help anyone.

  20. mike says:

    need a key for DMALOCK 10:51:15:65:53:18:20:33. will pay, big business hit.

  21. David says:

    How do I find out the ID numbers for DMALOCK 3.0?

  22. David says:

    Anyone have this key? 33:28:45:15:60:24:22:19

  23. Andy says:

    Need a key for !Locked!### 12:30:17:29:34:62:06:12

  24. Al says:

    Does any have a key for 13:64:47:25:64:23:60:56

  25. Gary Murray says:

    Please let me know if you have a key for this:
    DMALOCK 31:74:71:30:36:43:72:21
    Supposedly v3.0 — it’s been just over a year since it was found, are there any other ‘white hatters’ who have made any progress?
    Thanks!

    • hasherezade says:

      Hi,
      unfortunately, if the attackers implemented cryptography properly (and in the case of DMALocker 3.0 it seems so), it is just not possible to break – no matter how much time has passed since the release.
      At the moment I don’t have the fitting key for you, but if I get I will let you know.

  26. Rod Fernandez says:

    Anybody come across 10:74:24:52:39:72:33:63?

  27. jay IT says:

    A law firm got their entire network share encrypted, ID 51:71:68:70:25:22:16:22. DMA Locker 3.0, any help would be appreciated. I understand it’s a far cry but it’s worth trying. I’m willing to provide a reward for any help.

  28. Adam Pilat says:

    If anyone has key for DMALOCK 35:21:58:57:54:10:35:68 and can share it is greatly appreciated.

  29. steve says:

    Does anyone have the key for DMALOCK 35:21:58:57:54:10:35:68 please

  30. Bruce Bock says:

    Anyone have a key for DMALOCK 48:74:32:29:74:69:65:47

  31. Steve says:

    I have the key for DMALOCKER 3.0 35:21:58:57:54:10:35:68

  32. Eric Shrum says:

    DMA Lock 10:74:24:52:39:72:33:63. This is file shares for a school. Would appreciate any help. Having problems finding patient zero…

  33. Leon Davies - really desperate as it has encrypted pastel accounts and HR & Payrolld says:

    Hi, I have a huge problem, a very bright spark “techie” came in and connected his flash drive to the server while disabling the A/V and infected the server, the ID on the server is 35:43:36:71:42:63:45:22, is there a decrypter on this ID yet?

  34. David Hoose says:

    I need a key for DMALOCK 57:75:33:59:67:23:62:73 if you get one. Thanks!

  35. mike says:

    does anyone have a key then?

  36. Trig says:

    Also looking for a DMA 3.0 decryptor…thanks.

  37. Andrew says:

    I’ve got DMALOCK 57:34:31:72:31:55:26:82 any chance you’ve got a key for that?

  38. Sam says:

    I’m looking for DMALOCK 3.0 Key – 18:48:45:12:14:61:59:63

  39. SlapstixXx says:

    Looking for Key for 56:64:80:55:78:65:78:47

  40. John says:

    DMALOCK 84:67:64:49:24:65:74:78

    Hi Anyone have a decrypt key for this one ?

  41. Mathialoc says:

    A friend has DMALOCK 78:62:57:74:54:22:73:47
    Anyone seen that one anywhere?
    Thanks

  42. threeeye says:

    Hi, anyone have the key for
    DMALOCK 40:83:66:22:12:81:25:18
    Thanks

  43. JW says:

    Still waiting on a decryptor for 84:67:64:49:24:65:74:78. Anyone figure this one out? Any help would be great. Thank you.
