Hey you,

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:

Decrypt Files Encrypted by DMA Locker 3.0 Ransomware

dmalocker3-decryption-how-to-sensorstechforum-mainA very experienced malware researcher, going by the nickname hasherezade (@hasherezade) has released decryption instructions for the victims of DMA Locker ransomware. The 3rd variant of this ransomware virus has been first detected back in May, and when it was released, it had even stronger encryption than it’s predecessors. The virus demands 4 BTC in ransom payment after it encrypts the files of the infected computer, denying all access to them by the user.

DMA Locker 3.0 Ransomware – Quick Background

The previous versions of the DMA Locker virus had multiple flaws which made the enciphered files easily decryptable. This pushed the malware writers behind it to develop a more sophisticated version of the virus, named DMA Locker 3.0.

This ransomware is particularly interesting primarily because it ais primarily to check for several key Windows processes such as ShadowExplorer.exe, sesvc.exe, cbengine.exe and rstrui.exe all connected with Windows backups.

After it has infected a given system, the DMA Locker virus causes a direct blue screen of death and after the computer is restarted the virus displays a system error and automatically runs It’s malicious executable which encrypts the files and displays it’s distinctive ransom note:


Fortunately, now there is a decryption possibility for some DMALOCKS. So if your DMALOCK is not one of the ones below, you should wait for an update in this article, because at this point only three series of DMA Locker 3.0 are supported. Here are the supported DMALOCKS for which these instructions should work:

DMALOCK 38:34:69:41:46:73:32:55
DMALOCK 51:34:11:63:80:61:23:19
DMALOCK 40:12:16:43:65:40:70:17

DMALocker 3.0 Decryption Instructions

Before we begin the decryption process, it is strongly recommended to follow these instructions.

1. Make more than one backup of the encrypted files.
2. Create a recovery dump of Windows just in case it crashes so you can restore it easily.
3. Do not insert any flash drives with important information on the infected computer since they may get encrypted as well.
4. Realize that you are doing this at your risk!

After these are kept, we can continue with the decryption instructions. To decrypt the files for a particular DMA Locker key, it is important to know what you will be doing, first. The brave malware researcher who reported these variants are decryptable, @hasherezade has come up with a modified variant of DMA Locker which also causes an infection on your computer so be prepared because your PC may restart and have a BSOD as a result of executing these files. This is why we are not responsible if you haven’t followed our instructions in the red box above.

Here is how to decrypt files encrypted by the above-mentioned DMALOCKS:

Step 1: Click on the following web link and download the DMALOCKS.zip file corresponding to your infection by clicking on the download icon which will appear on the top left corner when you hover with your mouse above it:


Save the file somewhere where you can easily find it and open it. For you to open it, you will need a program such as WinRar which can be found for free online at rarlab.com.

Step 2: Extract the archive in the %Program Data% folder. You can find the folder in different locations, depending on your Windows version:


→C:\Program Data
C:\Users\All Users (The new program data has the name “All Users”)

You should extract the DMALOCKS folder into this folder, just as described in the picture below:


It will ask for a password upon extraction. The password is “infected”.


Step 3: After this has been performed, you should run the svchosd.exe file as an administrator by right-clicking it:


Step 4: Then, bear in mind that after the executable runs, your computer may cause a BSOD and restart after which display an error message and the files will be encrypted. Nevertheless, it will also display the DMA Locker’s so-called “user interface” screen. There you should see an “Open” button. Simply press it and navigate yourself to the DMALOCKS folder to open the dma_private.key button.


After you have done this click on the “UNLOCK” button under the “OPEN” button and the decryptor will automatically begin to decrypt your files, as shown from the photo below:


The malware researcher also advises affected users to perform the same activity on each enciphered machine if the machines are a part of a workstation group.

DMA Locker 3.0 Decryption – Summary

Those who were able to get their files decrypted by these variants of DMA Locker are in luck because there are much more out there who cannot decrypt their data. Still, we at SensorsTechForum will keep track on latest developments involving DMA Locker and decryption possibilities. In the meantime, recommendations are to follow several simple tips to keep yourself protected in the future and avoid ransomware devastators such as DMA Locker 3.0.

1. Follow these general protection tips.
2. Download an advanced malware protection program.

Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter

3. Download a relevant ransomware protection program.
4. Download a relevant cloud backup program that backups copies of your files on a secure server and even if your computer is affected you will stay protected.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.