Decrypt Files Encrypted by DMA Locker 3.0 Ransomware - How to, Technology and PC Security Forum

Decrypt Files Encrypted by DMA Locker 3.0 Ransomware


A very experienced malware researcher going by the nickname hasherezade (@hasherezade) has released decryption instructions for the victims of DMA Locker ransomware. The 3rd variant of this ransomware virus was first detected back in May, and when it was released, it had even stronger encryption than its predecessors. The virus demands 4 BTC in ransom payment after it encrypts the files of the infected computer, denying the user all access to them.

DMA Locker 3.0 Ransomware – Quick Background

The previous versions of the DMA Locker virus had multiple flaws which made the enciphered files easily decryptable. This pushed the malware writers behind it to develop a more sophisticated version of the virus, named DMA Locker 3.0.

This ransomware is particularly interesting because it aims primarily to check for several key Windows processes such as ShadowExplorer.exe, sesvc.exe, cbengine.exe and rstrui.exe, all connected with Windows backups.

After it has infected a given system, the DMA Locker virus causes a direct blue screen of death, and after the computer is restarted the virus displays a system error and automatically runs its malicious executable, which encrypts the files and displays its distinctive ransom note:


Fortunately, now there is a decryption possibility for some DMALOCKS. So if your DMALOCK is not one of the ones below, you should wait for an update in this article, because at this point only three series of DMA Locker 3.0 are supported. Here are the supported DMALOCKS for which these instructions should work:

DMALOCK 38:34:69:41:46:73:32:55
DMALOCK 51:34:11:63:80:61:23:19
DMALOCK 40:12:16:43:65:40:70:17
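
When several machines are affected, the check against the three supported IDs above can be scripted. This is an added example, not part of the original article or of hasherezade's tooling; it assumes the ID appears in the ransom note text in the same shape as on this page ("DMALOCK" followed by eight two-digit groups), and the host names and note text are constructed.

```python
import re

# The three series this article lists as decryptable.
SUPPORTED_IDS = {
    "38:34:69:41:46:73:32:55",
    "51:34:11:63:80:61:23:19",
    "40:12:16:43:65:40:70:17",
}

# Assumed shape, taken from the IDs on this page: "DMALOCK" followed by
# eight two-digit groups separated by colons (stray spaces tolerated).
ID_RE = re.compile(r"DMALOCK\s*((?:\d{2}\s*:\s*){7}\d{2})(?!\d)", re.IGNORECASE)


def extract_ids(note_text):
    """Return every distinct DMALOCK ID in the text, normalised to NN:NN:..."""
    found = []
    for raw in ID_RE.findall(note_text):
        norm = re.sub(r"\s+", "", raw)
        if norm not in found:
            found.append(norm)
    return found


def triage(notes_by_host):
    """Group hosts by ID into supported / unsupported; list hosts with no ID."""
    report = {"supported": {}, "unsupported": {}, "unknown": []}
    for host, text in sorted(notes_by_host.items()):
        ids = extract_ids(text)
        if not ids:
            report["unknown"].append(host)
        for dma_id in ids:
            bucket = "supported" if dma_id in SUPPORTED_IDS else "unsupported"
            report[bucket].setdefault(dma_id, []).append(host)
    return report


# Constructed sample note text (hypothetical hosts), using IDs quoted on this page.
SAMPLE_NOTES = {
    "ws-01": "All your data is locked.\nDMALOCK 51:34:11:63:80:61:23:19\n",
    "ws-02": "dmalock 70:66:83:50:68:23:73:25",
    "ws-03": "ID: DMALOCK 38 : 34:69:41:46:73:32:55 (keep this)",
    "ws-04": "note file was empty or unreadable",
}

if __name__ == "__main__":
    for bucket, value in triage(SAMPLE_NOTES).items():
        print(bucket, value)
```

Hosts reported under "unsupported" or "unknown" should be left alone and their encrypted files kept backed up, since the instructions below apply only to the three listed series.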

DMALocker 3.0 Decryption Instructions

Before we begin the decryption process, it is strongly recommended to follow these instructions.

1. Make more than one backup of the encrypted files.
2. Create a recovery dump of Windows just in case it crashes so you can restore it easily.
3. Do not insert any flash drives with important information on the infected computer since they may get encrypted as well.
4. Realize that you are doing this at your own risk!

Once these precautions are in place, we can continue with the decryption instructions. Before decrypting the files for a particular DMA Locker key, it is important to know what you will be doing. The brave malware researcher who reported that these variants are decryptable, @hasherezade, has come up with a modified variant of DMA Locker, which also causes an infection on your computer, so be prepared: your PC may restart and show a BSOD as a result of executing these files. This is why we are not responsible if you haven’t followed our instructions in the red box above.

Here is how to decrypt files encrypted by the above-mentioned DMALOCKS:

Step 1: Click on the following web link and download the file corresponding to your infection by clicking on the download icon which will appear on the top left corner when you hover with your mouse above it:


Save the file somewhere where you can easily find it and open it. For you to open it, you will need a program such as WinRar which can be found for free online at

Step 2: Extract the archive in the %Program Data% folder. You can find the folder in different locations, depending on your Windows version:


C:\Program Data
C:\Users\All Users (The new program data has the name “All Users”)

You should extract the DMALOCKS folder into this folder, just as described in the picture below:


It will ask for a password upon extraction. The password is “infected”.


Step 3: After this has been performed, you should run the svchosd.exe file as an administrator by right-clicking it:


Step 4: Bear in mind that after the executable runs, your computer may show a BSOD and restart, after which it will display an error message and the files will be encrypted. Nevertheless, it will also display DMA Locker’s so-called “user interface” screen. There you should see an “Open” button. Simply press it and navigate to the DMALOCKS folder to open the dma_private.key file.


After you have done this, click on the “UNLOCK” button under the “OPEN” button and the decryptor will automatically begin to decrypt your files, as shown in the photo below:


The malware researcher also advises affected users to perform the same activity on each enciphered machine if the machines are a part of a workstation group.

DMA Locker 3.0 Decryption – Summary

Those who were able to get their files decrypted for these variants of DMA Locker are in luck, because there are many more out there who cannot decrypt their data. Still, we at SensorsTechForum will keep track of the latest developments involving DMA Locker and decryption possibilities. In the meantime, we recommend following several simple tips to keep yourself protected in the future and avoid ransomware devastators such as DMA Locker 3.0.

1. Follow these general protection tips.
2. Download an advanced malware protection program.


3. Download a relevant ransomware protection program.
4. Download a relevant cloud backup program that backs up copies of your files to a secure server, so that even if your computer is affected you will stay protected.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.



  1. Christopher Klopstra

    I have another variant, DMALOCK 70:66:83:50:68:23:73:25. I have all 3 versions you have on a test file but they don’t work. What can I do to help so we can get this 70:x version unlocked as well?

  2. vali


  3. vali

    I am affected with “DMALOCK 26:83:45:78:78:69:70:76” please help us in decrypting
    my mail ID:

  4. Vencislav Krustev

    To all who have been infected with DMA Locker. Bear in mind that these instructions are only for those 3 DMA locks. If you want to look for decryptors for your DMA Locks, make sure to follow malware researchers involved with this virus, such as @hasherezade on Twitter, for example. Furthermore, you can also try alternative tools to restore your files, like using data recovery software, for example.

    Best Regards,

  5. shiv choudhary

    I am infected with “DMALOCK 31:74:71:30:36:43:72:21” please help us in decrypting the data My mail ID is

  6. Jeff Pearson

    Has anyone been able to create a decryption tool for 84:67:64:49:24:65:74:78 email is Looks like they placed the encryption code in the cryptinfo.txt file of: 17c41iFaMBrUPyZZvexainuVuZi3cM15vj Thanks

  7. Will Wilson

    I am thinking it consistently changes, maybe based on systems we are connecting to… I just got hit at an office I work for with key 47:81:81:27:58:15:19:84
    We had maybe 60% of our stuff backed up, which isn’t good numbers considering some of the items missing.

    Any help with these?

  8. Wayne Petrea

    Has anything changed since this article was written about DMA Locker 3.0/4.0 concerning decryption?

