A very experienced malware researcher, going by the nickname hasherezade (@hasherezade), has released decryption instructions for victims of the DMA Locker ransomware. The third variant of this ransomware was first detected back in May, and when it was released it had even stronger encryption than its predecessors. The virus demands 4 BTC in ransom payment after it encrypts the files on the infected computer, denying the user all access to them.
DMA Locker 3.0 Ransomware – Quick Background
The previous versions of the DMA Locker virus had multiple flaws which made the enciphered files easily decryptable. This pushed the malware writers behind it to develop a more sophisticated version of the virus, named DMA Locker 3.0.
This ransomware is particularly interesting because it primarily aims to check for several key Windows processes, such as ShadowExplorer.exe, sesvc.exe, cbengine.exe and rstrui.exe, all connected with Windows backups.
After it has infected a given system, the DMA Locker virus causes a blue screen of death directly; after the computer restarts, the virus displays a system error and automatically runs its malicious executable, which encrypts the files and displays its distinctive ransom note:
Fortunately, now there is a decryption possibility for some DMALOCKS. So if your DMALOCK is not one of the ones below, you should wait for an update in this article, because at this point only three series of DMA Locker 3.0 are supported. Here are the supported DMALOCKS for which these instructions should work:
DMALocker 3.0 Decryption Instructions
Before we begin the decryption process, it is strongly recommended to follow these instructions.
Once these are in place, we can continue with the decryption instructions. To decrypt the files for a particular DMA Locker key, it is important to know what you will be doing first. The brave malware researcher who reported that these variants are decryptable, @hasherezade, has come up with a modified variant of DMA Locker which also causes an infection on your computer, so be prepared: your PC may restart and show a BSOD as a result of executing these files. This is why we are not responsible if you haven’t followed our instructions in the red box above.
Here is how to decrypt files encrypted by the above-mentioned DMALOCKS:
Step 1: Click on the following web link and download the DMALOCKS.zip file corresponding to your infection by clicking on the download icon which will appear on the top left corner when you hover with your mouse above it:
Save the file somewhere where you can easily find it and open it. To open it, you will need a program such as WinRAR, which can be found for free online at rarlab.com.
Step 2: Extract the archive into the %ProgramData% folder. This folder can be found in different locations, depending on your Windows version:
C:\Users\All Users (on newer Windows versions, the program data folder appears under the name “All Users”)
You should extract the DMALOCKS folder into this folder, just as described in the picture below:
It will ask for a password upon extraction. The password is “infected”.
Step 3: After this has been performed, you should run the svchosd.exe file as an administrator by right-clicking it:
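Before running anything as administrator, it is worth confirming that the archive actually landed in the right place and that both files the decryptor needs are present. The following PowerShell pre-flight check is an added example for Steps 2 and 3; it is not part of the original article or of hasherezade’s tooling. It assumes the extracted folder is named DMALOCKS and contains svchosd.exe and dma_private.key, as the instructions describe; it resolves the real ProgramData folder for any Windows version instead of relying on the “All Users” alias, records the hash of the executable you are about to run, and warns if the session is not elevated.

```powershell
# Added example (not from the original article): pre-flight check before Step 3.
# Assumes DMALOCKS.zip was extracted to <ProgramData>\DMALOCKS and that the
# folder contains svchosd.exe and dma_private.key, as the instructions describe.

# Resolve the real ProgramData folder regardless of Windows version;
# C:\Users\All Users is only an alias for it on newer systems.
$programData = [Environment]::GetFolderPath('CommonApplicationData')
$toolDir     = Join-Path $programData 'DMALOCKS'

if (-not (Test-Path -LiteralPath $toolDir -PathType Container)) {
    throw "Folder not found: $toolDir. Extract DMALOCKS.zip into $programData first."
}

# Both files must be present before anything is run.
foreach ($name in 'svchosd.exe', 'dma_private.key') {
    $path = Join-Path $toolDir $name
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        throw "Missing file: $path"
    }
}

# Record exactly what is about to be executed; keep this with your incident notes.
Get-FileHash -LiteralPath (Join-Path $toolDir 'svchosd.exe') -Algorithm SHA256 |
    Format-List Path, Hash

# The decryptor must run elevated (Step 3); warn if this session is not.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning 'This session is not elevated; start svchosd.exe via "Run as administrator".'
}
```

Run the script from a normal PowerShell window first; if it throws, fix the extraction before proceeding to Step 3. The recorded SHA256 lets you confirm later which binary was actually executed on each machine.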
Step 4: Bear in mind that after the executable runs, your computer may show a BSOD and restart, after which it will display an error message and the files will be encrypted. Nevertheless, it will also display DMA Locker’s so-called “user interface” screen. There you should see an “Open” button. Simply press it and navigate to the DMALOCKS folder to open the dma_private.key file.
After you have done this, click on the “UNLOCK” button under the “OPEN” button and the decryptor will automatically begin to decrypt your files, as shown in the photo below:
The malware researcher also advises affected users to repeat the same procedure on each enciphered machine if the machines are part of a workstation group.
DMA Locker 3.0 Decryption – Summary
Those who were able to get their files decrypted from these variants of DMA Locker are in luck, because there are many more out there who cannot decrypt their data. Still, we at SensorsTechForum will keep track of the latest developments involving DMA Locker and decryption possibilities. In the meantime, we recommend following several simple tips to keep yourself protected in the future and avoid ransomware devastators such as DMA Locker 3.0.
1. Follow these general protection tips.
2. Download an advanced malware protection program.
3. Download a relevant ransomware protection program.
4. Download a relevant cloud backup program that backs up copies of your files to a secure server, so that even if your computer is affected your data stays protected.