Decryption

[pbjnr]

Are there any decryption tools available for DMA Locker 3.0 ?

[Aura]

Hi pbjnr

According to the latest update on Malwarebytes' DMA Locker article, v3.0 of the Ransomware fixed the bug in their encryption process, which means the decrypter they released no longer works for files encrypted with this version.

https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-strikes-back/

[sman]

Check in http://www.thewindowsclub.com/list-ransomware-decryptor-tools 

it seems this ransomware has evolved to make decryption impossible as per http://www.2-spyware.com/remove-dma-locker-3-0-ransomware-virus.html

also check in https://www.bleepingcomputer.com/forums/t/604873/dma-locker-ransomware-support-and-help-topic/ were Dave99uk says about a solution.. and some forum help..

[Aura]

I wouldn't list anything coming from an ESG affiliate website (2-spyware.com), sman.

Also, see this tweet:

 

[sman]

Is it Enigmasoftware (ESG)?..

[Aura]

Yes, ESG stands for Enigma Software Group USA LLC.

[sman]

Ok.. but the site (2-spyware.com) has no reference to ESG.. and not reported for any malicious content too.. so pretty unkniwn and on outlook appears safe enough..

and how to get the DMALOCKS? https://sensorstechforum.com/decrypt-files-encrypted-dma-locker-3-0-ransomware/ also refers to those 3 DMALOCKS as in that tweet.., but how to check the DMALOCKS?

 

[Aura]

Looks like 2-spyware changed their affiliation from ESG to Reimage. Anyway, in both cases, this website isn't as reliable as you would think, so I would take everything coming from it with a grain of salt.

SensorTechForum seems to be an ESG affiliate though.

Anyway, we're going off-topic.

 

[sman]

Ok.. but what about DMALOCKS? How to know it?

[Aura]

It should be listed in the ransom note that DMA Locker drops.

[sman]

I doubt if it will it be so obvious / revealing by the hacker?..

[sman]

and where would that be in the note? ie. where to look for?

[Aura]

Google is your friend

https://www.bleepingcomputer.com/news/security/dma-locker-ransomware-targets-unmapped-network-shares/

[sman]

so one has to check the file header, but if they are evolving, even this header logic also would have variation/evolved.. so no guarantee that the infection would be obvious (yes, ransom note, apart, to get to the victim)..

[sman]

and if files are encrypted/locked, probably the drive has to be checked externally only (as an external drive, probably)..