DMA Locker ransomware, brace yourself for a colossal attack.

DMA Locker ransomware was first developed in January 2016. So far it has not been widely spread, but that is about to change. This ransomware behaves like other members of the malware family, with a few small differences. It displays the ransom message “Your personal files are encrypted” and then demands money. DMA Locker is malicious software that locks you out of your files or computer and demands money to give back access. Files are encrypted with AES-256 in ECB mode. Locked files are decryptable if you have the original sample, because the key is included in it. DMA Locker has been modified almost every month since its release.
DMA Locker ransomware

Once this ransomware runs, it copies itself to C:\ProgramData or C:\Documents and Settings\All Users\Dokumenty\ under the name fakturax.exe, together with a modified copy named ntserver.exe. After the ransom note appears, fakturax.exe is deleted. As mentioned above, the virus announces itself to victims with a red pop-up message window; an English example is shown above, and the current version is also available in Polish. After encryption, files are left without an extension; instead an identifier is added to the file header. An interesting feature of DMA Locker is its built-in decryption mode: entering the 32-character key supplied by the attackers switches the program to decryption. The program is not very stable and may crash during encryption, which is bad news for victims. Consider purchasing anti-malware software to remove DMA Locker ransomware and for future protection.

NOTE: With this option the virus will be removed, but the files will remain locked! You still have to decrypt your files.

DMA Locker 2.0 and 3.0

This is an upgraded, more advanced version of the previous one. Not long after DMA Locker 1.0 was developed, the ransomware received an upgrade at the beginning of February and another at the end of the month. Previously DMA Locker used a simple way of storing keys, so files could be recovered with the original sample alone. Unfortunately, the upgraded version comes with a few improvements, and the decryptor for 1.0 no longer works. You can PREVENT the previous version from encrypting by creating the following files: no encryption will take place and only the red message will be displayed.

  • C:\Documents and Settings\All Users\decrypting.txt
  • C:\Documents and Settings\All Users\start.txt
  • C:\ProgramData\decrypting.txt
  • C:\ProgramData\start.txt

Note: this only prevents encryption; it will not help if files are already encrypted.

The red ransom window is almost identical to the one before. The only differences are a new locker image and that the decryption key now has to be supplied as an RSA key file. The new file dropped into the locations mentioned above is svchosd.exe. Again no extension is added; encrypted files can only be recognized by the identifier prepended to their content: the 8-byte !DMALOCK, or !DMALOCK3.0.
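As an added example that is not part of the original article, the Python script below implements the two defender-side checks the text describes: creating the empty decrypting.txt and start.txt marker files (the list above) that make the earlier version skip encryption and only show the red message, and scanning a directory tree for files whose content begins with the !DMALOCK or !DMALOCK3.0 identifier so that encrypted files without an extension can still be found. The function names, the temporary-directory demo and its sample files are assumptions constructed here; the default directories are the two the article lists.

```python
"""Defender-side helpers for the DMA Locker behaviour described above.

Added example, not code from the original article. It assumes the layout
the article describes: marker files under ProgramData, and an "!DMALOCK"
(8 bytes) or "!DMALOCK3.0" identifier at the start of each encrypted file.
Function names and the sample files are constructed for illustration.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

# Identifiers the article says are prepended to encrypted file content,
# mapped to the version they indicate.
DMALOCK_MARKERS = {
    b"!DMALOCK3.0": "DMA Locker 3.0",
    b"!DMALOCK": "DMA Locker 2.0",
}

# File names whose presence makes the earlier version show only the ransom
# window and skip encryption (per the article). The default bases are the
# two directories it lists; the demo passes a temporary directory instead.
VACCINE_NAMES = ("decrypting.txt", "start.txt")
DEFAULT_VACCINE_BASES = (
    Path(r"C:\ProgramData"),
    Path(r"C:\Documents and Settings\All Users"),
)


def create_vaccine_files(bases=DEFAULT_VACCINE_BASES) -> list[Path]:
    """Create the empty marker files under each base directory that exists.

    Returns the marker paths that now exist (newly created or already there).
    """
    present = []
    for base in bases:
        base = Path(base)
        if not base.is_dir():
            continue  # e.g. the XP-era path does not exist on modern Windows
        for name in VACCINE_NAMES:
            target = base / name
            target.touch(exist_ok=True)
            present.append(target)
    return present


def identify_marker(data: bytes) -> str | None:
    """Return the DMA Locker version a file header indicates, or None."""
    # Check the longer marker first so "!DMALOCK3.0" is not reported as 2.0.
    for marker, version in sorted(DMALOCK_MARKERS.items(),
                                  key=lambda kv: -len(kv[0])):
        if data.startswith(marker):
            return version
    return None


def find_marked_files(root) -> list[tuple[Path, str]]:
    """Walk a directory tree and report files whose first bytes carry a marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                with path.open("rb") as fh:
                    head = fh.read(16)  # longest marker is 11 bytes
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            version = identify_marker(head)
            if version:
                hits.append((path, version))
    return hits


def run_demo() -> dict:
    """Build a constructed sample tree in a temp dir and run both helpers on it."""
    root = Path(tempfile.mkdtemp(prefix="dmalock-demo-"))
    # Constructed sample files: one per marker, one clean file, and one that
    # contains the marker somewhere other than the start (must not match).
    (root / "report").write_bytes(b"!DMALOCK" + b"\x00" * 32)
    (root / "photo").write_bytes(b"!DMALOCK3.0" + b"\x01" * 32)
    (root / "notes.txt").write_bytes(b"plain text, nothing to see")
    (root / "log.txt").write_bytes(b"contains !DMALOCK later on")
    vaccine = create_vaccine_files([root])
    marked = {p.name: v for p, v in find_marked_files(root)}
    return {"vaccine": sorted(p.name for p in vaccine), "marked": marked}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Running the script sweeps only the constructed temporary tree; pointing `find_marked_files` at a real volume gives a list of suspected encrypted files to preserve before any cleanup, and `create_vaccine_files()` with no arguments writes the markers to the article's two directories where they exist.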

DMA Locker ransomware

DMA Locker 4.0

This is the latest version of DMA Locker and may be the next big name among ransomware viruses. It was discovered on 19 May 2016, and the developers are clearly updating and improving it constantly. For now the latest versions, 3.0 and 4.0, are nicknamed the undecryptable ones. DMA Locker 1.0 and 2.0 operated offline, but the new version uses a C&C server from which the victim's machine obtains the public RSA key. If the user is not online, the virus sits and waits until the computer is connected. Once online, DMA Locker 4.0 runs without any trace until file encryption is done. Once it runs, it copies itself to the same location as the earlier versions, C:\ProgramData, but this time under the name svchosd.exe, together with two additional files: select.bat and cryptinfo.txt. The cryptinfo.txt note has much shorter content and a link for victims. The red pop-up window is similar to the versions known so far.

DMA Locker ransomware

Unlike most ransomware, which provides a Tor website, DMA Locker surprisingly uses normal hosting and also offers a decryption test file. The look of the website and the fact that it is not yet fully functional may be early signs that it is still under development. Furthermore, the new DMA Locker uses not one but two encryption algorithms (AES and RSA).

Now that you have been infected, you have a few options:

Many suggest that you simply pay and hope that you get all of your data back. However, in this case you risk losing money and still being stuck with encrypted files. We do not recommend this, simply because you would be supporting the work of the hackers, and the more money they get the stronger they become.

The best option, if you have a backup, is to wipe your hard drive and restore the system.

Use any anti-malware software to remove DMA Locker.

NOTE: With this option the virus will be removed, but the files will remain locked! You still have to decrypt your files.

New research shows how ransomware deletes files and substitutes encrypted copies of them. It is not guaranteed, but you may be able to recover your files with data recovery software. Before trying to decrypt any files, you can scan your computer for possibly recoverable lost data.

Go here to find out how to recover deleted files.

  • Name – DMA Locker
  • Type – Malware, Ransomware, Trojan Horse
  • Danger Level – High
  • Brief Description – Encrypts files and demands a ransom.
  • Symptoms – Poor PC performance or freezing, ransom messages.
  • Method – Via Trojan horse or spam email.

How to remove “DMA locker ransomware”

Short guide:

  1. Log in as administrator.
  2. Go to Control Panel and uninstall any suspicious software.
  3. Use any anti-malware software to remove DMA Locker.
  4. Decrypt DMA locker ransomware files.
  5. Delete all temporary files from disk cleanup.
  6. Restart your computer.

Note: Removing DMA locker ransomware manually could be very risky and unpredictable!

Step by step how to remove “DMA locker ransomware”

Manual steps to remove ransomware or malware, and how to prevent ransomware or malware.

For now, removing ransomware or malware manually is only feasible for IT specialists. If you don't know one, don't worry: we have a solution for you. Here we will use Spyhunter to remove the virus. Spyhunter is an anti-malware suite that can be used to scan for malware and clean infected computers. You can also use a full anti-malware program, which is the better option because it also offers ongoing protection.

How to remove "ransomware or malware"

NOTE: With this option the virus will be removed, but the files will remain locked! You still have to decrypt your files.

  1. Download Spyhunter anti-malware.
  2. After the program has been downloaded, double-click to open it. The program has to be installed: click on Spyhunter.exe to start the process. A User Account Control dialog may appear, asking you to allow the program to make changes to this computer. Click "Yes" or "Run" to proceed with the installation. You can also choose from a variety of languages. Click OK and the installation will begin with a welcome message from Spyhunter. Click Next to continue to the next step. You will also have to accept the Spyhunter license agreement by clicking on "I accept the agreement" and then Next. Spyhunter will ask you to read the important information provided before continuing; once done, click Next. You can choose where to install the program; by default it is C:\Program Files\Enigma Software Group\SpyHunter. The installation will then proceed. It may take a while, depending on your computer's performance. Once the installation is done, click Finish.
  3. Update the software before scanning. Once the program has been updated, go to scan. You can choose between a free trial version and activating a license. It is recommended to buy the full version, as the trial will not protect your computer system.
  4. The scan process will begin. It may take a while, depending on your computer's performance.
  5. Once the scan is complete you can choose between deleting or quarantining the detected malware. The quarantine option is recommended, and since the malware is active, a reboot will be required to finish the process.

Click here for a guide on how to uninstall Spyhunter.

Decrypt ransomware files.

The good news is that we can now use decryption programs. Many security companies, such as Kaspersky Lab, Bitdefender and others, have developed programs capable of decrypting files locked by ransomware. You can find these programs in many places on the internet, but it is strongly suggested to download them only from the official websites. NOTE: It may take a long time for your files to be decrypted, depending on your PC performance.