DMA Locker Ransomware

Also Known As: DMA Locker virus
Distribution: Low
Damage level: Severe

DMA Locker ransomware removal instructions

What is DMA Locker?

DMA Locker is ransomware that stealthily infiltrates systems and encrypts stored data. Following successful encryption, DMA Locker displays a message stating that victims must pay a ransom in exchange for the private key required to decrypt their files.

The displayed lockscreen contains all information regarding encryption and payment (for example, 'What is DMA Locker', 'What is Bitcoin?', etc.). It states that the victim must pay a 15 Bitcoin (BTC) ransom (at time of research, equivalent to US$6491.25), otherwise the encrypted data will be lost. In addition, users are provided with step-by-step payment instructions. Note that ransoms demanded by other ransomware-type viruses usually fluctuate between 0.5 and 1.5 BTC, making DMA Locker's ransom considerably higher. Unfortunately, at the time of the original research there were no tools capable of decrypting the files (see the note below on a decrypter for an older variant). Therefore, the best solution to this problem is to restore your system from a backup.

Screenshot of a message encouraging users to contact the developers of DMA Locker ransomware to decrypt their compromised data:

DMA-Locker decrypt instructions

Update - February 3, 2016. Cyber criminals have updated the ransom demanding message:

dma locker ransomware updated version

There are many ransomware-type viruses sharing similarities with DMA Locker including, for example, CryptoWall, CryptoJoker, XRTN, and TeslaCrypt. These ransomware viruses have identical behavior: they infiltrate systems, encrypt files, and demand a ransom. There is no guarantee that your files will be decrypted even if you pay the ransom. In doing so, you will support the malicious business of cyber criminals. For these reasons, you should never pay the ransom or attempt to contact the developers of ransomware. DMA Locker and other similar viruses are often proliferated via malicious email attachments, P2P networks, or fake software updates. Be careful when opening suspicious emails and downloading data from untrusted sources. In addition, keep your installed software up-to-date and use a legitimate anti-spyware or anti-virus suite.

Computer users who are infected with an older variant of DMA Locker ransomware can use a decrypter created by Fabian Wosar to decrypt their files for free.

DMA Locker demanding ransom payment to decrypt files:

All your personal files are LOCKED!
What’s happened?
*All your important files (including hard disks, networks disks, flash, USB) are encrypted.
*All of files are locked with asymmetric algorithm using AES-256 and then RSA-2048 cipher.
*You are not possible to unlock your files because all your backups are removed.
*Only way to unlock your files is to pay us 536 GBP in Bitcoin currency (2.0 BTC). After payment we will send you decryption key automatically, which allow you to unblock files. If files unlocking procedure is already working, you can easily torn off your computer and continue files unlocking after nest startup. To continue healing your files, copy and paste the same decryption key to the “decryption key” field and press “Decrypt” button. The files recovering will be continued.

Update 28 April 2016 - Cyber criminals have updated DMA Locker ransomware. It now asks for a 4 BTC ransom and has a new ransom demanding message. Encrypted files now carry a !DMALOCK3.0 prefix.

Screenshot of cryptinfo.txt file (ransom demanding message created by DMA Locker ransomware):

dma locker dmalock3 updated variant cryptinfo.txt file

Text presented in cryptinfo.txt file:

Attention! ! !
All of your copies of your system have been permanently deleted and the data on all partitions and workstations have been encrypted!

Stay calm.

You can recover all your data by making a payment of 4 BTC (1072 GBP) in Bitcoin currency in order to receive a decryption key.

In order to purchase Bitcoins you can use https://coincafe.com/signup.php
After buying BTC send the equivalent of 4 BTC (1072 GBP) to our BTC address:

-

After payment contact us to receive your decryption key. In mail title write your unique ID: DMALOCK -

ATTENTION!
To ensure you that you can recover your data we are able to decrypt two files of your choice that are not larger that 1MB!

ATTENTION!
Even if your antivirus has removed our program, your data may be still recovered!

Update - May 20, 2016 - Cyber criminals have released a new variant of this ransomware (now called "DMALocker 4.0"). This variant does not add any extension to the encrypted files; instead it prepends the content marker "!DMALOCK4.0" (the first 9 bytes of each encrypted file contain the string !DMALOCK4), so encrypted files cannot be identified by name alone. The ransom demanding note (cryptinfo.txt) is only present in the installation folder.
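Because the 3.0 and 4.0 variants mark encrypted files by content rather than by extension, a search for renamed files finds nothing; the first bytes of each file have to be read. The following triage scanner is an added example (not code from the original page or from any vendor tool): it walks a directory tree, reads only the leading bytes of each file, and reports which files carry the !DMALOCK3.0 / !DMALOCK4.0 markers quoted above. The script name used in the usage comment is an assumption. Run it against a mounted disk image or after a clean boot, never while the ransomware may still be running, since it opens files read-only but does not stop an active encryptor.

```python
#!/usr/bin/env python3
"""Triage scanner for DMA Locker's in-file version markers.

Added example, not code from the original page or from any vendor tool.
DMA Locker 3.0 and 4.0 leave file names and extensions alone and instead
write a marker (!DMALOCK3.0 / !DMALOCK4.0) at the start of every
encrypted file, so a search by extension finds nothing and the first
bytes of each file have to be inspected. Files are opened read-only.
"""
import os
import sys
from collections import Counter

# Markers taken from the page. Order matters: the longer markers are tested
# before the bare 9-byte "!DMALOCK4" stem the page also mentions.
MARKERS = [
    (b"!DMALOCK3.0", "DMA Locker 3.0"),
    (b"!DMALOCK4.0", "DMA Locker 4.0"),
    (b"!DMALOCK4", "DMA Locker 4.0"),
]
STEM = b"!DMALOCK"             # any other version suffix is still worth flagging
HEADER_LEN = max(len(m) for m, _ in MARKERS)


def classify_header(header: bytes):
    """Return the variant label for a file header, or None if no marker is present."""
    for marker, label in MARKERS:
        if header.startswith(marker):
            return label
    if header.startswith(STEM):
        return "DMA Locker (unrecognised version marker)"
    return None


def classify_file(path: str):
    """Read only the first HEADER_LEN bytes of a file and classify it."""
    try:
        with open(path, "rb") as fh:
            return classify_header(fh.read(HEADER_LEN))
    except OSError:            # unreadable, a directory, a broken link: skip it
        return None


def scan_tree(root: str):
    """Walk root; return (hits, counts): hits maps path -> label, counts tallies labels."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            label = classify_file(path)
            if label is not None:
                hits[path] = label
    return hits, Counter(hits.values())


if __name__ == "__main__":
    # Usage: python dmalock_scan.py <directory>   (script name is an assumption)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    hits, counts = scan_tree(root)
    for path, label in sorted(hits.items()):
        print(f"{label}\t{path}")
    for label, n in sorted(counts.items()):
        print(f"# {n} file(s) flagged as {label}", file=sys.stderr)
```

The per-variant count is useful on its own: it tells you which ransom note and which decryption options (if any) apply to the machine, and the file list gives you the scope of the damage before you decide between restoring from backup and attempting recovery of individual files.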

Screenshot of “DMALocker 4.0” ransomware:

dmalocker 4.0 ransomware

Ransom demanding message:

All your personal files are LOCKED!

WHAT’S HAPPENED?
* All your important files (including => hard disks, network disks, flash, USB) are encrypted.
* All the files are locked with asymmetric algorithm using AES-256 and then RSA-2048 chipper.
* You can’t restore your files because all your backups have been deleted.
* Only way to recover your files is to pay us 1 BTC
* As a proof your can decrypt 1 file FOR FREE by clicking here:

HOW TO PAY US AND DECRYPT YOUR FILES?

1. If your are OFFLINE you can contact us via e-mail: january0040@gmx.com, dma4004@zerobit.en (week4004@fastmail.com) and we will provide you instructions about how to decrypt your files.
2. To pay us, you have to use Bitcoin currency. You can easily buy Bitcoins at following sites:
*https://coincafe.com/
*https://bitquick.co/
*https://www.coinbase.com/

3. If you already have Bitcoins, pay us 1 BTC to the following Bitcoin address:
4. If you have paid, enter following site to get your transaction id.
Click this button to show tutorial how to locate your transaction id:
5. When you have located Transaction ID, paste it to ‘TRANSACTION ID’ field below and, click the “CHECK PAYMENT” button. Confirming your payment by our servers can take up to several hours (we require some bitcoins transaction confirmations). When your payment has been confirmed, the ‘DECRYPT FILES’ button will enable, just click it to decrypt your files.

DMA Locker 4.0 now has a website explaining to victims how to pay the ransom:

dmalocker 4.0 website

Text presented in this website:

Your files have been encrypted!
To decrypt your files you have to pay 1 Bitcoins (BTC).
If the payment is not made and confirmed until [Date] the cost of decrypting your files will increase to 1.5 BTC.
If the payment is not made and confirmed until [Date] we will destroy the key to decrypt your files and it will be impossible to decrypt your files anymore.

How to make payment?
1. Firstly, you have to buy Bitcoins (BTC). You can buy Bitcoins easily at the following site (you can skip this step if you already have Bitcoins).
2. Send 1 BTC to the following Bitcoin address - You don’t have to send the exact amount above. You have to send at least this amount for our systems to confirm payment.
3. Locate the Transaction ID of your payment, enter it into the DMA Locker ’TRANSACTION ID’ field and click the ‘CHECK PAYMENT’ button. To locate the Transaction ID of your payment please refer to the instructions below.
4. When you have entered a valid Transaction ID, our system are going to confirm it. We require at least 3 Bitcoin Transaction confirmations. It can take some time to confirm the Transaction, please be patient. After our systems have confirmed the Transaction, the DMA Locker program will unlock the “DECRYPT” button. Just click it to decrypt all your files :)

How to locate the Transaction ID of your payment?
1. Firstly, go to the following site: blockchain.info
2. There will be a list of Transactions displayed. Just locate your Transaction on the list (your Transaction should be on top of the list).
3. Use the image below to locate your Transaction ID.

DMA Locker ransomware removal:

Instant automatic removal of DMA Locker virus: Manual threat removal might be a lengthy and complicated process that requires advanced computer skills. Spyhunter is a professional automatic malware removal tool that is recommended to get rid of DMA Locker virus. Download it by clicking the button below:


Step 1

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.

Safe Mode with Networking

Video showing how to start Windows 7 in "Safe Mode with Networking":

Windows 8 users: Start Windows 8 in Safe Mode with Networking - Go to the Windows 8 Start Screen, type Advanced, and in the search results select Settings. Click Advanced startup options; in the opened "General PC Settings" window, select Advanced startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced options screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.

Windows 8 Safe Mode with networking

Video showing how to start Windows 8 in "Safe Mode with Networking":

Step 2

Log in to the account infected with the DMA Locker virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.

If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.

Video showing how to remove ransomware virus using "Safe Mode with Command Prompt" and "System Restore":

1. During your computer start process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.

Boot your computer in Safe Mode with Command Prompt

2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER.

system restore using command prompt type cd restore

3. Next, type this line: rstrui.exe and press ENTER.

system restore using command prompt rstrui.exe

4. In the opened window, click "Next".

restore system files and settings

5. Select one of the available Restore Points and click "Next" (this will restore your computer system to an earlier time and date, prior to the DMA Locker ransomware virus infiltrating your PC).

select a restore point

6. In the opened window, click "Yes".

run system restore

7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining DMA Locker ransomware files.

To restore individual files encrypted by this ransomware, try using Windows Previous Versions feature. This method is only effective if the System Restore function was enabled on an infected operating system. Note that some variants of DMA Locker are known to remove Shadow Volume Copies of the files, so this method may not work on all computers.

To restore a file, right-click on it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the "Restore" button.

Restoring an encrypted file using the Previous Versions tab
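Both the Previous Versions tab and Shadow Explorer depend on Volume Shadow Copies still existing, and several DMA Locker variants delete them (the ransom notes above claim as much). Before spending time on either, check what is left with "vssadmin list shadows" from an elevated prompt. The script below is an added example, not code from the original page: it parses that listing and counts the surviving shadow copies per original volume. The output layout it parses and the "No items found" message are assumptions about vssadmin's usual format, and the sample listing is constructed, not captured from a real host.

```python
#!/usr/bin/env python3
"""Check whether Volume Shadow Copies survived a ransomware run.

Added example, not code from the original page. "vssadmin list shadows"
(elevated prompt) lists the remaining shadow copies; this script counts
them per original volume so you know whether Previous Versions or Shadow
Explorer can recover anything at all. The output layout parsed here and
the "No items found" message are assumptions about vssadmin's usual
format, not facts stated on the page.
"""
import re
import subprocess

VOLUME_RE = re.compile(r"Original Volume:\s*\((?P<drive>[A-Za-z]:)\)")
SNAPSHOT_RE = re.compile(r"Shadow Copy Volume:\s*(?P<path>\S+)")


def parse_vssadmin(text: str) -> dict:
    """Map each original drive letter to the shadow copy device paths listed for it."""
    copies = {}
    current = None
    for line in text.splitlines():
        m = VOLUME_RE.search(line)
        if m:
            current = m.group("drive").upper()
            copies.setdefault(current, [])
            continue
        m = SNAPSHOT_RE.search(line)
        if m and current is not None:
            copies[current].append(m.group("path"))
    return copies


def has_shadow_copies(copies: dict) -> bool:
    """True if at least one volume still has a shadow copy."""
    return any(paths for paths in copies.values())


def live_shadow_copies() -> dict:
    """Run vssadmin on the local Windows host; needs an elevated prompt."""
    proc = subprocess.run(["vssadmin", "list", "shadows"],
                          capture_output=True, text=True, check=False)
    return parse_vssadmin(proc.stdout)


# Constructed sample output, assumed to follow vssadmin's layout; not from a real host.
SAMPLE = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {11111111-2222-3333-4444-555555555555}
   Contained 2 shadow copies at creation time: 4/27/2016 9:12:03 AM
      Shadow Copy ID: {aaaaaaaa-0000-0000-0000-000000000001}
         Original Volume: (C:)\\?\Volume{66666666-7777-8888-9999-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: WORKSTATION01
      Shadow Copy ID: {aaaaaaaa-0000-0000-0000-000000000002}
         Original Volume: (D:)\\?\Volume{77777777-8888-9999-0000-111111111111}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4
         Originating Machine: WORKSTATION01

Contents of shadow copy set ID: {22222222-3333-4444-5555-666666666666}
   Contained 1 shadow copies at creation time: 5/2/2016 7:30:15 PM
      Shadow Copy ID: {aaaaaaaa-0000-0000-0000-000000000003}
         Original Volume: (C:)\\?\Volume{66666666-7777-8888-9999-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5
         Originating Machine: WORKSTATION01
"""

# What vssadmin prints (assumed wording) when every shadow copy has been deleted.
NO_SHADOWS = "No items found that satisfy the query.\n"

if __name__ == "__main__":
    copies = parse_vssadmin(SAMPLE)          # swap for live_shadow_copies() on the host
    for drive, paths in sorted(copies.items()):
        print(f"{drive} {len(paths)} shadow copy/copies: {', '.join(paths)}")
    print("any left:", has_shadow_copies(copies))
```

If the listing is empty, skip Previous Versions and Shadow Explorer and go straight to offline backups; if copies exist, note the device paths, because a shadow copy taken after the encryption run contains encrypted files and only the older ones are worth mounting.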

If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode making its removal complicated. For this step, you require access to another computer.

To regain control of the files encrypted by DMA Locker, you can also try using a program called Shadow Explorer. More information on how to use this program is available here.

shadow explorer screenshot

To protect your computer from file encrypting ransomware such as this, use reputable antivirus and anti-spyware programs. As an extra protection method, you can use programs called HitmanPro.Alert and Malwarebytes Anti-Ransomware, which monitor file activity for encryption behaviour and block rogue programs such as DMA Locker ransomware before they reach your files.

HitmanPro.Alert CryptoGuard - detects encryption of files and neutralises any attempts without need for user intervention:

hitmanproalert ransomware prevention application

Malwarebytes Anti-Ransomware Beta uses advanced proactive technology that monitors ransomware activity and terminates it immediately - before reaching users' files:

malwarebytes anti-ransomware

The best way to avoid damage from ransomware infections is to maintain regular, up-to-date backups. More information on online backup solutions and data recovery software is available here.

Other tools known to remove DMA Locker ransomware: