DMA Locker Ransomware Removal Guide

Do you know what DMA Locker Ransomware is?

DMA Locker Ransomware is the name of a serious malware infection that may ring a bell for more experienced computer users. As a matter of fact, our researchers say that this Trojan ransomware is the 4th-generation variant of an infection known as MadLocker/DMA Ransomware. If this malware finds a way onto your system, you can be sure that all your documents, photos, and videos will get encrypted, and you will not be able to decrypt and access them again unless you pay the ransom fee or have a copy of your files as a backup on an external disk. Unfortunately, even paying the ransom is no guarantee that your files will be decrypted. You should not forget that you are dealing with criminals, and they are not the trustworthy kind. Their only aim is to extort money from you; nothing else is their concern. According to our researchers, it is essential that you remove DMA Locker Ransomware if you want to use your computer ever again.

In order to protect your computer from this and similar Trojan ransomware infections, it is essential to understand how they travel on the web and how it is possible to get infected by them. Most users do not know that they themselves are responsible for downloading and activating most Trojans and other malware threats. This does not mean, of course, that there are no infections that can sneak onto your computer without your knowledge and permission, i.e., right behind your back. But usually these infections require your click. In this case, you need to click on a malicious file attached to a spam e-mail. In fact, spam mails are the most frequently used conduit for Trojan ransomware programs.

It is quite easy to deceive people with a seemingly official sender name and subject. Who would not open a mail that seems to be an urgent invoice or an error message? And, of course, once you open such a spam, why would you not download and run the attached file, since it may be an “important” invoice or other document you “need to” check right away? At least, this is what the criminals behind such spam mails want you to think and feel. And they succeed, too, because otherwise DMA Locker Ransomware could not even spread over the web. The lesson here is definitely that you should not take your inbox for granted. Even if your mails are protected by a spam filter, such misleading spams can still slip through. You should always make sure that the mails you open, and the links and files you click on in them, were specifically sent to you. It is worth double-checking instead of falling into such a trap and ending up with all your files encrypted. We advise you to remove DMA Locker Ransomware the moment you realize that this beast has set foot on your system.

This Trojan ransomware, like many others in this category, mainly targets your most personal files (documents, videos, photos, archives) so that the criminals behind this attack have leverage. If they took only useless files hostage, who would actually pay the ransom fee, right? This infection uses a built-in Windows encryption algorithm called AES-256 to encrypt the targeted files. The key it uses for both encryption and decryption is itself encrypted with the RSA-2048 algorithm, which makes it impossible to crack it and decipher your files without the private key. That is why the criminals store this key on a remote server. Once the damage is done, you will see the ransom note, which covers your screen with a warning-red background.

This note informs you that your files have been encrypted and that you have to pay 1 Bitcoin, which is around 440 US dollars, if you want to decrypt your files. There are also some details about how to make a Bitcoin transfer. Once you pay and get a transaction ID, you are supposed to enter it in the given field and press the Check Payment button. It could take a few hours for these crooks to “get back to you” after they check whether the payment is really there, and then the Decrypt Files button should be enabled if everything goes smoothly. However, do not forget that these are criminals, and they probably could not care less about your files or whether you can ever use them again. Another thing about DMA Locker Ransomware is that the infection may lose its connection to the Command and Control (C2) servers, which is a common phenomenon. This loss of communication can mean the loss of your private key as well, since even if you transfer the fee, the program will not be able to contact the servers to get your decryption key. Although it is entirely your decision whether to pay or not, we suggest that you delete DMA Locker Ransomware as soon as possible.

You are given 4 days to pay, or else the fee becomes 1.5 Bitcoins. After another 4 days the key will be deleted if you do not transfer the money. This ransom note may scare many users into paying right away. We hope it is clear now why it is so important to regularly make backup copies onto an external drive: in such a nightmarish situation, a backup could save you. But even if you are lucky enough to have such a copy, you should remove DMA Locker Ransomware first and only then transfer the clean files back onto your PC.

Fortunately, this Trojan ransomware does not block your screen and system files either; therefore, you can quite easily eliminate this threat. Please follow our manual guide below if you feel up to the task. We also recommend that you install a reputable security tool to protect your computer from malware attacks if you do not want to go on a manual hunt every time an infection enters your PC. It is just as important to keep all your programs and drivers updated if you want to do more for the protection of your virtual world.

DMA Locker Ransomware Removal from Windows

  1. Tap Win+Q and enter regedit in the box. Hit the Enter key.
  2. Find the following registry value names and remove them:
    HKCU\Software\dma_id
    HKCU\Software\dma_public_key
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update (Before you remove this value name, check if its value data is set to "select.bat")
  3. Tap Win+E to launch Windows File Explorer.
  4. Find %ALLUSERSPROFILE% folder and delete these files: cryptoinfo.txt, select.bat, and svchosd.exe
  5. Close the editor.
  6. Empty the Recycle Bin.
  7. Reboot your system.
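As an added example that is not part of the original guide, the PowerShell script below audits a machine for the registry values and dropped files listed in the steps above and reports what it finds; the `-Remove` switch and the running-process check are assumptions added here, and nothing is deleted unless that switch is given.

```powershell
# Added example (not from the original guide): audit a host for the DMA Locker
# artifacts named in the removal steps. Reports by default; -Remove is an
# assumption added here and deletes nothing unless set. Run as the affected user.
param([switch]$Remove)

$findings = @()

# Registry values the guide tells you to remove (under HKCU\Software)
foreach ($name in 'dma_id', 'dma_public_key') {
    $item = Get-ItemProperty -Path 'HKCU:\Software' -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $findings += "Registry value present: HKCU\Software\$name"
        if ($Remove) { Remove-ItemProperty -Path 'HKCU:\Software' -Name $name }
    }
}

# The Run entry named "Windows Update" is only suspicious if its data points at select.bat,
# exactly the check the guide asks you to make before deleting it.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'Windows Update' -ErrorAction SilentlyContinue
if ($null -ne $run -and $run.'Windows Update' -match 'select\.bat') {
    $findings += "Run entry 'Windows Update' -> $($run.'Windows Update')"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name 'Windows Update' }
}

# Assumption added here: a running svchosd process would hold its file open,
# so it is reported (and stopped only with -Remove) before the file is deleted.
$proc = Get-Process -Name 'svchosd' -ErrorAction SilentlyContinue
if ($null -ne $proc) {
    $findings += "Process running: svchosd (PID $($proc.Id -join ', '))"
    if ($Remove) { $proc | Stop-Process -Force }
}

# Files the guide says are dropped into %ALLUSERSPROFILE%; hash them for the incident record
$dir = [Environment]::GetEnvironmentVariable('ALLUSERSPROFILE')
foreach ($f in 'cryptoinfo.txt', 'select.bat', 'svchosd.exe') {
    $p = Join-Path $dir $f
    if (Test-Path -LiteralPath $p) {
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings += "File present: $p (SHA256 $hash)"
        if ($Remove) { Remove-Item -LiteralPath $p -Force }
    }
}

if ($findings.Count -eq 0) { 'No DMA Locker artifacts found.' } else { $findings }
```

Record the reported hashes before running with `-Remove`, since the files are gone afterwards and the hashes are what you would pass to your security vendor or use to check other machines.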

In non-techie terms:

DMA Locker Ransomware is a dangerous Trojan infection that is not unknown to researchers as it seems to be the 4th version of a well-known malware program called MadLocker/DMA Ransomware. This infection is a severe hit against your operating system and your files. In fact, all your personal files get encrypted with an algorithm that you cannot decipher without the decryption key or private key that the criminals store on a remote server until you pay the demanded ransom fee. If you do not pay within 8 days, this key will be deleted. But do not be too hopeful even if you are willing to pay the fee because it is quite possible that you will not be able to use your files again unless you have an external backup. Although it will not give your files back, we recommend that you delete DMA Locker Ransomware immediately if you want to restore order on your PC. If you want to protect your computer from similar attacks, we suggest that you use a professional malware removal application.