Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


Remove DMA Locker 4.0 Ransomware and Restore AES and RSA Encrypted Files

dmalocker-ransomware-sensorstechforumThe latest by the notorious malware variants DMA Locker is now here, and it means business. Dubbed “!DMALOCK4.0” In its hex prefix, the 4th version of the ransomware uses two ciphers to encrypt the files of infected users – AES and RSA algorithms. The encrypted files do not have any extension, and a scary ransom message appears with a padlock picture to motivate infected victims to pay the 1 BitCoin ransom money. Since there is no guarantee that paying the ransom will get the files decrypted it is strongly advisable NOT to pay anything and remove DMA Locker 4.0 from the affected PC, instructions for which you may find below. If you want to restore your files, we strongly advise reading this article for more information on your options.

Threat Summary

Name DMA Locker 4.0
Type Ransomware
Short Description The ransomware encrypts files with the RSA-4096 algorithm and AES-256 ciphers and asks a ransom for decryption.
Symptoms Files are encrypted and become inaccessible. A ransom note with instructions for paying the ransom shows as a “cryptinfo.txt” file.
Distribution Method Spam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by DMA Locker 4.0

Download

Malware Removal Tool

User Experience Join our forum to Discuss DMA Locker 4.0 Ransomware.

DMA Locker 4.0 Distribution

The notorious DMA Locker did not change much when it comes to its spread. It still uses a malicious .exe process that is most likely obfuscated to avoid anti-malware detection. The cyber-threat has even been reported to hide its malicious .exe files, as PDF documents, like the example posted below:

pdf-sensorstechforum-dma-locker-malware

This suggests that the ransomware may have been spread via malicious spam mails sent out to users written to convince them to either open an attachment or click on a malicious URL. Researchers have successfully detected that a Neutrino exploit kit has been used to spread DMA Locker 4.0 suggesting that it may be spread primarily via URLs posted online or in spam messages.

DMA Locker 4.0 In Detail

Once DMA Locker has confirmed successful infection by connecting to the C&C (Command and Control) center of the cyber-criminals, the cyber-threat drops the following malicious files in %Program Data%:

A “select.bat” file

This file may be used to delete the shadow volume copies of the infected computer, by executing an escalated privilege command, called “delete shadows”:

→ “vssadmin delete shadows /for={Volume of the drive} /all”

The other function of “select.bat” has been reported to be to display the “cryptinfo.txt” file on system startup.

Furthermore, the select.bat file may add registry entries that contain names such as “Windows Firewall” or “Windows Update”.

A “cryptinfo.txt” file

This file is most likely the ransom message which may be displayed every time you boot Windows. The ransom message is as follows:

→ ! ! ! ATTENTION ! ! !
ALL YOUR FILES HAVE BEEN ENCRYPTED!
– IF YOU WAN TO RECOVER YOUR FILES
FOLLOW THE INSTRUCTIONS AT THIS WEBSITE:
http://5.8.63.31/crypto/client_payment_instructions?botID={UNIQUE ID OF VICTIM PC HERE}

A “svchosd.exe” application:

This application is most likely the encryptor. It may run on system startup and encrypt files with the following file extensions:

→ “PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”Source:fileinfo.com

The ransomware uses two algorithms to encrypt the files AES and RSA ciphers.

To understand how the files are encrypted, please visit the following related article:
Ransomware Encryption Explained – Why Is It So Effective?

The encrypted files do not have any extension set on them, but they are still inaccessible. After encryption, Malwarebytes has reported that DMA Locker 4.0 displays the following window:

dmalocker-4.0-ransom-note-instructions-sensorstechforum-remove

DMA Locker – The Good News

The good news about DMA Locker is that it requires internet access to send the RSA encrypted AES key for decryption of the files. This is an opportunity, because if the ransomware infects your computer and you stop the connection during the infection process, it will not encrypt your files.

It may also be an opportunity to decrypt your files if you are a bit too late. Since the ransomware sends the key via internet connection, this means that it opens up a port on the infected machine. This represents a good opportunity to get the key using a network sniffer to sniff information from the packets of data sent to the malicious C&C server.

For more information on how to use Wireshark to restore your files, see the following article:
Use Wireshark to Decrypt Encoded Files by Ransomware

Removing DMA Locker 4.0

Whatever the case may be for you, it is almost imperative to remove DMA Locker 4.0 from your PC. This can happen by following the step-by-step instructions prepared for you below. They also contain alternative methods that may help you restore at least a small portion of your files.

Manually delete DMA Locker 4.0 from your computer

Note! Substantial notification about the DMA Locker 4.0 threat: Manual removal of DMA Locker 4.0 requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove DMA Locker 4.0 files and objects
2.Find malicious files created by DMA Locker 4.0 on your PC
3.Fix registry entries created by DMA Locker 4.0 on your PC

Automatically remove DMA Locker 4.0 by downloading an advanced anti-malware program

1. Remove DMA Locker 4.0 with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by DMA Locker 4.0 in the future
3. Restore files encrypted by DMA Locker 4.0
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.