DMA Locker 3.0 Ransomware Released With Stronger Encryption of Files

The older version of DMA Locker, detected at the beginning of February, encrypted files that could eventually be decrypted. As expected, cyber-crooks have now written a newer version that uses more advanced encryption methods. The newer version also works differently in other respects. Users who have seen its red screen, illustrated further in this article, should not pay the 4 BTC ransom demanded to decrypt their files and should seek alternative methods of file restoration.

Threat Summary

  • Name: DMA Locker 3.0
  • Short Description: The ransomware encrypts files with the RSA-2048 algorithm and AES-256 ciphers and asks a ransom of 4 BTC for file decryption.
  • Symptoms: Files are encrypted and become inaccessible. A ransom note with instructions for paying the ransom shows as a .txt file.
  • Distribution Method: Spam emails, email attachments, file-sharing networks.


The previous version of DMA Locker had flaws, and the files it encrypted were decryptable. Most likely the malware writers behind it decided to update it, fixing those flaws and using more sophisticated encryption.

Malwarebytes researchers report that, on startup, the ransomware checks for the following Windows processes:

  • rstrui.exe
  • ShadowExplorer.exe
  • sesvc.exe
  • cbengine.exe

If any of these processes is detected, the malware terminates it, and it may also delete your Shadow backups if you have any.

DMA Locker may also create several executable files on the computer upon infection. The executables have varying names and may be located in the following folders:

[Image: commonly used file names and folders]

There are also two text files located in the %ProgramData% folder, named as follows:

  • Cryptinfo.txt
  • Date_1.txt

Besides those files, DMA Locker may create the following registry value so that its malicious executable runs at every system startup:

  • In “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run”, a REG_SZ value named “{malicious exe name}”
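
One way to check a host for the indicators listed above (the two text files in %ProgramData% and the Run entry), added here as an example that is not part of the original analysis. The file names and the key path come from the article; the function names and the signature-based review of Run entries are assumptions, since the article does not give the executable's name.

```powershell
# Added triage example. Indicator names come from the article; the review logic is an assumption.
$MarkerNames = 'Cryptinfo.txt', 'Date_1.txt'
$RunKeyPath  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

function Get-MarkerFile {
    # Report the two text files the article places in %ProgramData%.
    param([string]$Root = $env:ProgramData)
    foreach ($name in $MarkerNames) {
        $path = Join-Path -Path $Root -ChildPath $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            Get-Item -LiteralPath $path -Force |
                Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc
        }
    }
}

function Get-RunEntry {
    # List every value under the Run key with its type, target file and signature state.
    param([string]$KeyPath = $RunKeyPath)
    if (-not (Test-Path -LiteralPath $KeyPath)) { return }
    $key = Get-Item -LiteralPath $KeyPath
    foreach ($valueName in $key.GetValueNames()) {
        $command = [Environment]::ExpandEnvironmentVariables([string]$key.GetValue($valueName))
        # Take the quoted path if present, otherwise everything up to the first ".exe".
        $target = $null
        if ($command -match '^\s*"([^"]+)"') { $target = $Matches[1] }
        elseif ($command -match '^\s*(.+?\.exe)') { $target = $Matches[1] }
        $exists = [bool]($target -and (Test-Path -LiteralPath $target -PathType Leaf))
        $signature = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $target).Status } else { 'FileNotFound' }
        [pscustomobject]@{
            ValueName = $valueName
            Kind      = $key.GetValueKind($valueName)
            Command   = $command
            Target    = $target
            Signature = $signature
        }
    }
}

$markers = @(Get-MarkerFile)
$entries = @(Get-RunEntry)
$markers | Format-List | Out-Host
# Entries without a valid signature are candidates for manual review, not a verdict.
$entries | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize -Wrap | Out-Host
if ($markers.Count -gt 0) { Write-Warning 'DMA Locker marker file(s) present in ProgramData.' }
```

Run it from an elevated PowerShell session on the suspect machine, and record the marker files' timestamps before any cleanup, because they help date the infection.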

DMA Locker 3.0 – File Encryption

To encrypt the user’s files, the ransomware calls a dedicated encryption module. Malware researchers report that it uses the AES-256 encryption algorithm and, after careful analysis, they believe it follows a specific strategy for encrypting each file. One element may be a larger header, and the encryptor may encrypt only portions of a file’s contents rather than the whole file.

However, unlike the previous version, this version of DMA Locker may use a different RSA key for every file it encrypts, similar to CryptoWall 3.0. The ransomware also provides the user with a custom decryptor, allowing him to pay the ransom, which has now doubled (4 BTC instead of 2 for the previous version), and decrypt the files himself.


DMA Locker 3.0 – Distribution

DMA Locker uses several different techniques to spread. For starters, this ransomware is not focused much on hiding. In fact, its malicious executable may be distributed via malicious URLs that download it directly or via email attachments. In addition, the malware does not delete itself afterwards, leaving it open for malware researchers, such as the specialists at Malwarebytes, to analyze thoroughly.

Remove DMA Locker 3.0 and Restore Encrypted Files

To remove DMA Locker, we suggest using the manual or automatic deletion instructions below. Unfortunately, if you wish to restore files encrypted by DMA Locker, there is currently no solution for direct decryption of the 3.0 version. We strongly advise you to follow our forum for updates in case a solution becomes available; in the meantime, you may try the alternative restoration methods from step 3 below.

Manually delete DMA Locker 3.0 from your computer

Note! Important information about the DMA Locker 3.0 threat: manual removal of DMA Locker 3.0 requires changes to system files and the registry, so it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove DMA Locker 3.0 files and objects
2. Find malicious files created by DMA Locker 3.0 on your PC
3. Fix registry entries created by DMA Locker 3.0 on your PC

Automatically remove DMA Locker 3.0 by downloading an advanced anti-malware program

1. Remove DMA Locker 3.0 with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by DMA Locker 3.0 in the future
3. Restore files encrypted by DMA Locker 3.0
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
