
DMA Locker 3.0 Ransomware Released With Stronger Encryption of Files

Since the older version of DMA Locker, detected at the beginning of February, encrypted files in a way that eventually allowed them to be decrypted, it is no surprise that we now see a newer version, written by cyber-crooks, which uses even more advanced encryption methods. The newer version also differs in how it works. Users who have seen its red screen, illustrated further in this article, should not pay the 4 BTC ransom demanded to decrypt their files, and should instead seek alternative methods of file restoration.

Threat Summary

Name: DMA Locker 3.0
Short Description: The ransomware encrypts files with the RSA-2048 algorithm and the AES-256 cipher and asks a ransom of 4 BTC for file decryption.
Symptoms: Files are encrypted and become inaccessible. A ransom note with instructions for paying the ransom is dropped as a .txt file.
Distribution Method: Spam emails, email attachments, file-sharing networks.


Since the previous version of DMA Locker had flaws and the files it encrypted were decryptable, the malware writers behind it most likely decided to update it, fixing those flaws and using even more sophisticated encryption.

Malwarebytes researchers report that, on startup, the ransomware checks for the following Windows processes:

  • rstrui.exe
  • ShadowExplorer.exe
  • sesvc.exe
  • cbengine.exe

If any of these processes is found running, the malware terminates it, and it may also delete your Shadow Copy backups, if you have any.

The DMA Locker ransomware may also create several differently named executable files on the computer upon infection; they may be located in the following folders:

[Image: commonly used file names and folders]

There are also two text files located in the %ProgramData% folder, named as follows:

  • Cryptinfo.txt
  • Date_1.txt

Besides those files, DMA Locker may create the following registry entry, so that its malicious executable runs every time the system starts:

  • In “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run”, a REG_SZ value named “{malicious exe name}”
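The process-termination, ransom-note and Run-key behaviours listed above can be tied together into one triage rule. The following is an added example, not code from the article or from Malwarebytes; the event dictionaries, field names and the `detect`/`classify` functions are constructed here for the demonstration, and the rule only fires when a single process shows at least two of the three indicator families, since a Run-key write on its own is common for legitimate software.

```python
"""Added example: triage rule for the DMA Locker 3.0 behaviours described in the article.
Runs offline over constructed Sysmon-style events (invented field layout for the demo)."""
from collections import defaultdict

# Indicators taken from the article text.
BACKUP_TOOLS = {"rstrui.exe", "shadowexplorer.exe", "sesvc.exe", "cbengine.exe"}
NOTE_FILES = {"cryptinfo.txt", "date_1.txt"}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"


def classify(event):
    """Map one event to an indicator family name, or None if it matches nothing."""
    kind = event["type"]
    if kind == "process_terminate" and event["target"].lower() in BACKUP_TOOLS:
        return "kills_backup_tool"
    if kind == "file_create":
        path = event["path"].lower()
        if "\\programdata\\" in path and path.rsplit("\\", 1)[-1] in NOTE_FILES:
            return "drops_ransom_note"
    if kind == "registry_set":
        if event["key"].lower() == RUN_KEY and event["value_type"] == "REG_SZ":
            return "run_key_persistence"
    return None


def detect(events, min_families=2):
    """Group indicator families per source pid; report pids hitting >= min_families."""
    hits = defaultdict(set)
    for ev in events:
        family = classify(ev)
        if family:
            hits[ev["pid"]].add(family)
    return {pid: sorted(fams) for pid, fams in hits.items() if len(fams) >= min_families}


# Constructed sample telemetry: pid 4242 behaves like DMA Locker, pid 77 is benign software
# that merely registers itself in the Run key (one family only, so it must not fire).
RUN = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_EVENTS = [
    {"type": "process_terminate", "pid": 4242, "target": "ShadowExplorer.exe"},
    {"type": "process_terminate", "pid": 4242, "target": "rstrui.exe"},
    {"type": "file_create", "pid": 4242, "path": r"C:\ProgramData\Cryptinfo.txt"},
    {"type": "registry_set", "pid": 4242, "key": RUN, "value_type": "REG_SZ"},
    {"type": "process_terminate", "pid": 77, "target": "notepad.exe"},
    {"type": "registry_set", "pid": 77, "key": RUN, "value_type": "REG_SZ"},
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))  # only pid 4242 is reported
```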

DMA Locker 3.0 – File Encryption

To encrypt the user’s files, the ransomware invokes a dedicated encryption module. Malware researchers report that it uses the AES-256 encryption algorithm and, after careful analysis, believe it follows a specific strategy for each file: the encrypted file carries a larger header, and the encryptor may encrypt only portions of the file’s content rather than the whole file.

However, unlike the previous version, this version of DMA Locker may use a different RSA key for every file it encrypts, similar to CryptoWall 3.0. On top of that, the ransomware also provides the victim with a custom decryptor, so that after paying the ransom, which has now doubled (4 BTC instead of 2 for the previous version), the victim can decrypt the files without further contact.


DMA Locker 3.0 – Distribution

To spread in the wild, DMA Locker uses several different techniques. For starters, this ransomware does not focus much on hiding: its malicious executable may be distributed directly via malicious URLs that download it, or via email attachments. Moreover, the malware does not delete itself afterwards, leaving it available for malware researchers, such as the specialists at Malwarebytes, to analyze thoroughly.

Remove DMA Locker 3.0 and Restore Encrypted Files

To remove DMA Locker, we suggest using the manual or automatic deletion instructions below. If you wish to restore files encrypted by DMA Locker, unfortunately there is currently no solution for direct decryption of the 3.0 version. However, we strongly advise you to follow our forum for updates in case a solution becomes available; in the meantime, you may try the alternative restoration methods from step “.3” below.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
