“All your personal files are LOCKED!”– Remove Fake DMA Locker 3.0 - How to, Technology and PC Security Forum | SensorsTechForum.com

“All your personal files are LOCKED!”– Remove Fake DMA Locker 3.0

This article aims to help you remove the fake DMA Locker 3.0 ransomware virus and restore files with the !Encrypt! file marker in their hex.

A ransomware virus, named fake DMA Locker 3.0 has been reported by malware researchers to use the combination of AES and RSA encryption algorithm to encipher the files on the computers infected by the virus. The virus also uses the ransom note of DMA Locker 3.0 which is titled “All your personal files are LOCKED!”, but does not have a name itself. The fake DMA Locker 3.0 ransomware’s end goal is to get the victims of the virus to pay 1 BTC in order to get their files restored back to working state. In case you have been infected by this virus, we advise you to read this article.

Threat Summary

NameFake DMA Locker 3.0
TypeRansomware, Cryptovirus
Short DescriptionEncrypts the files on the compromised computer after which demands the victims to pay 1 BTC to get them to open again.
SymptomsDMA Locker 3.0 ransom note (on the picture above) is displayed.
Distribution MethodSpam Emails, malciious Email Attachments or URLs embedded on e-mails that lead to the infection links or files, executable files, fake setups, fake updates.
Detection Tool See If Your System Has Been Affected by Fake DMA Locker 3.0


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Fake DMA Locker 3.0.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Fake DMA Locker 3.0 – Infection Methods

In order to infect it’s victims, the fraudulent DMA Locker 3.0 ransomware may use spam campaigns that help it to come 1 step closer to it’s end goal – to get the victims to pay the ransom. To do this, the cyber-criminals may undertake multiple different activities such as:

  • Distributing the malware via spam e-mails, pretending it is an important invoice attached to the e-mail.
  • Via fake Java or Flash Player updates advertised online or via adware.
  • Through other files, pretending to be key generators, activators or game cracks uploaded on suspicious sites.

Once the victim has opened the malicious file, which is usually a loader, the fake DMA Locker 3.0 drops it’s malicious files on the victim’s computer, among which is the fake process svchosd.exe. It most likely aims to mimic the legitimate process svchost.exe. This malicious file and other files of the fake DMA Locker 3.0 infection may be dropped under different names in various Windows locations, for example:

Fake DMA Locker 3.0 – Analysis

In addition to dropping the files, the Fake DMA Locker 3.0 ransomware virus is responsible for series of malicious activities on the infected computers. The first one of those activities is to obtain administrative permissions via the fake process it executes. Then, the Fake DMA Locker 3.0 virus may modify the registry sub-keys of Windows that are responsible for the running of the file that encrypts data on your computer. The keys are as follows:

  • Run
  • RunOnce

They are located in the Windows Registry Editor. You can use the following command to see which values are added in the Run and RunOnce keys:

→wmic startup get Caption, Location, Command /format:list > 0 & notepad 0

After this it will save the results in a notepad file.

Besides this activity the fake DMA Locker 3.0 virus may also delete the shadow copies of the infected computer, eliminating the option to restore the files via this feature. The commands may be the following:

→ process call create “cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

Then, the fake DMA Locker virus may proceed with encrypting your files.

Fake DMA Locker’s Encryption Process

The encryption of this virus is a more sophisticated one. It uses a combination of RSA as well as AES encryption algorithms to render the files on the infected computer unable to be opened. The ransomware may attack the following file types:


After the encryption has been completed, no file extension is added to the encrypted files. The only method to see if the files are encrypted by this specific variant is to check their file marker in a hex editor or reader software. The file marker !Encrypt! is appended to all the encoded documents, videos, audio files and other important documents.

The ransomware also adds the DMA Locker 3.0’s ransom note which is as follows:

“All your personal files are LOCKED!
* All your important files(including hard disks, network disks, flash, USB) are encrypted.
* All of files are locked with asymetric algorithm using AES-256 and then RSA-2048 cipher.
* You are not possible to unlock your files because all your backups are removed.
* Only way to unlock your files is to pay us 1500 GBP in Bitcoin currency ( 1.0 BTC ).
After payment we will send you decryption key automatically, which allow you to unlock files.
1. Please read the steps carefully.
2. To pay us, you have to use Bitcoin currency. You can easily buy Bitcoins at following sites:
* https://www.coinfloor.co.uk/
* https://localbitcoins.com/
* https://www.coinbase.com/
3. If you already have Bitcoins, pay us 1.0 BTC (1500 GBP) on following Bitcoin address:
4. After payment, necessarily contact with us to get your decryption key:
[email protected] In mail title write your unigue ID:
5. We will automatically send you decryption key file after bitcoin transfer .
When you receive your decryption key file, press “OPEN” button and choose your received
decryption key file.
Then, press the “UNLOCK FILES” button and it will start unlocking all your files.
* You have 96 hours to pay us!
* After this time ransom will grow to
200 percent
* Ransom grow time:”

Remove Fake DMA Locker 3.0 and Get Back Your Files

After this ransomware has been identified, you can remove it by following the removal instructions down below. They are divided in manual and automatic instructions and experts strongly suggest to remove the virus automatically for best results.

After removing this threat, it is strongly advisable to focus on restoring the files encrypted by it using alternative methods, like the ones below in step “2. Restore files encrypted by Fake DMA Locker 3.0”. They are specifically designed to assist you in recovering at least some of the encrypted files since at the moment there is no decrypter for this virus that can directly decode the files. However, we advise you to check this article often as we will update it as soon as there is one available.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share