Remove DMA Locker 4.0 Ransomware and Restore AES and RSA Encrypted Files - How to, Technology and PC Security Forum |

Remove DMA Locker 4.0 Ransomware and Restore AES and RSA Encrypted Files

dmalocker-ransomware-sensorstechforumThe latest by the notorious malware variants DMA Locker is now here, and it means business. Dubbed “!DMALOCK4.0” In its hex prefix, the 4th version of the ransomware uses two ciphers to encrypt the files of infected users – AES and RSA algorithms. The encrypted files do not have any extension, and a scary ransom message appears with a padlock picture to motivate infected victims to pay the 1 BitCoin ransom money. Since there is no guarantee that paying the ransom will get the files decrypted it is strongly advisable NOT to pay anything and remove DMA Locker 4.0 from the affected PC, instructions for which you may find below. If you want to restore your files, we strongly advise reading this article for more information on your options.

Threat Summary

NameDMA Locker 4.0
Short DescriptionThe ransomware encrypts files with the RSA-4096 algorithm and AES-256 ciphers and asks a ransom for decryption.
SymptomsFiles are encrypted and become inaccessible. A ransom note with instructions for paying the ransom shows as a “cryptinfo.txt” file.
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by DMA Locker 4.0


Malware Removal Tool

User ExperienceJoin our forum to Discuss DMA Locker 4.0 Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

DMA Locker 4.0 Distribution

The notorious DMA Locker did not change much when it comes to its spread. It still uses a malicious .exe process that is most likely obfuscated to avoid anti-malware detection. The cyber-threat has even been reported to hide its malicious .exe files, as PDF documents, like the example posted below:


This suggests that the ransomware may have been spread via malicious spam mails sent out to users written to convince them to either open an attachment or click on a malicious URL. Researchers have successfully detected that a Neutrino exploit kit has been used to spread DMA Locker 4.0 suggesting that it may be spread primarily via URLs posted online or in spam messages.

DMA Locker 4.0 In Detail

Once DMA Locker has confirmed successful infection by connecting to the C&C (Command and Control) center of the cyber-criminals, the cyber-threat drops the following malicious files in %Program Data%:

A “select.bat” file

This file may be used to delete the shadow volume copies of the infected computer, by executing an escalated privilege command, called “delete shadows”:

→ “vssadmin delete shadows /for={Volume of the drive} /all”

The other function of “select.bat” has been reported to be to display the “cryptinfo.txt” file on system startup.

Furthermore, the select.bat file may add registry entries that contain names such as “Windows Firewall” or “Windows Update”.

A “cryptinfo.txt” file

This file is most likely the ransom message which may be displayed every time you boot Windows. The ransom message is as follows:

→ ! ! ! ATTENTION ! ! !

A “svchosd.exe” application:

This application is most likely the encryptor. It may run on system startup and encrypt files with the following file extensions:


The ransomware uses two algorithms to encrypt the files AES and RSA ciphers.

To understand how the files are encrypted, please visit the following related article:
Ransomware Encryption Explained – Why Is It So Effective?

The encrypted files do not have any extension set on them, but they are still inaccessible. After encryption, Malwarebytes has reported that DMA Locker 4.0 displays the following window:


DMA Locker – The Good News

The good news about DMA Locker is that it requires internet access to send the RSA encrypted AES key for decryption of the files. This is an opportunity, because if the ransomware infects your computer and you stop the connection during the infection process, it will not encrypt your files.

It may also be an opportunity to decrypt your files if you are a bit too late. Since the ransomware sends the key via internet connection, this means that it opens up a port on the infected machine. This represents a good opportunity to get the key using a network sniffer to sniff information from the packets of data sent to the malicious C&C server.

For more information on how to use Wireshark to restore your files, see the following article:
Use Wireshark to Decrypt Encoded Files by Ransomware

Removing DMA Locker 4.0

Whatever the case may be for you, it is almost imperative to remove DMA Locker 4.0 from your PC. This can happen by following the step-by-step instructions prepared for you below. They also contain alternative methods that may help you restore at least a small portion of your files.

Manually delete DMA Locker 4.0 from your computer

Note! Substantial notification about the DMA Locker 4.0 threat: Manual removal of DMA Locker 4.0 requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove DMA Locker 4.0 files and objects
2.Find malicious files created by DMA Locker 4.0 on your PC
3.Fix registry entries created by DMA Locker 4.0 on your PC

Automatically remove DMA Locker 4.0 by downloading an advanced anti-malware program

1. Remove DMA Locker 4.0 with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by DMA Locker 4.0 in the future
3. Restore files encrypted by DMA Locker 4.0
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.