Remove DMA Locker 4.0 Ransomware and Restore AES and RSA Encrypted Files - How to, Technology and PC Security Forum |

Remove DMA Locker 4.0 Ransomware and Restore AES and RSA Encrypted Files


with SpyHunter

Scan Your System for Malicious Files
Note! Your computer might be affected by DMA Locker 4.0 and other threats.
Threats such as DMA Locker 4.0 may be persistent on your system. They tend to re-appear if not fully deleted. A malware removal tool like SpyHunter will help you to remove malicious programs, saving you the time and the struggle of tracking down numerous malicious files.
SpyHunter’s scanner is free but the paid version is needed to remove the malware threats. Read SpyHunter’s EULA and Privacy Policy

dmalocker-ransomware-sensorstechforumThe latest by the notorious malware variants DMA Locker is now here, and it means business. Dubbed “!DMALOCK4.0” In its hex prefix, the 4th version of the ransomware uses two ciphers to encrypt the files of infected users – AES and RSA algorithms. The encrypted files do not have any extension, and a scary ransom message appears with a padlock picture to motivate infected victims to pay the 1 BitCoin ransom money. Since there is no guarantee that paying the ransom will get the files decrypted it is strongly advisable NOT to pay anything and remove DMA Locker 4.0 from the affected PC, instructions for which you may find below. If you want to restore your files, we strongly advise reading this article for more information on your options.

Threat Summary

NameDMA Locker 4.0
Short DescriptionThe ransomware encrypts files with the RSA-4096 algorithm and AES-256 ciphers and asks a ransom for decryption.
SymptomsFiles are encrypted and become inaccessible. A ransom note with instructions for paying the ransom shows as a “cryptinfo.txt” file.
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by DMA Locker 4.0


Malware Removal Tool

User ExperienceJoin our forum to Discuss DMA Locker 4.0 Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

DMA Locker 4.0 Distribution

The notorious DMA Locker did not change much when it comes to its spread. It still uses a malicious .exe process that is most likely obfuscated to avoid anti-malware detection. The cyber-threat has even been reported to hide its malicious .exe files, as PDF documents, like the example posted below:


This suggests that the ransomware may have been spread via malicious spam mails sent out to users written to convince them to either open an attachment or click on a malicious URL. Researchers have successfully detected that a Neutrino exploit kit has been used to spread DMA Locker 4.0 suggesting that it may be spread primarily via URLs posted online or in spam messages.

DMA Locker 4.0 In Detail

Once DMA Locker has confirmed successful infection by connecting to the C&C (Command and Control) center of the cyber-criminals, the cyber-threat drops the following malicious files in %Program Data%:

A “select.bat” file

This file may be used to delete the shadow volume copies of the infected computer, by executing an escalated privilege command, called “delete shadows”:

→ “vssadmin delete shadows /for={Volume of the drive} /all”

The other function of “select.bat” has been reported to be to display the “cryptinfo.txt” file on system startup.

Furthermore, the select.bat file may add registry entries that contain names such as “Windows Firewall” or “Windows Update”.

A “cryptinfo.txt” file

This file is most likely the ransom message which may be displayed every time you boot Windows. The ransom message is as follows:

→ ! ! ! ATTENTION ! ! !

A “svchosd.exe” application:

This application is most likely the encryptor. It may run on system startup and encrypt files with the following file extensions:


The ransomware uses two algorithms to encrypt the files AES and RSA ciphers.

To understand how the files are encrypted, please visit the following related article:
Ransomware Encryption Explained – Why Is It So Effective?

The encrypted files do not have any extension set on them, but they are still inaccessible. After encryption, Malwarebytes has reported that DMA Locker 4.0 displays the following window:


DMA Locker – The Good News

The good news about DMA Locker is that it requires internet access to send the RSA encrypted AES key for decryption of the files. This is an opportunity, because if the ransomware infects your computer and you stop the connection during the infection process, it will not encrypt your files.

It may also be an opportunity to decrypt your files if you are a bit too late. Since the ransomware sends the key via internet connection, this means that it opens up a port on the infected machine. This represents a good opportunity to get the key using a network sniffer to sniff information from the packets of data sent to the malicious C&C server.

For more information on how to use Wireshark to restore your files, see the following article:
Use Wireshark to Decrypt Encoded Files by Ransomware

Removing DMA Locker 4.0

Whatever the case may be for you, it is almost imperative to remove DMA Locker 4.0 from your PC. This can happen by following the step-by-step instructions prepared for you below. They also contain alternative methods that may help you restore at least a small portion of your files.

Note! Your computer system may be affected by DMA Locker 4.0 and other threats.
Scan Your PC with SpyHunter
SpyHunter is a powerful malware removal tool designed to help users with in-depth system security analysis, detection and removal of threats such as DMA Locker 4.0.
Keep in mind, that SpyHunter’s scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter’s malware removal tool to remove the malware threats. Read our SpyHunter 5 review. Click on the corresponding links to check SpyHunter’s EULA, Privacy Policy and Threat Assessment Criteria.

To remove DMA Locker 4.0 follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove DMA Locker 4.0 files and objects
2. Find files created by DMA Locker 4.0 on your PC

Use SpyHunter to scan for malware and unwanted programs

3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by DMA Locker 4.0

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share