Remove DMA Locker and Restore Encrypted Files

DMA Locker is malware whose main purpose is to encrypt vital files on an infected computer's hard drive as well as on portable drives connected to it. Encrypted files become corrupt and cannot be opened. In addition, the locker leaves a ransom note with instructions on how to pay money in exchange for the restoration of the files. Users who have been affected by the virus are strongly advised not to pay anything to the cyber criminals, since doing so may fund their operation and does not guarantee that the files will be restored. It is strongly advisable to remove the threat and look for alternative methods of file decryption, instructions for which we have provided after this article.

Threat Summary

Name: DMA Locker
Short Description: The ransomware encrypts files with the RSA algorithm and AES-128 ciphers and asks a ransom for decryption.
Symptoms: Files are encrypted and become inaccessible. A ransom note with instructions for paying the ransom shows as a .txt file.
Distribution Method: Spam Emails, Email Attachments, File Sharing Networks.

DMA Locker – How Did I Get Infected

One way to become a victim of this nasty cyber-threat is via third-party applications that may advertise malicious web links on your computer. The ransomware may also spread using other methods, such as malicious links featured in various spam messages. Furthermore, the ransomware may be distributed via several different types of spam email messages. Spam messages may imitate different reputable services, inviting users to either click on a malicious web link or open a malicious e-mail attachment.

Symantec Security Response has confirmed that once it has been activated on a certain computer, the ransomware may create one or more files in:


The threat then may create the following folder:


What is more, the Trojan creates a registry entry with a value, allowing it to run every time with Windows:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"cssys" = "%AllUsersProfile%\ntserver.exe"
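
A defender can check saved `reg query` output from one or more hosts for this autorun entry. The following is an added example, not code from the original article or from Symantec: the function names and the sample registry output are constructed, and it assumes the standard `reg query` text layout (four-space separated name, type and data).

```python
import ntpath
import re

# Indicators from the article's registry entry (value name and dropped file).
IOC_VALUE_NAME = "cssys"
IOC_FILE_NAME = "ntserver.exe"
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"

# Assumed `reg query` value line: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_\w+) {4}(?P<data>.*)$")

# Constructed sample output (two hives); not taken from a real host.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    cssys    REG_SZ    C:\ProgramData\ntserver.exe

HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run
    Updater    REG_EXPAND_SZ    %AllUsersProfile%\NTServer.exe
"""

def executable_of(command):
    """Return the program path from a Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    # Bare path: cut after the first .exe so trailing arguments are dropped.
    match = re.match(r"(?i)(.+?\.exe)(\s|$)", command)
    return match.group(1) if match else command

def find_dma_locker_autoruns(reg_query_text):
    """Return (key, name, data, name_hit, file_hit) for matching Run values."""
    findings, key = [], None
    for line in reg_query_text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()  # remember which key the next values belong to
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None or not key.lower().endswith(RUN_KEY_SUFFIX):
            continue
        name_hit = m["name"].strip().lower() == IOC_VALUE_NAME
        file_hit = ntpath.basename(executable_of(m["data"])).lower() == IOC_FILE_NAME
        if name_hit or file_hit:  # either indicator alone is worth a look
            findings.append((key, m["name"], m["data"], name_hit, file_hit))
    return findings

if __name__ == "__main__":
    for hit in find_dma_locker_autoruns(SAMPLE):
        print(hit)
```

An entry where both flags are true matches the article's value name and file name together; a single match only marks the entry for manual review.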

After this, the ransomware begins to encrypt user files with the most commonly used file extensions, except for the ones below:

.bat .cmd .com .cpl .dll .exe .hta .lnk .msc .msi .msp .pif .scr .sys

Further, once the user's files have been successfully encrypted, the ransomware may drop a ransom note stating the following:

“All your important files (Hard Disks, Network Disks, USB) are encrypted.
The files are encrypted with asymmetric algorithm using AES-256 and RSA-2048 ciphers
Your files are not possible to recovery without decryption key which is located only in OUR database
Only way to recovery your files is to pay us 1500 USD in Bitcoin currency (3.5 BTC) instead of decryption key which allow you to recovery ALL your encrypted files.”

In addition, it leaves a file called DMA-Locker, which contains instructions on how to pay the ransom. The instructions also include a deadline for payment, after which the decryption keys may be destroyed:

Source: Symantec

Remove Locky Ransomware and Restore .locky Encrypted Files

In order to remove this ransomware from your device, it is advisable to isolate it first by disconnecting from the internet and backing up your data. After this, you should follow the step-by-step instructions provided below. It is also recommended to use advanced anti-malware software in order to discover all modified registry entries on your computer and other objects that may be associated with this malware.

UPDATE (February 3): Learn how to restore files encrypted by DMA Locker


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
