DMA Locker is malware whose main purpose is to encrypt vital files on an infected computer's hard drive and on any portable drives connected to it. The encrypted files become corrupt and cannot be opened. The locker also leaves a ransom note with instructions on how to pay money in exchange for the restoration of the files. Users affected by the virus are strongly advised not to pay the cyber criminals: doing so funds their operation, and there is no guarantee the files will be restored. It is strongly advisable to remove the threat and look for alternative methods of file decryption, instructions for which we have provided after this article.
| Short Description | The ransomware encrypts files with the RSA algorithm and AES-128 ciphers and asks a ransom for decryption. |
| Symptoms | Files are encrypted and become inaccessible. A ransom note with instructions for paying the ransom shows as a .txt file. |
| Distribution Method | Spam Emails, Email Attachments, File Sharing Networks. |
DMA Locker – How Did I Get Infected
One way to become a victim of this nasty cyber-threat is via third-party applications that display malicious web links on your computer. The ransomware may also spread through malicious links featured in various spam messages, and it may be distributed via several different types of spam e-mail. Such messages may imitate reputable services, inviting users either to click on a malicious web link or to open a malicious e-mail attachment.
Symantec Security Response has confirmed that, once activated on a computer, the ransomware may create one or more files in:
The threat may then create the following folder:
In addition, the Trojan creates a registry entry with a value that allows it to run every time Windows starts:
→ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"cssys" = "%AllUsersProfile%\ntserver.exe"
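As an added defender's check (not code from the article or from Symantec), the following Python flags that persistence entry in an exported copy of the Run key; the sample export and the %AllUsersProfile% heuristic are constructed assumptions, while the "cssys" name and ntserver.exe binary are the indicators quoted above.

```python
import ntpath
import re

# Persistence indicator quoted in the article: DMA Locker writes this Run value so
# that ntserver.exe is launched at every Windows logon.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
IOC_VALUE_NAME = "cssys"
IOC_BINARY = "ntserver.exe"
# Heuristic (assumption, not from the article): autoruns under %AllUsersProfile%/ProgramData deserve a look.
SUSPICIOUS_ROOTS = ("%allusersprofile%", "c:\\programdata")

# Constructed sample export of the Run key, one "name=command" pair per line.
SAMPLE_RUN_VALUES = """\
OneDrive="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
cssys=%AllUsersProfile%\\ntserver.exe
SecurityHealth=%windir%\\system32\\SecurityHealthSystray.exe
"""

def parse_run_values(text):
    """Parse the name=command export into a dict; lines without '=' are skipped."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {name.strip(): command.strip() for name, command in pairs}

def executable_path(command):
    """Return the executable part of a Run command, unquoted and without arguments."""
    match = re.match(r'"([^"]+)"|(\S*)', command)
    return match.group(1) or match.group(2)

def assess_run_value(name, command):
    """Return the reasons a Run value matches the DMA Locker indicators (empty if none)."""
    reasons = []
    exe = executable_path(command)
    if name.lower() == IOC_VALUE_NAME:
        reasons.append("value name matches IOC 'cssys'")
    if ntpath.basename(exe).lower() == IOC_BINARY:
        reasons.append("executable matches IOC 'ntserver.exe'")
    if exe.lower().startswith(SUSPICIOUS_ROOTS):
        reasons.append("autorun launched from the all-users profile directory")
    return reasons

def find_suspicious(text):
    """Scan an exported Run key; return [(name, command, reasons)] for every hit."""
    assessed = ((n, c, assess_run_value(n, c)) for n, c in parse_run_values(text).items())
    return [hit for hit in assessed if hit[2]]

if __name__ == "__main__":
    for name, command, reasons in find_suspicious(SAMPLE_RUN_VALUES):
        print(f"{RUN_KEY}\\{name} = {command}")
        print("  " + "; ".join(reasons))
```

On a live system the same checks can be run against the output of `reg query` for that key, or against Sysmon registry events, instead of the constructed export.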
After this, the ransomware begins to encrypt user files with the most commonly used file extensions, excluding the ones listed below:
→ .bat .cmd .com .cpl .dll .exe .hta .lnk .msc .msi .msp .pif .scr .sys
Once the user's files have been encrypted, the ransomware may drop a ransom note stating the following:
→ “All your important files (Hard Disks, Network Disks, USB) are encrypted.
The files are encrypted with asymmetric algorithm using AES-256 and RSA-2048 ciphers
Your files are not possible to recovery without decryption key which is located only in OUR database
Only way to recovery your files is to pay us 1500 USD in Bitcoin currency (3.5 BTC) instead of decryption key which allow you to recovery ALL your encrypted files.”
In addition, it leaves a file called DMA-Locker that contains instructions on how to pay the ransom. These also include a deadline for payment, after which the decryption keys may be destroyed:
To remove this ransomware from your device, it is advisable to isolate the machine first by disconnecting it from the internet and backing up your data. After this, follow the step-by-step instructions provided below. It is also recommended to use advanced anti-malware software to discover all modified registry entries and other objects on your computer that may be associated with this malware.
UPDATE (February 3): Learn how to restore files encrypted by DMA Locker