DMA Locker (Virus Removal Guide)
DMA Locker is a new ransomware family that was recently analyzed by Malwarebytes malware analysts. DMA Locker infects computer systems and encrypts personal files. DMA Locker ransomware is usually distributed as an email attachment. Once DMA Locker has run on a machine, it restricts access to the machine and encrypts the files that are not on its exclusion list (see below). It then displays a ransom note with instructions on how to pay for decryption and regain regular access.
DMA Locker ransomware encrypts personal computer data using AES encryption and then demands 4 bitcoins in order to receive a decryption key.
DMA Locker will encrypt most non-system, non-executable files that it finds on your system, but unlike most ransomware it does not seek out specific file extensions. Instead, DMA Locker has a “white list” of folders and extensions that it will not encrypt:
Folders: Windows, Program Files (x86), Games, Temp, Sample Pictures, Sample Music, cache
Extensions: .exe, .msi, .dll, .pif, .scr, .sys, .msp, .com, .lnk, .hta, .cpl, .msc, .bat, .cmd
Another uncommon trait of this infection is that DMA Locker can target other computers on a network: it is able to encrypt data on unmapped network shares.
Once DMA Locker ransomware has encrypted the files on your computer, it will show you a lock screen containing instructions on how to pay the ransom and decrypt your files. The ransom note is saved at C:\ProgramData\cryptinfo.txt, and it will be shown to you every time you log into your computer.
Tricking DMA Locker
A malware analyst at Malwarebytes discovered a way to trick DMA Locker into thinking the files on your computer have already been encrypted. To do this, create files named decrypting.txt and start.txt and place them in the C:\ProgramData and C:\Documents and Settings\All Users folders. The files you create do not need to contain anything; they just need to exist on your machine in the correct directories. These files can be created with Notepad or any other text editor.
This is what it should look like:
C:\ProgramData\decrypting.txt
C:\ProgramData\start.txt
C:\Documents and Settings\All Users\decrypting.txt
C:\Documents and Settings\All Users\start.txt
DMA Locker files
DMA Locker will install files onto a machine that it infects. These files are listed below:
C:\ProgramData\cryptinfo.txt
C:\ProgramData\date_1.txt
C:\ProgramData\decrypting.txt
C:\ProgramData\ntserver.exe
C:\ProgramData\start.txt
DMA Locker registry entries
DMA Locker will create registry entries on a machine that it infects. These registry entries are listed below:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\cryptedinfo = notepad c:\ProgramData\cryptinfo.txt
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\cssys = C:\ProgramData\ntserver.exe
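As an added example that is not part of the original guide, the following PowerShell script checks a machine for the files and Run-key values listed above and then creates the empty decrypting.txt and start.txt marker files described in the "Tricking DMA Locker" section. The paths and value names are taken from this guide; the function names are my own.

```powershell
# Added example (not from the original guide): check for the DMA Locker indicators
# listed in the guide and create the empty marker files it describes.
# Run from a prompt that can write to C:\ProgramData (an elevated prompt is simplest).

$MarkerDirs  = @('C:\ProgramData', 'C:\Documents and Settings\All Users')
$MarkerNames = @('decrypting.txt', 'start.txt')

# Files and Run-key values the guide attributes to DMA Locker.
$DmaFiles = @('C:\ProgramData\cryptinfo.txt',
              'C:\ProgramData\date_1.txt',
              'C:\ProgramData\ntserver.exe')
$RunKey       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$DmaRunValues = @('cryptedinfo', 'cssys')

function Test-DmaLockerIndicators {
    # Returns a list of indicator strings found on this machine (empty if none).
    $hits = @()
    foreach ($f in $DmaFiles) {
        if (Test-Path -LiteralPath $f) { $hits += "file: $f" }
    }
    if (Test-Path $RunKey) {
        $run = Get-ItemProperty -Path $RunKey
        foreach ($v in $DmaRunValues) {
            if ($null -ne $run.$v) { $hits += "run value: $v = $($run.$v)" }
        }
    }
    return $hits
}

function New-DmaLockerMarkerFiles {
    # Creates the empty decrypting.txt and start.txt files in each marker directory.
    # On Windows Vista and later, C:\Documents and Settings\All Users is a junction
    # that resolves to C:\ProgramData, so the second pass usually finds them present.
    foreach ($dir in $MarkerDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { Write-Warning "Missing directory: $dir"; continue }
        foreach ($name in $MarkerNames) {
            $path = Join-Path $dir $name
            if (-not (Test-Path -LiteralPath $path)) {
                New-Item -ItemType File -Path $path -Force | Out-Null
                Write-Host "Created $path"
            }
        }
    }
}

$found = Test-DmaLockerIndicators
if ($found.Count -gt 0) { "Indicators present:"; $found } else { "No DMA Locker indicators found." }
New-DmaLockerMarkerFiles
```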
How to decrypt DMA Locker
If you are infected with an earlier version of DMA Locker, you might be able to decrypt your files using a decrypter created by Fabian Wosar of Emsisoft.
I whipped up a decrypter for the one DMA Locker variant I found that didn’t have its key wiped: https://t.co/t3TAXbIxrN Enjoy 🙂
— Fabian Wosar (@fwosar) February 5, 2016
1. Download decrypt_DMA Locker.exe and save it on your desktop:
2. Double-click the executable file to open the program and click the Yes button to proceed.
3. Click Yes if you accept the license agreement to continue.
4. Add the drives you want to decrypt and then click on the Decrypt button to begin the decryption process.
How to remove DMA Locker ransomware
2. Open Malwarebytes and click the large blue Scan Now button to begin a scan.
3. Once the scan is complete, click the Remove Selected button and then the Finish button. If Malwarebytes suggests that you restart your computer, please do so.
5. Open HitmanPro and click Next to start scanning your computer. *If you are using the free version you may choose to create a copy or perform a one-time scan.
6. When the HitmanPro scan is complete click the Next button and then click the Reboot button. *To activate the free version of HitmanPro: enter your email address twice and click the Activate button.
8. Open CCleaner and go to the main Cleaner screen. Click the Analyze button. When the process is complete, click the Run Cleaner button on the bottom right of the program interface.
9. Go to Tools > Startup and search for suspicious entries in each tab, starting from Windows all the way to Context Menu. If you find anything suspicious, click it and then click the Delete button to remove it.
10. Go to the Registry window and click the Scan for Issues button. When the scan is complete click the Fix selected issues… button and click Fix All Selected Issues.