DMA-Locker virus Removal Guide
What is DMA-Locker ransomware?
What is known about DMA-Locker ransomware virus?
DMA Locker virus (also known as MadLocker ransomware) is dangerous computer infection that takes user’s files to hostage and then asks to pay the ransom. The virus is supposed to be a new version of powerful cyber threat – CryptoLocker virus. Compared to other active ransomware viruses, it has two dangerous and threatening features – it has a Direct memory access (DMA) and asks for enormous ransom for file decryption. Usually, ransomware launches their attacks and rely on their success only by a dropped malicious file on an infected computer. DMA-Locker virus operates on directly in affected computer’s memory. Virus researchers spotted this virus at the beginning of 2016, and since then, hackers have already updated malware several times. Malware can step into a computer as a Trojan horse or might be delivered in malicious spam email. Once inside, it starts scanning computer’s system and looking for important files. Then, it encrypts them using strong algorithm and appends !XTPLOCK5.0 file extension. Virus corrupts the files and makes them useless unless a victim will purchase a decryption key for 15 Bitcoins ($7000). This time hackers became greedy and asked at least five times more money than other cyber criminals. Usually, the ransom varies from 1 to 3 Bitcoins, which is also a huge sum of money. However, we strongly discourage from paying the ransom. No one can guarantee that crooks will help you to get your files back. Instead of looking for money, remove DMA-Locker from the system. For virus elimination you have to employ an anti-malware program, for example, ReimageIntego. It finds and deletes all malicious files related to this threat.
For data encryption ransomware uses combined AES and RSA chippers. It targets personal files that are located on PC and network devices. DMA Locker ransomware encrypts various video, image, text and other types of files, for example: .xls, .tif ,.gif, .png, .jpg, .jpeg, ,.bmp, .raw, .max ,.accdb ,.db ,.dbf, .3dm, .mdb, .sql, .wma ,.ra ,.avi, .mov, .3g2, .pdb, .mp4 ,.3gp, .asf ,.asx, .mpeg, .pdf. After the attack, in each folder that stores corrupted files, you will find a ransom note in .txt and .html formats. Both of them include the same scary information and try to swindle a huge amount of money:
The only way to get your files back is to pay us for unique decryption key. Otherwise, your files will be lost.
Cyber criminals are not worth trusting. Even if hackers provide necessary decryption software, you might also get additional malware with it. After the attack, you should concentrate on DMA Locker removal. Bear in mind that data decryption is not recommended while malware residents in the system. Ransomware might encrypt your files again and ask for more money. Besides, there’s no need to consider paying the ransom, because there are free decryption tools that are created for recovering corrupted data.
Variants of DMA-Locker virus
DMA Locker 3.0. This version of ransomware was discovered in February 2016. It showed up right after IT experts had discovered a DMA Locker decryption tool. Surprisingly, they moved from the first version straight to the third version, which is known to rely on the AES-256 algorithm. Beware that DMA Locker 3 targets a wide range of files and can easily encrypt various documents, images, audio and video files and image file. When it comes to infiltration, the virus uses a trojan horse that infects computers as a legitimate attachment to an email message. The DMA Locker 3.0 decrypt key costs around 4 BTC.
DMA Locker 4.0. The fourth version of DMA Locker was released in May 2016. Reportedly, it spreads via Neutrino Exploit Kit and encrypts a wide range of victims’ files. This version of DMA-Locker virus demands 3 BTC in exchange for the decryption key and promises to increase the ransom if the victim fails to pay the ransom within the given period. Once the time passes, virus increases the amount of ransom to 4.5 BTC. Unfortunately, cyber security experts haven’t presented a DMA Locker 4 decrypt tool, but we hope to see it soon. In the meanwhile, you should make sure that you have extra copies of your most valuable files to prevent their loss.
How does this cyber threat spread?
You can get infected by this virus in case you tend to explore dangerous content on the internet. You have to keep in mind that cyber criminals develop various ways to enter users’ computers. So you have to be prepared and be wary of prevention ways.
- Most commonly, ransomware threats are being spread via malicious e-mails, which contain deceptive attachments. They might look like ordinary documents, PDFs, and other regular files. However, such attachments hold infectious self-extracting components. You should never open such e-mails or attachments!
- Bear in mind that developers of DMA-Locker virus use social engineering tactics, so their messages might be very convincing and persuasive. So, it’s easy tricked by the criminals!
- Viruses might also spread via rogue websites. Do not click on doubtful links on web pages full of gambling and pornographic content.
- Install software on your computer ONLY using “Advanced/Custom” settings and untick suspicious add-ons.
DMA-Locker elimination guide
You need to remove DMA-Locker virus before attempting to do anything else. You must eliminate it completely to be sure that it will not cause harm to your system later. That is why we strongly recommend you to remove DMA Locker automatically. Automatical removal requires employing strong and reputable anti-malware tools such as ReimageIntego, SpyHunter 5Combo Cleaner or Malwarebytes. Of course, you can use another antivirus program that you prefer. However, sometimes ransomware might block access to security tools or prevent from scanning computer’s system. Below the article you will find instructions how to solve this issue and run the program.
After DMA Locker removal, you can get your files back from a backup, or decrypt them with this DMA Locker decryption tool. If this one doesn’t work, try this DMA Locker decryptor. Use these tools or plug your backup device into your PC only AFTER you remove the virus.
Getting rid of DMA-Locker virus. Follow these steps
Manual removal using Safe Mode
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
Temporary Internet Files
- Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
After you are finished, reboot the PC in normal mode.
Remove DMA-Locker using System Restore
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list
Windows 10 / Windows 8
- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and click Enter.
- Now type rstrui.exe and press Enter again..
- When a new window shows up, click Next and select your restore point that is prior the infiltration of DMA-Locker. After doing that, click Next.
- Now click Yes to start system restore.
Bonus: Recover your dataGuide which is presented above is supposed to help you remove DMA-Locker from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.
For data recovery, you can use either DMA Locker decryption tool or DMA Locker decryptor. Bear in mind that paying the ransom to the crooks is not an option! However, if these tools do not work for you, you can try using additional methods that are presented bellow.
If your files are encrypted by DMA-Locker, you can use several methods to restore them:
Data Recovery Pro and data decryption
This tool is created for restoring missing and corrupted files after system wreckage. However, it can still be useful for retrieving files corrupted by the ransomware.
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by DMA-Locker ransomware;
- Restore them.
Restoring individual files using Windows Previous Versions feature
If you have previously enabled System Restore function, you can try to restore individual files using Windows Previous Versions feature. However, if System Restore hasn’t been enabled before the attack, this method won’t work for you.
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.
Take advantage of ShadowExplorer
Some victims of the ransomware claim that SadowExplorer helped to restore at least some of their files. If DMA Locker decryptors are not working for you, give this additional data recovery method a try.
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from DMA-Locker and other ransomwares, use a reputable anti-spyware, such as ReimageIntego, SpyHunter 5Combo Cleaner or Malwarebytes
How to prevent from getting ransomware
Access your website securely from any location
When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.
If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.
Recover files after data-affecting malware attacks
While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.
Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection.