If you found your files encrypted by DMA Locker ransomware, do not panic. This article will help you decrypt DMA Locker files without paying the ransom.
This is a new trojan-ransomware variant. After infiltrating a system by exploiting a user’s inattentive installation habits, it places its files in Documents and Settings and then sets about encrypting the user’s files. Once that is complete, a ransom is demanded for the key (currently 2 Bitcoin / GBP 536). Don’t pay; read the following information carefully and stop DMA Locker. It was discovered in November 2015, with ransom notes in both English and Polish. The grammar of the English ransom note appears (to this writer) to be a translation, indicating that the developer is not a native English speaker. Although this threat has had a small circulation to date, several technical upgrades have already been made to the program, so it is one to watch in the future.
Researchers have identified several weaknesses in this malware. The biggest is that the encryption key and process are very basic and can easily be cracked with the right procedure (see below). Effective evasion techniques are not built in. A later auto-run element does not always function, which sometimes stops the infection from carrying out certain tasks, such as deleting possible backup sources like shadow volume files. Another weakness is that the key is carried inside the infection and is only deleted after the files are encrypted; the code that makes cracking possible is present in the original infected file, which should therefore be retained.
This malware is so badly coded that in some cases the program even crashes and renders the target system inoperable, which is another reason to delete DMA Locker. The professionals’ conclusion is that this is the cut-and-paste job of an aspiring hacker, built on tried and tested ransomware. This does not mean, however, that the user should be complacent about security: if this infestation was allowed to enter a system, then so could a much more proficient and professional version or variant. And even if this threat is manageable, while it is in the operating system it constitutes a very large vulnerability for another attack. Now that the ransomware has been found to be flawed, this may only inspire the developer to patch the program (a good student learns from mistakes!), or the author may feel foolish and decide to launch a secondary attack on systems already infected, out of sheer spite. This is why it is necessary to eradicate DMA Locker promptly.
How to detect and deal with DMA Locker
The quicker this infection is detected, the less trouble it will be to take care of and recover damaged files. Some ransomware is very good at evading all but the best anti-malware scanners, though as stated, this looks like a training exercise for a novice hacker, so there shouldn’t be a problem. It does not show advanced methods for evading analysis, but it is still important to know the manual signs of a trojan infection, should a variant slip past your security. Signs that indicate its presence are system slowing, periodic though random screen-freezing, and unprompted connections to the Internet (some scanners may detect ‘aggressive’ and unusual amounts of traffic to ports). If you suspect that the infection is in your system, run software that specifically recognises this ransomware, or look for personal files with unfamiliar extensions.

If the malware is found, save the original contaminated file: it holds the data that enables decryption. Back up all personal files, but check that their extensions are unaltered. If external backups exist, a simple route is to reformat the disk and re-install. If it is necessary to remove DMA Locker, see the instructions further below and the decryption information at the link. After you uninstall DMA Locker, make sure that you don’t contract it or similar malware again.
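As an added example that is not part of the original article, the following read-only Python triage script implements the two file-level checks just described: listing personal files whose extension is outside an expected set, and flagging normally-readable text files whose content looks like ciphertext (which catches files encrypted in place when the extension was left unaltered). The extension baseline, the entropy threshold and the sample file contents are assumptions constructed for the demonstration.

```python
import math
import os
from collections import Counter

# Constructed baseline of extensions the owner expects among personal files.
KNOWN_EXTENSIONS = {".txt", ".csv", ".log", ".docx", ".pdf", ".jpg", ".png", ".zip"}
# Subset whose content is normally readable text; near-8-bit-per-byte entropy here is a strong sign of encryption.
PLAIN_TEXT_EXTENSIONS = {".txt", ".csv", ".log"}
ENTROPY_THRESHOLD = 7.0  # bits per byte; plain text usually sits well below 6


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(files: dict) -> dict:
    """Sort {path: leading bytes} into the two warning signs the article names."""
    findings = {"unfamiliar_extension": [], "encrypted_looking_text": []}
    for path, head in files.items():
        ext = os.path.splitext(path)[1].lower()
        if ext not in KNOWN_EXTENSIONS:
            findings["unfamiliar_extension"].append(path)
        elif ext in PLAIN_TEXT_EXTENSIONS and shannon_entropy(head) > ENTROPY_THRESHOLD:
            findings["encrypted_looking_text"].append(path)
    return findings


def scan_directory(root: str, sample_size: int = 4096) -> dict:
    """Read-only sweep: collect the first sample_size bytes of every file under root."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    files[path] = fh.read(sample_size)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
    return files


# Constructed sample "disk" so the block runs offline; no real files are read.
SAMPLE_FILES = {
    r"C:\Users\alice\Documents\notes.txt": b"Meeting notes for Monday. " * 100,
    r"C:\Users\alice\Documents\budget.csv": bytes(range(256)) * 16,  # stand-in for ciphertext
    r"C:\Users\alice\Documents\holiday.jpg.enc": b"\x00" * 64,  # made-up extension
}
```

To sweep a real folder, pass `scan_directory(r"C:\Users\<name>\Documents")` to `triage` instead of `SAMPLE_FILES`; compressed formats such as .zip or .jpg are deliberately excluded from the entropy check because they are high-entropy even when intact.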
How to decrypt DMA Locker files?
In order to successfully decrypt DMA Locker encrypted files, please follow these steps as strictly as possible:
Step 1: Download the free DMA Locker decrypter from here: http://emsi.at/DecryptDMALocker
Step 2: Double-click on decrypt-dmalocker.exe.
Step 3: Click “Yes” on “User Account Control” prompt.
Step 4: Click “Yes” to accept the “License Agreement”.
Step 5: Click “Add folder(s)” to add the folders containing the encrypted files (to test the decrypter, you may start with a single folder containing a few files).
Step 6: Click the “Decrypt” button. The decryption process will start. Please be very patient, since this may take a long time (depending on how many files are in the queue). Do not turn off the computer, and prevent the system from going into sleep mode.
Step 7: When the decrypter has finished, you should find all your files decrypted!
How to prevent DMA Locker
Contamination by this and all malware is preventable. Get to know the routes by which it could enter your system and bear them in mind when operating the computer. The most reported method of infection for this specimen so far is an attachment in spam e-mails. Beware of pop-ups, especially those offering freeware updates. It could also be bundled with freeware or pay-per-install downloads, so always use the most secure installation method, even if it takes a little longer, and look for any unwanted items before clicking. Be wary of unverified torrent downloads, peer-to-peer file-sharing and sites with dubious content. Update your browser and set it to the maximum threat-warning level. Regularly check for patches available for the operating system. Secure all network and remote access. With careful attention there is no reason to suffer the inconvenience and data loss these programs threaten, though for added insurance, software that carries out regular scans and gives prior warning of threats is a good idea. Don’t fund this student’s bad education with your time or cash!