DMA Locker 4.0 Ransomware prepares for attack!

Since it first appeared, DMA Locker has evolved significantly.

One threat died down, but many more are coming. Ransomware continues to trouble users and to challenge security researchers with ever-increasing activity this year. Shortly after the creators of the famous TeslaCrypt closed down their malicious script, another ransomware is ready to take its place.

This type of online blackmail and robbery remains popular and rarely leaves the news headlines. Security researchers are warning that a group of hackers is preparing a massive distribution of another malware called DMA Locker.

Now, DMA Locker is not a new star in the malware family by any means. This threat was first detected in January, but back then its encryption had so many flaws that it was not considered a significant threat. Researchers easily developed file recovery tools for the first two versions of the ransomware.

However, in its new version 4.0, DMA Locker has fixed many of those flaws, and this time it will really challenge security experts and users alike. It seems that the creators have been “working” really hard over the past several months, upgrading their ransomware into a much more complex malware.

DMA Locker Version 4.0 is no longer easily decryptable and is using new methods of distribution.


DMA Locker 4.0 ransomware disguises itself on your computer with a PDF file icon. It no longer encrypts files offline; instead, it downloads a public RSA key from a command and control (C&C) server. This means that the ransomware cannot encrypt files until the compromised computer is connected to the internet.

When a machine is infected, DMA Locker moves to C:\ProgramData under the name svchosd.exe. It also places two additional files, select.bat and cryptinfo.txt, and adds registry keys. When the encryption process is complete, a red ransom note window appears on the screen. It displays the version in the top-left corner, offers to decrypt a test file for the user, and contains a link to a tutorial.
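The file artifacts listed above can be turned into a quick host check. The following is an added example, not code from the article or from any vendor tool: the names scan_programdata, edit_distance and demo are hypothetical, the registry keys are not checked because the article does not name them, and the lookalike test for svchost.exe (the genuine Windows service host, which lives in System32) goes beyond the single name the article gives.

```python
import os
import tempfile

# Artifact names taken from the article; they are dropped in C:\ProgramData.
DMA_LOCKER_FILES = {"svchosd.exe", "select.bat", "cryptinfo.txt"}
LEGIT_NAME = "svchost.exe"  # genuine Windows service host, lives in System32


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalikes of svchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def scan_programdata(root):
    """Return sorted (file name, reason) findings for the top level of root."""
    findings = []
    for entry in os.scandir(root):
        if not entry.is_file():
            continue
        name = entry.name.lower()  # Windows file names are case-insensitive
        if name in DMA_LOCKER_FILES:
            findings.append((entry.name, "DMA Locker 4.0 artifact name"))
        elif name == LEGIT_NAME or edit_distance(name, LEGIT_NAME) <= 2:
            findings.append((entry.name, "svchost.exe or lookalike outside System32"))
    return sorted(findings)


def demo():
    """Run the scan over a constructed directory standing in for ProgramData."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample files: three names from the article, one
        # made-up lookalike, and one unrelated file that must not be flagged.
        for fname in ("svchosd.exe", "select.bat", "cryptinfo.txt",
                      "scvhost.exe", "notes.txt"):
            open(os.path.join(root, fname), "w").close()
        return scan_programdata(root)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

On a real host, pass the ProgramData path to scan_programdata; a name match is only a lead and should be confirmed by inspecting the file itself.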

The victims of DMA Locker 4.0 are then directed to a website that is not Tor-based and that uses the same IP as the C&C server. However, researchers suggest that the website is still under development, since there are some issues with the links at the moment.

Another big change is that the new ransomware version uses an individual AES key for every single encrypted file. This key is encrypted using the RSA key generated from the C&C server and then applied to the file. An underground crypter is used to pack DMA Locker 4.0 in order to keep the payload protected and to avoid detection. The payment is fully automated with a payment management system.

Since it first appeared at the beginning of this year, DMA Locker has evolved significantly. Security experts assume that with these multiple improvements, this new threat is ready to attack users on a wider scale.

How to keep yourself safe? As we always say, the best protection against ransomware programs is prevention. It is a good idea to regularly save backups of all your precious data. You can invest in a USB drive or portable hard disk where you can store all your important information safely. Also, following the basic online security rules would surely keep you away from any other malware available on the web. Don’t neglect your safety.