Infected with DMA-Locker? Need to decrypt your files?

What is DMA-Locker

DMA-Locker or MadLocker is a ransomware that silently sneaks into your PC and makes it a disaster. After it has found a way to get on your computer, DMA-Locker starts searching the hard drives for important and mostly used files. Alongside with it, the ransomware displays a notification with detailed explanation of what has happened and with instruction for the user. It states that the files were hijacked and encrypted with unique code, which makes them unacceptable without Master Key that can be purchased. Mainly this message contains information on methods of payment, which equals 15 Bitcoins. The ransom is surprisingly high, since other similar programs demand about 0.5-1.5 Bitcoins. You should think before paying such amount of money, because nobody can guarantee the safe restoration of your files even if you buy the key. The wiser solution is trying to remove DMA-Locker and retrieve the files first.

Update 2 (May 20, 2016): New version of this virus (DMA Locker 4.0) creates files with instructions cryptinfo.txt and does not add any extensions. Instead it adds string !DMALOCK4 to the first 9 bytes of encrypted files.

Update 1 (28 April 2016): New version DMA Locker 3.0 have increased amount of ransom – 4 BTC. It adds !DMALOCK3.0 prefix to all encrypted files.

dma-locker ransomware virus

How DMA-Locker infected your PC

In large part, threats like DMA-Locker use weak spots in security systems to infiltrate systems. That’s why disabled Firewalls and Security Settings may become a cause for getting DMA-Locker. It also applies to ignoring the need to update your antivirus. Without this defense line the computer becomes extremely vulnerable to infections. Another potential source of DMA-Locker spreading is p2p sharing and spam emails. In both cases you should scan every file you get. Way to protect your computer from such threats is to use antiviruses with crypto-protection like HitmanPro.Alert with CryptoGuard.
First of all don’t panic. Follow these easy steps below.

1. Start your computer in Safe Mode with networking. To do that, restart your computer, before your system starts hit F8 several times. This will stop system from loading and will show Advanced boot options screen. Choose Safe mode with networking option from the options list using up and down arrows on your keyboard and hit Enter.
2. Log in to the system infected with the DMA-Locker virus. Launch your Internet browser and download a reliable anti-malware program and start a full system scan. Once the scan is complete, review scan results and remove all entries detected.

Recommended Solution:

Norton is a powerful removal tool. It can remove all instances of newest viruses, similar to DMA-Locker – files, folders, registry keys.


Download Norton*Trial version of Norton provides detection of computer viruses for FREE. To remove malware, you have to purchase the full version of Norton.

Step 2: Remove following files and folders of DMA-Locker:

Remove following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\cryptedinfo notepad c:\ProgramData\cryptinfo.txt
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\cssys C:\ProgramData\ntserver.exe

Remove following files:


How to decrypt files infected by DMA-Locker (!DMALOCK4.0 files)?

Use automated decryption tools

Choose your version of decryptor or try all:

emsisoft decryptor for DMA-Locker 2

There is ransomware decryptor from Emsisoft for second version of DMA Locker that can decrypt !DMALOCK4.0 files. It is free and may help you restore !DMALOCK4.0 files by DMA-Locker virus. Download it here:

Download Emsisoft DMA Locker 2 Decryptor

emsisoft decryptor for DMA-Locker 1

There is ransomware decryptor from Emsisoft for first version of DMA Locker that can decrypt !DMALOCK4.0 files. It is free and may help you restore !DMALOCK4.0 files by DMA-Locker virus. Download it here:

Download Emsisoft DMA Locker Decryptor

You can also try to use manual methods to restore and decrypt !DMALOCK4.0 files.

Decrypt !DMALOCK4.0 files manually

Restore the system using System Restore

system restore

Although, latest versions of DMA-Locker remove system restore files, this method may help you partially restore your files. Give it a try and use standard System Restore to revive your data.

  1. Initiate the search for ‘system restore
  2. Click on the result
  3. Choose the date before the infection appearance
  4. Follow the on-screen instructions

Roll the files back to the previous version

Previous versions can be copies of files and folders created by Windows Backup (if it is active) or copies of files and folders created by System Restore. You can use this feature to restore files and folders that you accidentally modified or deleted, or that were damaged (in our case – DMA-Locker by DMA-Locker). This feature is available in Windows 7 and later versions.

windows previous versions

  1. Right-click the file and choose Properties
  2. Open the Previous Version tab
  3. Select the latest version and click Copy
  4. Click Restore

Restore .!DMALOCK4.0 files using shadow copies

shadow explorer gui

  1. Download and run Shadow Explorer.
  2. Select the drive and folder where your files are located and date that you want to restore them from.
  3. Right-click on folder you want to restore and select Export.
  4. Once the scanning process is done, click Recover to restore your files.

Protect your computer from ransomware

hitmanpro alert with cryptoguard

Most modern antiviruses can protect your PC from ransomware and crypto-trojans, but thousands of people still get infected. There are several programs that use different approach t protect from ransomware and lockers. One of the best is HitmanPro.Alert with CryptoGuard. You may already know HitmanPro as famous cloud-based anti-malware scanner. Check out ultimate active protection software from SurfRight.

Download HitmanPro.Alert with CryptoGuard

Information provided by: Alexey Abalmasov