Dilmalocker Ransomware

Posted by Lisa Blanc on September 14, 2017

What is Dilmalocker Ransomware?

Dilmalocker is a ransomware infection that can spread in multiple ways and affect unprotected operating systems in no time. Once installed the Dilmalocker ransomware encrypts files so that you cannot access them and displays a warning in which you are required to pay a considerable sum of money in order to have your files restored. It is highly important not to pay the ransom fee because the odds are that nobody will every bother to send you the decryption key or tool. Law enforcement highly recommends disregarding attackers' demands to pay and encourage people to implement measures that would prevent such incidents. The Dilmalocker ransomware is a dangerous threat that you should remove from the computer instead of following the instructions provided by the attackers behind this infection.

First off, the name Dilmalocker, which is also spelt Dilma Locker, refers to Dilma Rousseff, the 36st president of Brazil and the first female president. In 2016,  the president was impeached for manipulating the government budget and suspended from office. It is very likely that someone wanted to make fun of the politician and unsuspecting computer users and tarnish Rousseff's reputation. The ransom warning is written in Portuguese, which suggests that the developers are likely to be based Brazil or originate from  South America.

The attacker seems to be quite funny because the ransom message ends with a polite letter closing sentence and a comment saying that this type of crime is his or her option for getting by.

How does the Dilmalocker ransomware work?

Once on a PC, the Dilmalocker ransomware changes the desktop wallpaper and encrypts files. The names of the encrypted files are modified by adding the extension . __dilmaV1. The original file name remains intact. The ransom message is visible in the background image and in a .html file which is named " RECUPERE_SEUS_ARQUIVOS" (translation: RECOVER_YOUR_FILES). The infection also drops a copy of the same ransom note named DILMA_LOCKER_v1.hta in the %APPDATA% directory so that the ransom is displayed at the startup of the system. The file of the new background can be found as background.bmp on the desktop.

In the warning message, it is accentuated that files are encrypted using the 256-bit encryption which is used by the US government to protect sensitive information. In general, this type of encryption is used worldwide for protecting different types of valuable data. All that the attacker wants to achieve is to threaten the victims into paying up the release fee required, which is 3,000 Brazilian reals (BRL). The money is required to be paid in Bitcoin, but no Bitcoin wallet address is given in the warning. First, the user is supposed to  send the personal identifier created by the infection in the file dilminha.dat to the email address dilmaonion@keemail.com.

To win victims' trust, the attacker promises to decrypt one file of the victim's choice at no charge. The file selected must be up to 3 MB in size. The attacker also threatens to delete the files after 4 days.

How to prevent Dilmalocker?

Dilmalocker is an threat that can find its way to your computer in several ways, which also applies to many other threats. Spam emails, unsafe RDP configurations, malicious links, freeware sharing websites, and even social networking websites can function as malware distributors. You should be careful with questionable emails and installers of unknown software programs. Always pay attention to details and make sure that your operating system is protected.

How to remove the Dilmalocker ransomware?

In general, malware removal is a complex process because much knowledge of the field is necessary. In order to have a complex infection removed, it is highly advisable to use a reputable malware prevention tool, which can identify different types of threats. The Dilmalocker ransomware is one of those threats that drops a few files in different locations. If you want to try removing the Dilmalocker ransomware manually, follow our removal guide, but do not forget that it is advisable to scan the system afterwards so that no copies of the infection are left in the system.

Remove the Dilmalocker ransomware

  1. Delete the ransom note file and background.dmp left on the desktop.
  2. Use the Win+R command to check the following locations for the file DILMA_LOCKER_v1.hta and delete the file:
  • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
  • %ALLUSERSPROFILE%\Start Menu\Programs\Startup
  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
  • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
  • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
100% FREE spyware scan and
tested removal of Dilmalocker Ransomware*
Dilmalocker Ransomware
Dilmalocker Ransomware
Dilmalocker Ransomware
Disclaimer
Disclaimer
Trojans

Leave a Comment

Enter the numbers in the box to the right *