MadLocker/DMA Ransomware

What is MadLocker/DMA Ransomware?

If your Windows operating system has been infected with MadLocker/DMA Ransomware, you either do not have proper security software to protect your PC or you clicked on something you should not have. This “something” can be an e-mail attachment or an unsafe link on a shady file-sharing website. Understanding how this dangerous Trojan infection can penetrate your system can help you protect your PC from similar attacks in the future. According to our malware specialists at anti-spyware-101.com, this ransomware can encrypt your most precious files, such as images, videos, and documents as well, which you may only realize once it is all done and it is too late to stop this malware. It is very important to remove MadLocker/DMA Ransomware right after you notice its presence on your computer. Let us tell you in more detail about this infection so that you understand what you are up against and how you can sort out this major hit on your personal files and operating system.

Where does MadLocker/DMA Ransomware come from?

As research shows, this Trojan may come from two sources. First, one of the most frequently used methods for distributing ransomware is spam e-mail attachments. This means that in order to infect your computer, it is enough for you to open a spam e-mail and click on its attachment, which is usually an image or video file, but in certain cases it can also be a document with macro capabilities. It is also possible that you will find a link in the body of this spam e-mail, which will trigger the download of this Trojan in the background. Therefore, we advise you to be very careful whenever you are checking your e-mails. You may think that the time of spam e-mails have passed because the filters nowadays can practically weed out most of them. But, even if one of these mails ends up in your inbox, it could be disastrous for you. It is vital that you do not open e-mails from unfamiliar senders or even if the sender seems familiar be very careful opening any attachments or clicking on any links included in the body.

Second, this Trojan can also be found bundled with malicious software installers. If you have infected your computer with this version of this ransomware, it means that you either have visited unsafe websites, such as freeware, torrent, or pornographic sites and clicked on a third-party advertisement or a fake button, or you clicked on an unreliable third-party ad displayed by an adware infection. The latter case suggests that your computer had already been infected with malware previously. So either way, you may be facing multiple threats right now, of which most probably this Trojan is the most dangerous.

How does MadLocker/DMA Ransomware work?

The main goal of this infection is that you do not realize that you have been infected until it displays its ransom note because, otherwise, you might have a few-minute window to stop this beast from encrypting and thus destroying your files, if you are really fast. But this mostly takes less than a minute as most ransomware programs use the built-in Windows encryption systems. Once this ransomware sets itself up, it will silently start to encrypt your personal files, which may take some time. If you could catch it in the act, you would still have a chance to kill it and save at least some of your files. However, this Trojan does not seem to add any particular extension to the encrypted files, so there is no way you could really spot it.

It is most likely that the first time you know about its presence will be when it shows you its red alert window. In this pop-up you will see all kinds of information. First, you are told that your precious files have been the victims of encryption, which can only be restored if you pay the 1 Bitcoin ($433) ransom fee as detailed below in the window. You can also find some information about what DMA-locker is and how it works if you click on a button; although, the link will route you to this page: securityledger.com/2015/10/fbis-advice-on-cryptolocker-just-pay-the-ransom, which is an article about how even the FBI tries to convince infected companies to pay the ransom if they want to ever use their files. Furthermore, you will find another button, which informs you about Bitcoin itself, and takes you to en.wikipedia.org/wiki/Bitcoin.

After you have made the transfer, you are supposed to contact the criminals behind this scam by e-mail (dma457894538@seznam.cz), and you will be allegedly given a decryption key. If you insert this key into the box at the bottom of this alert window and click on the Unlock Files button, your files should be restored. However, we must warn you that you are dealing with cyber criminals here, and the chance of getting nothing or a non-working decryption key in return for your money is quite high. Our researchers could not confirm the type of encryption method used by this ransomware; therefore it is hard to say if you have any possibility to decrypt your files otherwise, for example, using a free decryption tool, which might help in certain cases. What we can tell you from our experience is that most of the time it is impossible to restore the files encrypted by Trojan ransomware programs.

While this may sound catastrophic, the truth is, it clearly emphasizes the importance of backups. It is essential to save your most important files from time to time on an external drive. In such a malware attack you could easily copy your files back onto your hard drive. However, if you have your backup, before transferring your files, you must make sure that your computer is all clean. Therefore, it is vital to remove MadLocker/DMA Ransomware and any other malware threats you may find.

How do I remove MadLocker/DMA Ransomware?

You have two choices when it comes to eliminating this current threat. First, if you are an experienced user, you may try to manually delete this Trojan. Since it may use a random-name executable file to operate through, first you need to identify it by looking it up in the Windows Registry. Once you delete the right registry key, you can get rid of the file itself as well, which you will find in the C:\ProgramData folder. Keep in mind that this folder may be hidden by default, so first you will have to change your folder view settings to show hidden items. Please use our guide below and follow the steps carefully. You should know that deleting or modifying the wrong registry keys and values may lead to irreparable damage to your operating system. Also, keep in mind that the manual removal of Trojans might leave a mess or even leftovers behind. Second, you can always use a reliable antimalware application that not only will take care of this Trojan and any other infections present, but it will also protect your PC from future threats.

Show hidden items in Windows File Explorer

Windows 8/Windows 8.1/Windows 10

1. Tap Win+E.
2. Click on the View menu and check the Hidden items checkbox.

Windows Vista/Windows 7

1. Tap Win+E.
2. Click on the Organize button and choose Folder and search options.
3. Click on the View tab.
4. Select Show hidden files and folders.
5. Click OK.

Windows XP

1. Tap Win+E.
2. Select Tools menu.
3. Click Folder Options.
4. Choose the View tab.
5. Select Show hidden files and folders.
6. Click OK.

MadLocker/DMA Ransomware Removal from Windows

1. Tap Win+R and enter regedit. Hit OK.
2. Locate HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cssys and remove it.
3. Exit the Windows Registry Editor.
4. Tap Win+E to launch the Windows File Explorer and make sure that the view settings of your C:\ directory is set to show hidden items.
5. Go to C:\ProgramData folder, select ntserver.exe or the file name you find in the above registry key as value.
6. Delete the file.
7. Restart your operating system.

Download Removal Tool100% FREE spyware scan and
tested removal of MadLocker/DMA Ransomware*