MadLocker/DMA Ransomware Removal Guide

Threat Level: 9/10
Category: Trojans

MadLocker/DMA Ransomware is really bad news if it finds a way onto your computer, because this Trojan can encrypt your precious documents, images, and videos without your knowledge and extort money from you if you want to use those files again. This malware infection is therefore rather dangerous, since it can practically destroy all your important files. Making backups of your most important files gains even more importance once you learn about ransomware. If you had backups, you could easily restore these files without having to pay the ransom or trying to decrypt your files, which can be practically impossible depending on the encryption method used. In certain cases it is possible to find free tools to decrypt the files, but, if you are not an experienced user, chances are you will do more damage, if that is even possible after losing your files. Unfortunately, even authentic antimalware applications cannot help with decrypting files; however, they can effectively prevent such Trojans and other infections from landing on your computer and creating chaos. This Trojan does not even change the extensions of the encrypted files, so you cannot catch it red-handed. You will only realize it is on your computer when it finishes the encryption process and displays its pop-up alert window. It is important to remove MadLocker/DMA Ransomware as soon as you notice it on your PC, even if your files have already been encrypted.

It seems that this ransomware is spreading in different languages; we have seen Polish and English versions. There are two main ways this Trojan can spread over the Internet: first, in spam e-mails as attachments or infected links, and second, in malicious installers. Both of these methods can be avoided by being a more careful web surfer and observing some basic rules of browsing, as you will see. For example, you should never open e-mails you get from unknown or suspicious senders. But even if the sender seems known, you should be very careful about clicking on links in the mail or opening attachments, because it may result in MadLocker/DMA Ransomware or other Trojans landing on your computer.

As for malicious installers, you can download these from shady file-sharing websites, such as freeware and torrent sites. These websites mostly host unsafe third-party bundles that you can download by clicking on fake buttons and links, which are plentiful on such pages. Therefore, you should stay away from unfamiliar sites if you do not want to end up with this Trojan or a bunch of other malware infections on board. If you are in doubt, it is best to run a free malware scanner on your computer. It can be an online scanner as well, but make sure that it is a reliable one before running it. The web is full of rogue and fake tools that can cause more harm than good.

When this Trojan finishes the encryption of your document, image, and video files, it shows you a red pop-up ransom note informing you that your files have been “taken hostage.” You can only get them back if you pay 15 Bitcoins (as found in the English version of the ransom note), which is around $6500, so we can only infer that this ransomware mostly targets companies, which may actually have this kind of money for recovering important files. Normal computer users would never be likely to pay this insane amount. Other ransomware programs that target home users usually ask for a couple of hundred dollars as the ransom fee. As a matter of fact, the Polish version does mention 1 Bitcoin as the ransom fee, which is about $433. Nevertheless, whatever the amount is, we do not recommend paying it; you have no guarantee that these criminals will really release the decryption key for you.

This pop-up alert also shares some URLs with the infected user, such as securityledger.com/2015/10/fbis-advice-on-cryptolocker-just-pay-the-ransom, an article on how even the FBI allegedly advises companies to pay the ransom if they want to regain access to their files, and en.wikipedia.org/wiki/Bitcoin, which explains Bitcoin. The user is also given an e-mail address (dma457894538@seznam.cz) to contact the criminals; after sending them an e-mail, he is supposed to receive a decryption key within 10 hours, which he then needs to enter into the box provided in the pop-up.

MadLocker/DMA Ransomware operates through an executable file with a random name. If you want to stop this infection manually, first you need to delete that executable. To identify it, locate the following Windows Registry entry, whose value contains the file name: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cssys with the value “C:\ProgramData\fakturax.exe”. Delete this entry and locate the executable in the C:\ProgramData folder, which in this case is called fakturax.exe. After deleting the file, you can restart your computer. Please follow our guide below if you need step-by-step assistance. Please note that deleting the wrong registry key might destabilize your operating system, so only attempt manual removal if you are experienced enough. Keep in mind that even after restarting your PC, some remnants of this infection may remain, not to mention the possibility of other malware infections on board. Therefore, we advise you to use a reliable antimalware application to clean your operating system and protect it from further attacks.

Remove MadLocker/DMA Ransomware from Windows

  1. Press Win+R and type in regedit to open the Windows Registry Editor.
  2. Locate the following key and delete it: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cssys.
  3. Close the Windows Registry Editor.
  4. Press Win+E to open the File Explorer.
  5. Locate the following file and delete it: C:\ProgramData\fakturax.exe (or any other file name you find in the registry key value).
  6. Restart your computer.
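The manual steps above can be checked and carried out in one place with the following PowerShell script. It is an added example written for this guide, not a tool from the original article; it assumes the persistence entry is the `cssys` value under the HKCU Run key named above, reports the executable the value points at (recording its SHA-256 so the sample can be analyzed later), and deletes the entry and the file only when run with `-Remove` from an elevated prompt.

```powershell
# Added example (not from the original article): inspects the Run entry the
# article names, reports the executable it points at, and removes both
# only when -Remove is given. Run from an elevated PowerShell prompt.
param(
    [switch]$Remove   # default is report-only
)

$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'cssys'  # value name cited in the article

# Read the value; $null when the persistence entry is absent
$entry = (Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if (-not $entry) {
    Write-Output "No '$valueName' value under $runKey - persistence entry not present."
    return
}

# The value is stored as a quoted path, e.g. "C:\ProgramData\fakturax.exe";
# strip surrounding quotes and anything after the closing quote.
$exePath = ($entry -replace '^"([^"]+)".*$', '$1').Trim()
Write-Output "Run entry '$valueName' -> $entry"
Write-Output "Resolved executable: $exePath"

if (Test-Path -LiteralPath $exePath) {
    $file = Get-Item -LiteralPath $exePath
    Write-Output ("File present: {0} bytes, created {1}" -f $file.Length, $file.CreationTime)
    # Record the hash before deletion so the sample can be submitted or analyzed later
    Write-Output ("SHA-256: {0}" -f (Get-FileHash -LiteralPath $exePath -Algorithm SHA256).Hash)
} else {
    Write-Output "Executable not found on disk (already removed or path differs)."
}

if (-not $Remove) {
    Write-Output "Report-only mode. Re-run with -Remove to delete the entry and the file."
    return
}

# Stop any running instance first, then remove persistence and the binary.
Get-Process | Where-Object { $_.Path -eq $exePath } | Stop-Process -Force -ErrorAction SilentlyContinue
Remove-ItemProperty -Path $runKey -Name $valueName
if (Test-Path -LiteralPath $exePath) { Remove-Item -LiteralPath $exePath -Force }
Write-Output "Removed '$valueName' Run entry and $exePath. Restart the computer afterwards."
```

Because the file name is read from the registry value rather than hard-coded, the same script covers a sample that dropped a differently named executable, as step 5 anticipates.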
