What is DilmaLocker ransomware?
DilmaLocker ransomware is a new ransomware-type infection discovered by xXToffeeXx. Like a typical ransomware infection, its main goal is to take over the victim’s computer and encrypt their files, holding them hostage in exchange for a ransom. It shares some similarities with the BTCWare, Gryphon and Aleta ransomware families. Most ransomware infections like this one use the same types of attacks and the same encryption algorithm; the main difference is the amount of ransom demanded. Judging by its ransom note, which is written in Portuguese, it mainly targets users in Brazil and Portugal.
How does DilmaLocker ransomware disseminate its infection and infiltrate the computer?
According to researchers, DilmaLocker may spread with the help of malicious spam emails and possibly through Remote Desktop Protocol (RDP) attacks. The spam email carries a malicious attachment and often uses a “catchy” subject line to get the victim to open the email and download the corrupted attachment. The attachment may be a ZIP file or a macro-enabled Microsoft Word document that launches the attack on the computer.
How does DilmaLocker execute its attack on a targeted computer?
As soon as DilmaLocker gets hold of the computer, it scans the computer’s directories for files to encrypt. It encrypts the files with the AES-256 cipher and then appends the ._dilmaV1 extension to each file. After a successful encryption run, it creates three more malicious files: RECUPERE_SEUS_ARQUIVOS.html, background.bmp and dilminha.dat. All of these files are placed on the desktop of your computer. It also opens a pop-up window and sets the .bmp file as the desktop wallpaper. Both the .bmp and HTML files contain the ransom message, which is written in Portuguese (translated here):
“Oops, all of your files have been encrypted!!!
Your documents: photos, videos, databases and other important files have been encrypted using the 256-bit AES algorithm (the same encryption used by the American government to protect state secrets), which means it is impossible to recover your files without the correct password!
If you are interested in obtaining this password and recovering your files, we recommend that you get in touch and follow the instructions!
In 4 days your files will be DELETED!
Read the file ‘RECUPERE_SEUS_ARQUIVOS.html’ that was created on your desktop.
Contact: [email protected]”
How can you remove DilmaLocker ransomware from your computer?
Step 1: Open the Windows Task Manager by pressing Ctrl + Shift + Esc at the same time.
Step 2: Go to the Processes tab, look for DilmaLocker’s process and end it.
Step 3: Open Control Panel’s uninstall list by pressing the Windows key + R to launch Run, typing appwiz.cpl in the Run box and clicking OK.
Step 4: Look for DilmaLocker ransomware or any malicious program and then Uninstall it.
Step 5: Tap the Win + E keys to open File Explorer.
Step 6: Go to the directories listed below and look for the files DilmaLocker dropped, such as RECUPERE_SEUS_ARQUIVOS.html, background.bmp, dilminha.dat and DILMA_LOCKER_v1.hta.
- %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
- %ALLUSERSPROFILE%\Start Menu\Programs\Startup
- %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
- %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
- %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
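As an added example (not code from the original page), here is a small Python triage script that checks for the artefacts described above: files carrying the ._dilmaV1 extension and the dropped files named in Step 6. It builds a throwaway directory tree imitating an infected Desktop and Startup folder so it runs offline; the directory layout and the sample file contents are constructed for the demonstration. On a Windows host you would pass the real Desktop plus the Startup folders listed above (the STARTUP_FOLDERS list reproduces them with the page’s environment variables, which os.path.expandvars expands on Windows).

```python
"""Triage scanner for the DilmaLocker artefacts named in the removal guide.

Added example, not code from the original page. Walks a set of root
directories and reports (a) files ending in ._dilmaV1 and (b) the dropped
artefacts the guide names. The sample tree is constructed here so the
script runs anywhere; on a live Windows host pass the real Desktop and
the Startup folders instead.
"""
import os
import tempfile
from pathlib import Path

# File names the guide says DilmaLocker drops (from the page).
DROPPED_ARTIFACTS = {
    "RECUPERE_SEUS_ARQUIVOS.html",
    "background.bmp",
    "dilminha.dat",
    "DILMA_LOCKER_v1.hta",
}
# Extension appended to every encrypted file (from the page).
ENCRYPTED_SUFFIX = "._dilmaV1"

# Startup folders listed in Step 6, written with the environment variables
# the page uses; os.path.expandvars expands %VAR% only on Windows.
STARTUP_FOLDERS = [
    r"%ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup",
    r"%ALLUSERSPROFILE%\Start Menu\Programs\Startup",
    r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
    r"%USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup",
    r"%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup",
]


def scan_roots(roots):
    """Return (encrypted_files, artifacts) found under the given roots.

    encrypted_files: paths ending in ._dilmaV1 (exact suffix, as given on the page).
    artifacts: paths whose file name matches a dropped artefact; compared
    case-insensitively because NTFS file names are case-insensitive.
    """
    encrypted, artifacts = [], []
    wanted = {name.lower() for name in DROPPED_ARTIFACTS}
    for root in roots:
        root = Path(os.path.expandvars(str(root)))
        if not root.is_dir():
            continue  # folder absent on this host; nothing to report
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                full = Path(dirpath) / name
                if name.endswith(ENCRYPTED_SUFFIX):
                    encrypted.append(full)
                if name.lower() in wanted:
                    artifacts.append(full)
    return sorted(encrypted), sorted(artifacts)


def build_sample_tree():
    """Construct a throwaway directory imitating an infected Desktop and a
    Startup folder (constructed demo data, not a real infection)."""
    base = Path(tempfile.mkdtemp(prefix="dilma_demo_"))
    desktop = base / "Desktop"
    startup = base / "Startup"
    desktop.mkdir()
    startup.mkdir()
    (desktop / "report.docx._dilmaV1").write_bytes(b"\x00" * 16)
    (desktop / "photo.jpg._dilmaV1").write_bytes(b"\x00" * 16)
    (desktop / "notes.txt").write_text("untouched file")
    (desktop / "RECUPERE_SEUS_ARQUIVOS.html").write_text("<html>ransom note</html>")
    (desktop / "background.bmp").write_bytes(b"BM")
    # Different letter case on purpose: the scanner must still catch it.
    (startup / "dilma_locker_v1.hta").write_text("<!-- persistence -->")
    return base


def summarize(roots):
    """Return a small dict suitable for a triage report."""
    encrypted, artifacts = scan_roots(roots)
    return {
        "encrypted_count": len(encrypted),
        "artifact_names": sorted(p.name for p in artifacts),
        "infected": bool(encrypted or artifacts),
    }


if __name__ == "__main__":
    demo = build_sample_tree()
    print(summarize([demo]))
    # On a real Windows host:
    # print(summarize([Path.home() / "Desktop", *STARTUP_FOLDERS]))
```

The scanner reports rather than deletes: a responder wants the list of hits first, so that the encrypted files are preserved for a later decryptor and only the dropped artefacts are removed.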
The next step is not recommended if you don’t know how to navigate the Registry Editor. Registry changes can seriously affect your computer, so it is highly advised to use PC Cleaner Pro instead to get rid of the entries that DilmaLocker ransomware created. If you are not familiar with the Windows Registry, skip to Step 9 onwards.
However, if you are well-versed in making registry adjustments, you can proceed to Step 7.
Step 7: Open the Registry Editor: tap Win + R, type regedit and press Enter.
Step 8: Navigate to the following path:
Step 9: Delete the registry value named DECRYPTINFO as well as any other suspicious registry values.
Step 10: Close the Registry Editor and empty the Recycle Bin.
Recover your encrypted files using their Shadow Volume copies
Restoring your encrypted files using Windows’ Previous Versions feature will only work if DilmaLocker ransomware hasn’t deleted the shadow copies of your files. Still, this is one of the best free methods there is, so it’s definitely worth a shot.
To restore an encrypted file, right-click on it and select Properties. In the window that pops up, go to the Previous Versions tab; it lists the versions of the file saved before it was modified. After the list loads, select one of the previous versions displayed, like the one in the illustration below, and then click the Restore button.
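Before trying Previous Versions it helps to know whether any shadow copies still exist for the volume that holds your files. The following Python example (added here, not part of the original page) parses the text printed by `vssadmin list shadows` (run from an elevated command prompt on Windows) and reports the surviving copies per drive letter. The output layout is assumed from the tool’s usual format, and both sample texts, including the “No items found that satisfy the query.” wording printed when nothing remains, are constructed; the GUIDs, dates and host name are placeholders.

```python
"""Parse `vssadmin list shadows` output to see whether shadow copies survive.

Added example, not from the original page. The layout below is assumed
from vssadmin's usual output on Windows 7 through 10; the sample text is
constructed so the parser runs offline. On a live host you would feed it
the real text, for example:
    subprocess.run(["vssadmin", "list", "shadows"],
                   capture_output=True, text=True).stdout
"""
import re

# Constructed sample: two shadow copies, one for C: and one for D:.
SAMPLE_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {0a1b2c3d-0000-4000-8000-000000000001}
   Contained 1 shadow copies at creation time: 8/1/2017 10:15:22 AM
      Shadow Copy ID: {0a1b2c3d-0000-4000-8000-0000000000a1}
         Original Volume: (C:)\\?\Volume{0a1b2c3d-0000-4000-8000-0000000000c1}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: workstation01
         Service Machine: workstation01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {0a1b2c3d-0000-4000-8000-000000000002}
   Contained 1 shadow copies at creation time: 8/3/2017 9:02:10 AM
      Shadow Copy ID: {0a1b2c3d-0000-4000-8000-0000000000a2}
         Original Volume: (D:)\\?\Volume{0a1b2c3d-0000-4000-8000-0000000000d1}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: workstation01
         Service Machine: workstation01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

# Constructed sample of what vssadmin prints once every shadow copy is gone.
EMPTY_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

No items found that satisfy the query.
"""

_CREATED_RE = re.compile(r"Contained \d+ shadow copies at creation time: (.+)$")
_VOLUME_RE = re.compile(r"Original Volume: \(([A-Za-z]:)\)")


def parse_shadow_copies(text):
    """Return a list of dicts (id, created, volume, device), one per shadow copy.

    The creation time is printed once per shadow copy set, before the copies
    it contains, so it is remembered and attached to each following copy.
    """
    copies, created, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _CREATED_RE.match(line)
        if m:
            created = m.group(1)
            continue
        if line.startswith("Shadow Copy ID:"):
            current = {"id": line.split(":", 1)[1].strip(), "created": created}
            copies.append(current)
            continue
        if current is None:
            continue  # header lines before the first copy
        m = _VOLUME_RE.match(line)
        if m:
            current["volume"] = m.group(1).upper()
        elif line.startswith("Shadow Copy Volume:"):
            current["device"] = line.split(":", 1)[1].strip()
    return copies


def copies_for_volume(text, drive="C:"):
    """Shadow copies whose original volume is the given drive letter."""
    drive = drive.upper()
    return [c for c in parse_shadow_copies(text) if c.get("volume") == drive]


def previous_versions_possible(text, drive="C:"):
    """True when at least one shadow copy of the drive survives, i.e. the
    Previous Versions approach described above still has something to offer."""
    return bool(copies_for_volume(text, drive))


if __name__ == "__main__":
    for c in parse_shadow_copies(SAMPLE_OUTPUT):
        print(c["volume"], c["created"], c["device"])
    print("C: recoverable:", previous_versions_possible(SAMPLE_OUTPUT, "C:"))
    print("after deletion:", previous_versions_possible(EMPTY_OUTPUT, "C:"))
```

If the function returns False for the drive holding your files, the Previous Versions tab will be empty and you can move straight on to the remaining steps instead of checking file by file.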
Follow the continued advanced steps below to ensure the removal of the DilmaLocker ransomware:
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it’s already on, reboot it.
- The BIOS screen will then be displayed; if Windows starts instead, reboot your computer and try again. While the BIOS screen is showing, press F8 repeatedly until the Advanced Options menu appears.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load the Safe Mode with Networking.
- Press and hold the Windows key and tap the R key.
- If done correctly, the Windows Run box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro (a single space must be between explorer and http) and click OK.
- Internet Explorer will display a dialog box. Click Run to begin downloading the program. Installation will start automatically once the download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.