Removing 'Police-themed' Ransomware

What is ransomware?
'Police-themed' ransomware
Removing 'police-themed' ransomware
  Automatic removal instructions
  Manual removal instructions
  Submitting samples

 

What is Ransomware?

'Ransomware' is a type of malware that attempts to extort money from a computer user by infecting and taking control of the victim's machine, or the files or documents stored on it. Typically, the ransomware will either 'lock' the computer to prevent normal usage, or encrypt the documents and files on it to prevent access to the saved data.

The ransom demand will then be displayed, usually either via a text file or as a webpage in the web browser. This type of malware leverages the victim's surprise, embarrassment and/or fear to push them into paying the ransom demanded.

Ransomware may arrive as part of another malware's payload, or may be delivered by an exploit kit such as Blackhole, which exploits vulnerabilities on the affected computer to silently install and execute the malware.

 

'Police-themed' ransomware

Though earlier ransomware samples we saw tended to be simple, blatant attempts at extortion, recent ones have been more subtle in design. In 2012, we saw multiple instances of 'police-themed' ransomware that cunningly disguise their ransom demands as official-looking warning messages from a local law enforcement agency. 

[Figure: Samples of 'police-themed' ransomware from various countries]

 

The language used and the specific authority mentioned vary depending on the user's geographical location. Most of the police-themed ransomware seen so far targeted Western European countries, notably France, Germany, Finland and Italy.

The specific text of the ransom messages varies, but generally follows the same pattern: they claim that the user's computer has been 'locked' after the police identified it as being used to visit websites related to terrorism or abuse, and that payment of a 'fine' is required to settle the 'offense'. The amount of the supposed fine varies, and directions for paying it via anonymous, untraceable disposable cashcards are included.

In almost all cases, payment of the ransom still does not restore the computer to normal use. As such, we strongly recommend that no payment be made and that the user report the incident to the proper local authorities.

 

Removing 'police-themed' ransomware

We detect police-themed ransomware with multiple detections, including Trojan:W32/Reveton, Trojan:W32/Ransom and generics.

If 'police-themed' ransomware is installed on the system, it can be removed using a downloadable removal tool. For infections by Trojan:W32/Reveton and Trojan:W32/Urausy variants, manual removal is also possible.
 

Automatic Removal

In most cases, F-Secure's Online Scanner removal tool is able to remove the ransomware, restoring normal access to the system.

 

Manual Removal

Caution: Manual disinfection is a risky process; it is recommended only for advanced users. Otherwise, please seek professional technical assistance.

Trojan:W32/Reveton and Trojan:W32/Urausy variants may also be manually removed from the machine, using the following instructions:

  1. Boot the system into 'Safe Mode with Command Prompt.' To do so:
    • First, restart the system (click Start, then Shut Down, select Restart in the drop-down dialog box that appears, then click OK).
    • As the computer restarts but before Windows launches, press F8.
    • Use the arrow keys to highlight 'Safe Mode with Command Prompt' and then press Enter.

  2. In the command prompt, type "regedit" and press Enter.

  3. Look for the following registry values and remove them.
    • For Reveton, delete the "ctfmon.exe" registry value from HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • For Urausy, delete the "shell" registry value from HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon ONLY IF these two conditions are met:
      1. The "shell" registry value is located under HKEY_CURRENT_USER and NOT HKEY_LOCAL_MACHINE.
         WARNING! Deleting the "shell" value if it is listed under HKEY_LOCAL_MACHINE may break the Windows system.
      2. There is a reference to a .dat file (e.g. skype.dat) in the value data.

  4. Reboot the system again, this time into Normal mode.

  5. Finally, run a full computer scan to repair any remaining files.

 

Submitting Samples for analysis

If neither the automatic nor the manual removal instructions above successfully remove the ransomware, please send a sample of the ransomware file to our Security Labs for analysis.

To do so, please reboot your computer into Safe Mode (see instructions in the Manual Removal section above), and look for the suspect file; most commonly, ransomware is saved to one of the following locations:

  • C:\ProgramData\(random alphanumerics).exe
  • C:\Users\(username)\0.(random numbers).exe
  • C:\Users\(username)\AppData\(random alphanumerics).exe

Once found, please send the suspect file to our Sample Analysis System (SAS) for analysis.
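The following PowerShell script is an added example, not F-Secure's Online Scanner or any other tool from this page. It audits the two persistence points from the manual removal steps above (the Reveton "ctfmon.exe" Run value and the Urausy "shell" Winlogon value, checked only under HKEY_CURRENT_USER) and lists executables in the drop locations above with their SHA256 hashes so they can be submitted for analysis. It only reports; it deletes nothing. Run it as the affected user (e.g. by typing "powershell" at the Safe Mode command prompt), since HKCU is per user.

```powershell
# Added example (not F-Secure's code): report-only audit of the indicators this page lists.
$findings = @()

# Reveton persistence: "ctfmon.exe" value under the per-user Run key
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains 'ctfmon.exe')) {
    $findings += [pscustomobject]@{
        Indicator = 'Reveton Run value'
        Location  = "$runKey\ctfmon.exe"
        Detail    = $run.'ctfmon.exe'
    }
}

# Urausy persistence: "shell" value under HKCU Winlogon (HKLM is deliberately not touched,
# as its Shell value is Windows' own) whose data references a .dat file, e.g. skype.dat
$wlKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -Path $wlKey -ErrorAction SilentlyContinue
if ($wl -and ($wl.PSObject.Properties.Name -contains 'shell')) {
    $shell = [string]$wl.shell
    if ($shell -match '\.dat\b') { $label = 'Urausy Winlogon shell value' }
    else { $label = 'HKCU shell value without .dat reference (inspect, do not delete)' }
    $findings += [pscustomobject]@{
        Indicator = $label
        Location  = "$wlKey\shell"
        Detail    = $shell
    }
}

# Drop locations listed on this page; SHA256 is what you would quote when submitting a sample
$patterns = @(
    "$env:ProgramData\*.exe",
    "$env:USERPROFILE\0.*.exe",
    "$env:USERPROFILE\AppData\*.exe"
)
foreach ($f in (Get-ChildItem -Path $patterns -File -ErrorAction SilentlyContinue)) {
    $findings += [pscustomobject]@{
        Indicator = 'Executable in known drop location'
        Location  = $f.FullName
        Detail    = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
}

if ($findings.Count -eq 0) { 'No indicators from this page were found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

A legitimate ctfmon.exe entry can exist in the HKLM Run key on some Windows versions; this script only looks at HKCU, matching the page's instructions, and any hit should still be inspected before removal.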


Recommendations

DO NOT pay the 'fine' (ransom) demanded - in most cases, payment still does not restore normal use

DO report the incident to the police

Removal instructions are on this page; additionally, CERT or law enforcement agencies in affected countries may have their own removal instructions available online

If full disinfection is not possible, consider reverting the system to the last saved configuration with System Restore, or reformatting/reinstalling it from backed-up files
