Removing 'Police-themed' Ransomware

What is ransomware?
'Police-themed' ransomware
Removing 'police-themed' ransomware
  Automatic removal instructions
  Manual removal instructions
  Submitting samples

 

What is Ransomware?

'Ransomware' is a type of malware that attempts to extort money from a computer user by infecting and taking control of the victim's machine, or the files or documents stored on it. Typically, the ransomware will either 'lock' the computer to prevent normal usage, or encrypt the documents and files on it to prevent access to the saved data.

The ransom demand will then be displayed, usually either via a text file or as a webpage in the web browser. This type of malware leverages the victim's surprise, embarrassment and/or fear to push them into paying the ransom demanded.

Ransomware may arrive as part of another malware's payload, or may be delivered by an exploit kit such as Blackhole, which exploits vulnerabilities on the affected computer to silently install and execute the malware.

 

'Police-themed' ransomware

Though earlier ransomware samples we saw tended to be simple, blatant attempts at extortion, recent ones have been more subtle in design. In 2012, we saw multiple instances of 'police-themed' ransomware that cunningly disguise their ransom demands as official-looking warning messages from a local law enforcement agency. 

[Image: Samples of 'police-themed' ransomware from various countries]

 

The language used and the specific authority mentioned vary depending on the user's geographical location. Most of the police-themed ransomware seen so far targeted Western European countries, notably France, Germany, Finland and Italy.

The specific text of the ransom messages varies, but it generally follows the same pattern: it claims that the user's computer has been 'locked' because the police identified it as being used to visit websites related to terrorism or abuse, and that payment of a 'fine' is required to settle the 'offense'. The amount of the supposed fine varies, and directions for paying it via anonymous, untraceable disposable cash cards are included.

In almost all cases, payment of the ransom still does not restore the computer to normal use. As such, we strongly recommend that no payment be made and that the user report the incident to the proper local authorities.

 

Removing 'police-themed' ransomware

We detect police-themed ransomware with multiple detections, including Trojan:W32/Reveton, Trojan:W32/Ransom and generics.

If 'police-themed' ransomware is installed on the system, it can be removed using a downloadable removal tool. For infections by Trojan:W32/Reveton variants, manual removal is also possible.
 

Automatic Removal

In most cases, F-Secure's Online Scanner removal tool is able to remove the ransomware, restoring normal access to the system.

 

Manual Removal

Caution: Manual disinfection is a risky process; it is recommended only for advanced users. Otherwise, please seek professional technical assistance.

Trojan:W32/Reveton variants may also be manually removed from the machine, using the following instructions:

  1. Boot the system into Safe Mode. To do so:

    • First, restart the system (click Start, then Shut Down, select Restart in the drop-down dialog box that appears, then click OK).
    • As the computer restarts but before Windows launches, press F8.
    • Use the arrow keys to highlight 'Safe Mode' and then press Enter.

  2. In Safe Mode, find the file ctfmon.lnk in the Startup folder (C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk) and delete it. Before deleting it, you may want to note where the shortcut points (right-click the file, select Properties and read the Target field): that is the file to send for analysis if the infection persists.

  3. Reboot the system again, this time into Normal mode.
  4. Finally, run a full computer scan to repair any remaining files.
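The following PowerShell script is an added example and is not part of the original page or an F-Secure tool. It automates step 2 above: run in Safe Mode as the affected user, it lists every shortcut in the Startup folders together with the file each one launches, flags ctfmon.lnk (the persistence entry named above) and, with the assumed -Quarantine switch, moves the shortcut aside and keeps a copy of its target instead of deleting outright, so the sample survives for submission. The all-users Startup folder and the Quarantine folder name are additions of this script, not from the page.

```powershell
# Added example, not from the original page. Run in Safe Mode as the affected user.
# Assumed names: -Quarantine switch, -QuarantineDir folder, Get-StartupShortcut helper.
param(
    [switch]$Quarantine,
    [string]$QuarantineDir = (Join-Path $env:USERPROFILE 'Quarantine')
)

$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # ...\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder (additional check, not on the page)
)

$wsh = New-Object -ComObject WScript.Shell

function Get-StartupShortcut {
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Filter '*.lnk' -Force | ForEach-Object {
            $lnk = $wsh.CreateShortcut($_.FullName)   # resolves the .lnk to its target and arguments
            New-Object PSObject -Property @{
                Shortcut      = $_.FullName
                Target        = $lnk.TargetPath
                Arguments     = $lnk.Arguments
                TargetExists  = [bool]($lnk.TargetPath -and (Test-Path -LiteralPath $lnk.TargetPath))
                LastWriteTime = $_.LastWriteTime
                # Name match taken from the page; every other entry is still printed
                # so the operator can judge its target by eye.
                Suspect       = ($_.Name -ieq 'ctfmon.lnk')
            }
        }
    }
}

$entries = @(Get-StartupShortcut)
$entries | Format-Table -AutoSize -Property Suspect, Shortcut, Target, Arguments, TargetExists, LastWriteTime

if ($Quarantine) {
    if (-not (Test-Path -LiteralPath $QuarantineDir)) {
        New-Item -ItemType Directory -Path $QuarantineDir | Out-Null
    }
    foreach ($e in ($entries | Where-Object { $_.Suspect })) {
        # Keep a copy of the payload first (that is the file the lab wants), then
        # move the shortcut so it no longer runs at logon. If the target is a
        # Windows binary (e.g. something under %SystemRoot%), the real payload is
        # usually the file named in Arguments; collect that one by hand instead.
        if ($e.TargetExists -and ($e.Target -notlike "$env:SystemRoot\*")) {
            Copy-Item -LiteralPath $e.Target -Destination $QuarantineDir -Force
        } elseif ($e.Target) {
            Write-Host "Target $($e.Target) is a system binary; check Arguments: $($e.Arguments)"
        }
        Move-Item -LiteralPath $e.Shortcut -Destination $QuarantineDir -Force
        Write-Host "Quarantined $($e.Shortcut) -> $QuarantineDir"
    }
}
```

Run it once without -Quarantine to review the listing, then again with -Quarantine; the moved shortcut and the copied target end up in the Quarantine folder, which is what you would hand to the lab if the automatic scan afterwards still finds the machine infected.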

 

Submitting Samples for analysis

If neither the automatic nor the manual removal instructions above successfully remove the ransomware, please send a sample of the ransomware file to our Security Labs for analysis.

To do so, please reboot your computer into Safe Mode (see instructions in the Manual Removal section above), and look for the suspect file; most commonly, ransomware is saved to one of the following locations:

  • C:\ProgramData\(random alphanumerics).exe
  • C:\Users\(username)\0.(random numbers).exe
  • C:\Users\(username)\AppData\(random alphanumerics).exe

Once found, please send the suspect file to our Sample Analysis System (SAS) for analysis.
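To make that search systematic, here is an added PowerShell example (not from the original page and not an F-Secure tool). Run as the affected user in Safe Mode, it checks the three locations listed above, plus the Local and Roaming subfolders of AppData as an additional check, and prints size, last-write time, Authenticode status and SHA-256 for each executable found, so the file to submit can be picked out and its hash recorded. The -Hours window and the helper names are this script's own assumptions.

```powershell
# Added example, not from the original page. Run in Safe Mode as the affected user.
# Assumed names: -Hours window, Get-Sha256Hex and Find-SuspectExecutable helpers.
param([int]$Hours = 72)   # only list files written within this window; 0 = no time filter

$candidates = @(
    @{ Dir = $env:ProgramData;                        Filter = '*.exe'   },   # C:\ProgramData\(random).exe
    @{ Dir = $env:USERPROFILE;                        Filter = '0.*.exe' },   # C:\Users\(username)\0.(random).exe
    @{ Dir = (Join-Path $env:USERPROFILE 'AppData');  Filter = '*.exe'   },   # C:\Users\(username)\AppData\(random).exe
    @{ Dir = $env:LOCALAPPDATA;                       Filter = '*.exe'   },   # additional check, not on the page
    @{ Dir = $env:APPDATA;                            Filter = '*.exe'   }    # additional check, not on the page
)

function Get-Sha256Hex([string]$Path) {
    # Uses .NET directly so it also works on PowerShell 2.0, which has no Get-FileHash.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close(); $sha.Clear() }
}

function Find-SuspectExecutable {
    $cutoff = (Get-Date).AddHours(-$Hours)
    foreach ($c in $candidates) {
        if (-not $c.Dir -or -not (Test-Path -LiteralPath $c.Dir)) { continue }
        # Non-recursive on purpose: the page's paths are the top level of each folder.
        Get-ChildItem -LiteralPath $c.Dir -Filter $c.Filter -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and ($Hours -eq 0 -or $_.LastWriteTime -ge $cutoff) } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                New-Object PSObject -Property @{
                    Path          = $_.FullName
                    SizeKB        = [math]::Round($_.Length / 1KB, 1)
                    LastWriteTime = $_.LastWriteTime
                    # 'Valid' only for a correctly signed binary; an unsigned, recently
                    # written file in one of these folders is the prime candidate.
                    Signature     = $sig.Status
                    SHA256        = Get-Sha256Hex $_.FullName
                }
            }
    }
}

Find-SuspectExecutable | Sort-Object LastWriteTime -Descending |
    Format-List -Property Path, SizeKB, LastWriteTime, Signature, SHA256
```

Note the SHA-256 of whatever you submit: it lets the lab match the file against existing detections and lets you confirm later that the file you cleaned is the one that was analysed.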

Recommendations

DO NOT pay the 'fine' (ransom) demanded; in most cases, payment still does not restore normal use.

DO report the incident to the police

Removal instructions are on this page; additionally, CERT or law enforcement agencies in affected countries may have their own removal instructions available online

If full disinfection is not possible, consider reverting the system to the last saved configuration with System Restore, or reformatting and reinstalling it from backed-up files.
