Removing 'Police-themed' Ransomware
'Ransomware' is a type of malware that attempts to extort money from a computer user by infecting and taking control of the victim's machine, or the files or documents stored on it. Typically, the ransomware will either 'lock' the computer to prevent normal usage, or encrypt the documents and files on it to prevent access to the saved data.
The ransom demand will then be displayed, usually either via a text file or as a webpage in the web browser. This type of malware leverages the victim's surprise, embarrassment and/or fear to push them into paying the ransom demanded.
Ransomware may arrive as part of another malware's payload, or may be delivered by an exploit kit such as Blackhole, which exploits vulnerabilities on the affected computer to silently install and execute the malware.
Though earlier ransomware samples we saw tended to be simple, blatant attempts at extortion, recent ones have been more subtle in design. In 2012, we saw multiple instances of 'police-themed' ransomware that cunningly disguise their ransom demands as official-looking warning messages from a local law enforcement agency.
The language used and the specific authority mentioned vary depending on the user's geographical location. Most of the police-themed ransomware seen so far targeted Western European countries, notably France, Germany, Finland and Italy.
The specific text of the ransom messages varies, but generally follows the same pattern - they claim that the user's computer is 'locked' after the police identified it as being used to visit websites related to terrorism or abuse, and that payment of a 'fine' is required to settle the 'offense'. The amount of the supposed fine varies, and directions for paying it via anonymous, untraceable disposable cashcards are included.
In almost all cases, payment of the ransom still does not restore the computer to normal use. As such, we strongly recommend that no payment be made and that the user report the incident to the proper local authorities.
If 'police-themed' ransomware is installed on the system, it can be removed using a downloadable removal tool. For infections by Trojan:W32/Reveton variants, manual removal is also possible.
In most cases, F-Secure's Easy Clean removal tool is able to remove the ransomware, restoring normal access to the system.
Caution: Manual disinfection is a risky process; it is recommended only for advanced users. Otherwise, please seek professional technical assistance.
Trojan:W32/Reveton variants may also be manually removed from the machine, using the following instructions:
- Boot the system into Safe Mode. To do so:
  - First, restart the system (Click Start, then Shut Down, select Restart in the drop-down dialog box that appears, then click OK).
  - As the computer restarts but before Windows launches, press F8.
  - Use the arrow keys to highlight 'Safe Mode' and then press Enter.
- In Safe Mode, find the file ctfmon.lnk in the Startup folder (C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk) and delete it.
- Reboot the system again, this time into Normal mode.
- Finally, run a full computer scan to repair any remaining files.
If neither the automatic nor the manual removal instructions above successfully remove the ransomware, please send a sample of the ransomware file to our Security Labs for analysis.
To do so, please reboot your computer into Safe Mode (see instructions in the Manual Removal section above), and look for the suspect file; most commonly, ransomware is saved to one of the following locations:
- C:\Programdata\(random alpha numerics).exe
- C:\Users\(username)\0.(random numbers).exe
- C:\Users\Username\AppData\(random alpha numerics).exe
Once found, please send the suspect file to our Sample Analysis System (SAS) for analysis.
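The manual-removal step and the sample-location list above can be checked in one pass from Safe Mode. The following PowerShell script is an added example for this page; it is not F-Secure's Easy Clean tool or any code from the original article. It looks for the Trojan:W32/Reveton startup shortcut ctfmon.lnk, resolves where that shortcut points, and lists executables in the three drop locations named above together with their SHA-256 hashes, so the right file can be identified and submitted for analysis. It deletes nothing. The regular expressions are an assumed reading of the page's wording ("random alpha numerics", "random numbers"), and the script relies on the standard environment variables (APPDATA, USERPROFILE, ProgramData) and the WScript.Shell COM object to resolve the shortcut target.

```powershell
# Added triage example (not F-Secure's tool). Run in Safe Mode as the affected user:
#   powershell -ExecutionPolicy Bypass -File .\Find-RevetonArtifacts.ps1
# Reports only; nothing is deleted, so the listed files can still be sent for analysis.
$ErrorActionPreference = 'SilentlyContinue'

# 1. The Startup-folder shortcut described in the manual removal steps above.
$startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
$lnk     = Join-Path $startup 'ctfmon.lnk'
if (Test-Path -LiteralPath $lnk) {
    # Resolve the shortcut target: for this family the .lnk launches the dropped executable,
    # so the target tells you which file to look for and submit.
    $shell  = New-Object -ComObject WScript.Shell
    $target = $shell.CreateShortcut($lnk).TargetPath
    Write-Output "Startup shortcut present: $lnk"
    Write-Output "  -> target: $target"
} else {
    Write-Output "No ctfmon.lnk in $startup"
}

# 2. The drop locations listed above. Filename patterns are an assumption based on the
#    page's wording; legitimate executables are rare directly in these folders, so anything
#    matching is worth a closer look, not an automatic verdict.
$candidates = @(
    @{ Dir = $env:ProgramData;                        Pattern = '^[A-Za-z0-9]+\.exe$' }  # C:\ProgramData\<random>.exe
    @{ Dir = $env:USERPROFILE;                        Pattern = '^0\.\d+\.exe$' }        # C:\Users\<user>\0.<digits>.exe
    @{ Dir = (Join-Path $env:USERPROFILE 'AppData');  Pattern = '^[A-Za-z0-9]+\.exe$' }  # C:\Users\<user>\AppData\<random>.exe
)

$findings = foreach ($c in $candidates) {
    # -Force includes hidden files; -File restricts to files only (not subfolders).
    Get-ChildItem -LiteralPath $c.Dir -File -Force -Filter '*.exe' |
        Where-Object { $_.Name -match $c.Pattern } |
        ForEach-Object {
            [PSCustomObject]@{
                Path     = $_.FullName
                SizeKB   = [math]::Round($_.Length / 1KB, 1)
                Modified = $_.LastWriteTime
                Hidden   = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if ($findings) {
    Write-Output "Suspect executables in known drop locations:"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No executables matching the documented drop-location patterns were found."
}
```

If the shortcut's resolved target matches one of the listed paths, that is the file to copy off (for example to removable media) and submit to the Sample Analysis System before the cleanup in the manual steps deletes the shortcut and a full scan removes the executable. Get-FileHash requires PowerShell 4.0 or later; on an older system, omit the SHA256 column and hash the file on another machine.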
• DO NOT pay the 'fine' (ransom) demanded - in most cases, payment still does not restore normal use
• DO report the incident to the police
• Removal instructions are on this page; additionally, CERT or law enforcement agencies in affected countries may have their own removal instructions available online
• If full disinfection is not possible, consider reverting the system to the last saved configuration with System Restore, or reformatting/reinstalling it from backed up files