Removal Instructions

Removing 'Police-themed' Ransomware


Ransomware is a type of harmful program that extorts money from a user by taking control of their device or data, then demanding a ransom for its return. 'Police-themed' ransomware disguises its ransom demands as official-looking warning messages from a local law enforcement agency.

The criminals responsible for ransomware usually distribute it using trojans or exploit kits. When it is run on a computer or device, the ransomware will first try to 'lock' or encrypt the device or its contents. Next, the ransom demand is displayed, usually in a text file or a webpage. Some ransomware also changes the desktop background to display the demand.

If the affected device or data is confidential, business-critical or irreplaceable, the impact of a ransomware infection can be very disruptive. Ransomware exploits the user's shock, embarrassment and fear to pressure them into paying the ransom demanded.

Examples of 'police-themed' ransom demands

'Police-themed' ransom demand

Though earlier ransomware samples we saw tended to be simple, blatant attempts at extortion, recent ones have been more subtle in design.

From 2012 onwards, we started seeing ransomware using the names, visual images and language of various law enforcement agencies to make their ransom demands look like official writs, usually regarding some alleged offense that the user supposedly committed.

The details of the ransom demand vary depending on the user's geographical location. The most notable examples have come from Western European countries, notably France, Germany, Finland and Italy, but other countries have also reported instances of such ransomware.

While the actual text of the demands varies, they generally follow the same pattern:

  1. Claim that the computer or device has been 'locked' after the authorities identified it as being used to visit websites related to:
    • Terrorism or
    • Child abuse or
    • Pornography
  2. Display the device's IP address and other details.
  3. Claim that payment of a 'fine' is required to settle the 'offense'.
  4. Provide instructions for paying the 'fine' using cash cards, vouchers or other payment methods that are difficult to trace.

Should you pay the demand?

Security researchers and law enforcement authorities strongly recommend that affected users do not pay the ransom demand. There is no guarantee that payment will restore the affected device or data.

The recommended course of action is that the user report the incident to the proper local authorities, disinfect the affected device and restore the affected data from clean backups.

In some of the cases reported to legitimate authorities however, losing control of the affected device or data has been so disruptive that the users have chosen to pay the ransom demand. This has been especially true of businesses and individuals who have no clean backups to recover from, or who have critical business machines affected by the ransomware.

Of course, it is likely that many affected users do not report an infection or ransom payment to the authorities at all.

Responding to a ransomware infection

If the worst happens and ransomware does infect your device, there are a couple of steps you can take to contain the damage:

  • IMMEDIATELY disconnect the affected device or devices from the local network and/or the Internet. Doing so prevents the infection from spreading to other connected devices.
  • Scan all connected devices and/or cloud storage for similar flaws and additional threats. Not only should other connected devices and storage media be checked for infection by the same threat, but also for any other threats that may have been installed on the side.
  • If possible, identify the specific ransomware responsible. Knowing the specific family involved makes it easier to search online for information about remedial options. The ID-Ransomware project site may be able to help you identify the ransomware involved.

You can find more about responding to a ransomware infection at:

You may also be interested to check out:

No More Ransom!

This is an initiative by the National High Tech Crime Unit of the Netherlands' police, Europol's European Cybercrime Centre and security researchers that aims to help victims retrieve their encrypted data without having to pay the criminals responsible for the threat.

Removing 'police-themed' ransomware

In most cases, F-Secure's security products will automatically detect and remove a ransomware file.

For certain ransomware families, manual removal is also possible, though it is only recommended for a technically skilled user.

Automatic Removal

We detect police-themed ransomware with multiple detections, including Trojan:W32/Reveton, Trojan:W32/Ransom and generics.

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

For users who do not have an F-Secure security product installed, in most cases our Online Scanner removal tool is able to detect and automatically remove the ransomware.

Manual Removal

Trojan:W32/Reveton and Trojan:W32/Urausy variants may also be manually removed from the machine, using the following instructions:

CAUTION: Manual disinfection is a risky process; it is recommended only for advanced users. Otherwise, seek professional technical assistance.

  1. Boot the system into 'Safe Mode with Command Prompt.' To do so:
    • First, restart the system (Click Start, then Shut Down, select Restart in the drop-down dialog box that appears, then click OK).
    • As the computer restarts but before Windows launches, press F8.
    • Use the arrow keys to highlight 'Safe Mode with Command Prompt' and then press Enter.
  2. In the command prompt, type "regedit" and press Enter.
  3. Look for the following registry values and remove them.

    • For Reveton

      Delete the "ctfmon.exe" registry value from HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    • For Urausy

      Delete the "shell" registry value from HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon ONLY IF these two conditions are met:

      1. The "shell" registry value is located under HKEY_CURRENT_USER and NOT HKEY_LOCAL_MACHINE.

        WARNING! Deleting the "shell" value if it is listed under HKEY_LOCAL_MACHINE may break the Windows system.

      2. There is a reference to a .dat file (e.g. skype.dat) in the value data.

  4. Reboot the system again, this time into Normal mode.
  5. Finally, run a full computer scan to repair any remaining files.
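
The checks in step 3 can be made without opening regedit. The following PowerShell is an added example, not F-Secure's own tooling; it assumes PowerShell can be started from the Safe Mode command prompt under the affected user's account, and it only reads and reports:

```powershell
# Added example (not F-Secure code): read-only check of the autostart values
# named in step 3. It reports what it finds and deletes nothing.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue($Name) }
}

$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$winlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Reveton: a value named "ctfmon.exe" under the per-user Run key.
$reveton = Get-RegValue -Path $runKey -Name 'ctfmon.exe'
if ($null -ne $reveton) {
    "Reveton: Run value 'ctfmon.exe' is present, data: $reveton"
} else {
    "Reveton: no 'ctfmon.exe' value under $runKey"
}

# Urausy: only the HKEY_CURRENT_USER copy of "shell" is read here.
# The HKEY_LOCAL_MACHINE value is the one Windows needs and is never touched.
$shell = Get-RegValue -Path $winlogon -Name 'shell'
if ($null -eq $shell) {
    "Urausy: no per-user 'shell' value, nothing to remove"
} elseif ([string]$shell -match '\.dat\b') {
    # Both conditions from the instructions hold: HKCU location and a .dat reference.
    "Urausy: per-user 'shell' references a .dat file, data: $shell"
} else {
    "Urausy: per-user 'shell' exists without a .dat reference, do NOT delete: $shell"
}
```

Note the file paths shown in the value data before deleting anything; they point at the files to look for when submitting a sample.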

Submitting sample for analysis

You can send a sample of the ransomware file to our Labs for analysis.

To do so, please reboot your computer into Safe Mode (see instructions in the Manual Removal section above), and look for the suspect file; most commonly, ransomware is saved to one of the following locations:

  • C:\Programdata\(random alpha numerics).exe
  • C:\Users\(username)\0.(random numbers).exe
  • C:\Users\Username\AppData\(random alpha numerics).exe

Once found, send us the suspect file via Submit A Sample (SAS).
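
To narrow down the suspect file, the three locations above can be listed in one pass. This PowerShell is an added example, not part of the original instructions; the name patterns are an interpretation of "(random alpha numerics)" and "(random numbers)", and the Authenticode status column is an extra triage hint that the page does not mention:

```powershell
# Added example (not F-Secure code): list .exe files that sit directly in the
# folders named above and match the described name shapes. Read-only.
# Assumes the system drive is C:, as in the paths on this page.

$alnum = '^[A-Za-z0-9]+\.exe$'     # (random alpha numerics).exe
$zero  = '^0\.[0-9]+\.exe$'        # 0.(random numbers).exe

# One rule per folder: where to look and which file names count.
$rules = @(@{ Dir = 'C:\ProgramData'; Pattern = $alnum })

# Every profile folder under C:\Users gets the two per-user rules.
$userDirs = @(Get-ChildItem -LiteralPath 'C:\Users' -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer })
foreach ($d in $userDirs) {
    $rules += @{ Dir = $d.FullName; Pattern = $zero }
    $rules += @{ Dir = (Join-Path $d.FullName 'AppData'); Pattern = $alnum }
}

foreach ($r in $rules) {
    $pattern = $r.Pattern
    # Non-recursive: only files directly inside the folder are considered.
    Get-ChildItem -LiteralPath $r.Dir -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Name -match $pattern } |
        Select-Object FullName, Length, CreationTime,
            @{ Name = 'Signature'
               Expression = { (Get-AuthenticodeSignature -FilePath $_.FullName).Status } }
}
```

A match is only a candidate: compare its path with the value data found in the registry before treating it as the ransomware file.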
