'Ransomware' is a type of malware that attempts to extort money from a computer user by infecting and taking control of the victim's machine, or the files or documents stored on it. Typically, the ransomware will either 'lock' the computer to prevent normal usage, or encrypt the documents and files on it to prevent access to the saved data.
The ransom demand will then be displayed, usually either via a text file or as a webpage in the web browser. This type of malware leverages the victim's surprise, embarrassment and/or fear to push them into paying the ransom demanded.
Ransomware may arrive as part of another malware's payload, or may be delivered by an exploit kit such as Blackhole, which exploits vulnerabilities on the affected computer to silently install and execute the malware.
'Police-themed' ransomware
Though earlier ransomware samples we saw tended to be simple, blatant attempts at extortion, recent ones have been more subtle in design. In 2012, we saw multiple instances of 'police-themed' ransomware that cunningly disguise their ransom demands as official-looking warning messages from a local law enforcement agency.
Samples of 'police-themed' ransomware from various countries (click the image for larger view)
The language used and the specific authority mentioned vary depending on the user's geographical location. Most of the police-themed ransomware seen so far targeted Western European countries, notably France, Germany, Finland and Italy.
The specific text of the ransom messages vary, but generally follow the same pattern - they claim that the user's computer is 'locked' after the police identified it as being used to visit websites related to terrorism or abuse and that payment of a 'fine' is required to settle the 'offense'. The amount of the supposed fine varies, and directions for paying it via anonymous, untraceable disposable cashcards are included.
In almost all cases, payment of the ransom still does not restore the computer to normal use. As such, we strongly recommend that no payment be made and that the user report the incident to the proper local authorities.
Removing 'police-themed' ransomware
We detect police-themed ransomware with multiple detections, including Trojan:W32/Reveton, Trojan:W32/Ransom and generics.
If 'police-themed' ransomware is installed on the system, it can be removed using a downloadable removal tool. For infections by Trojan:W32/Reveton and Trojan:W32/Urausy variants, manual removal is also possible.
Automatic Removal
In most cases, F-Secure's Online Scanner removal tool is able to remove the ransomeware, restoring normal access to the system.
Manual Removal
Caution: Manual disinfection is a risky process; it is recommended only for advanced users. Otherwise, please seek professional technical assistance.
Trojan:W32/Reveton and Trojan:W32/Urausy variants may also be manually removed from the machine, using the following instructions:
Boot the system into 'Safe Mode with Command Prompt.' To do so:
First, restart the system (Click Start, then Shut Down, select Restart in the drop-down dialog box that appears, then click OK).
As the computer restarts but before Windows launches, press F8.
Use the arrow keys to highlight 'Safe Mode with Command Prompt' and then press Enter.
In the command prompt, type "regedit" and press Enter.
Look for the following registry values and remove them.
For Reveton, delete the "ctfmon.exe" registry value from HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
For Urausy, delete the "shell" registry value from HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon ONLY IF these two conditions are met:
The "shell" registry value is located under HKEY_CURRENT_USER and NOT HKEY_LOCAL_MACHINE.
WARNING! Deleting the "shell" value if it is listed under HKEY_LOCAL_MACHINE may break the Windows system.
There is a reference to a .dat file (e.g. skype.dat) in the value data.
Reboot the system again, this time into Normal mode.
Finally, run a full computer scan to repair any remaining files
