[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More


ICE Cyber Crimes FBI Ransomware variant...removal!

Published on
9,471 Points
3 Endorsements
Last Modified:
There is a new version of the FBI Ransomware moneypak scam that I just encountered and thought I would share the cleanup instructions with the group.

For the uninitiated,  the FBI Ransomware virus takes over the user interface and prevents any user interaction with the desktop or system tools. Therefore, it can be difficult to identify the offending code and remove it. Since the initial code looks fairly benign, most antivirus programs will let it pass. In the case I was working on, the customer was using ESET which is normally very good at catching both known and suspected malware.

This variant digs in a little deeper and is a little harder to remove than its predecessor, especially if it is not a domain computer.

The new version of the FBI Ransomware now says Homeland Security and ICE Cyber something something.  They use stolen imagery from legitimate web sites to give it an official look. The original one used the FBI's own website masthead.

The function is the same, try to get moneypak funds. It displays the webcam if available and promises to unlock the computer if you pay them your "fine".

This is still a profile infection but it is a little harder to clean. The first step is to clean out the user's profile AppData/Temp folder to remove the offending binary. If it is a domain machine, just do this through the admin share (\\machine\c$). If it is not, you need to have bootable media that will allow you to access the hard drive. Just delete everything in that folder.  After rebooting, the system will come up to command prompt with a failure message about an .exe that cannot be found.

Next, there are two registry keys that must be deleted. You can just run regedit from the command prompt. Delete the following:

HKCU\Software\Microsoft\Command Processor\Autorun

Reboot and voila!


1 Comment
LVL 38

Expert Comment

Nice tip! I hit the YES button for helpful article above.

Featured Post

Cloud as a Security Delivery Platform for MSSPs

Every Managed Security Service Provider (MSSP) needs a platform to deliver effective and efficient security-as-a-service to their customers. Scale, elasticity and profitability are a few of the many features that a Cloud platform offers. View our on-demand webinar to learn more!

Join & Write a Comment

Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Other articles by this author

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month