There is a new version of the FBI Ransomware moneypak scam that I just encountered and thought I would share the cleanup instructions with the group.
For the uninitiated, the FBI Ransomware virus takes over the user interface and prevents any user interaction with the desktop or system tools. Therefore, it can be difficult to identify the offending code and remove it. Since the initial code looks fairly benign, most antivirus programs will let it pass. In the case I was working on, the customer was using ESET which is normally very good at catching both known and suspected malware.
This variant digs in a little deeper and is a little harder to remove than its predecessor, especially if it is not a domain computer.
The new version of the FBI Ransomware now says Homeland Security and ICE Cyber something something. They use stolen imagery from legitimate web sites to give it an official look. The original one used the FBI's own website masthead.
The function is the same, try to get moneypak funds. It displays the webcam if available and promises to unlock the computer if you pay them your "fine".
This is still a profile infection but it is a little harder to clean. The first step is to clean out the user's profile AppData/Temp folder to remove the offending binary. If it is a domain machine, just do this through the admin share (\\machine\c$). If it is not, you need to have bootable media that will allow you to access the hard drive. Just delete everything in that folder. After rebooting, the system will come up to command prompt with a failure message about an .exe that cannot be found.
Next, there are two registry keys that must be deleted. You can just run regedit from the command prompt. Delete the following:
If you have a question about something within an article, you can receive help directly from the article author. Experts Exchange article authors are available to answer questions and further the discussion.