
ICE Cyber Crimes FBI Ransomware variant...removal!

There is a new version of the FBI Ransomware moneypak scam that I just encountered and thought I would share the cleanup instructions with the group.

For the uninitiated, the FBI Ransomware virus takes over the user interface and prevents any user interaction with the desktop or system tools. Therefore, it can be difficult to identify the offending code and remove it. Since the initial code looks fairly benign, most antivirus programs will let it pass. In the case I was working on, the customer was using ESET, which is normally very good at catching both known and suspected malware.

This variant digs in a little deeper and is a little harder to remove than its predecessor, especially if it is not a domain computer.

The new version of the FBI Ransomware now says Homeland Security and ICE Cyber something something. They use stolen imagery from legitimate web sites to give it an official look. The original one used the FBI's own website masthead.

The function is the same: try to get MoneyPak funds. It displays the webcam feed if one is available and promises to unlock the computer if you pay them your "fine".

This is still a profile infection, but it is a little harder to clean. The first step is to clean out the user's profile AppData/Temp folder to remove the offending binary. If it is a domain machine, just do this through the admin share (\\machine\c$). If it is not, you need bootable media that will allow you to access the hard drive. Just delete everything in that folder. After rebooting, the system will come up to a command prompt with a failure message about an .exe that cannot be found (the deleted binary that the persistence entries below still point to).

Next, there are two registry values that must be deleted: the per-user Winlogon Shell value, which the malware sets so its binary loads instead of the normal desktop, and the Command Processor AutoRun value, which runs it whenever a command prompt opens. You can just run regedit from the command prompt. Delete the following:

HKCU\Software\Microsoft\Command Processor\AutoRun
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Reboot and voila!

Cheers!

Gary
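An audit script for the two HKCU values described above, added here as an example and not part of Gary's article: it reports whatever is set in those locations, flags values pointing into Temp or AppData, and deletes them only when run with -Remove. The Temp/AppData pattern, the log file path and the -Remove switch are my assumptions.

```powershell
# Added example (not from the original article): audit the two per-user
# registry locations the article says this variant abuses, and optionally
# remove them. Run as the affected user on the cleaned system.
param(
    [switch]$Remove   # without -Remove the script only reports
)

# Value locations named in the article. A per-user Shell value normally does
# not exist (the machine-wide default is explorer.exe) and AutoRun is normally
# absent, so any non-empty value here deserves a look.
$Checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell' },
    @{ Path = 'HKCU:\Software\Microsoft\Command Processor';                  Name = 'AutoRun' }
)

$Findings = @()
foreach ($c in $Checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $value = $item.($c.Name)
    if ([string]::IsNullOrWhiteSpace($value)) { continue }

    # Anything launching from a Temp or AppData folder matches the
    # profile-infection pattern the article describes (assumed heuristic).
    $suspicious = $value -match '(?i)\\(Temp|AppData)\\'
    $Findings += [pscustomobject]@{
        Path       = $c.Path
        Name       = $c.Name
        Value      = $value
        Suspicious = $suspicious
    }
}

if (-not $Findings) {
    Write-Host 'No Shell or AutoRun values set under HKCU.'
    return
}

$Findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $Findings) {
        # Record what was removed before deleting, for the incident notes.
        "$(Get-Date -Format o) removed $($f.Path)\$($f.Name) = $($f.Value)" |
            Add-Content -Path "$env:USERPROFILE\ransomware-cleanup.log"
        Remove-ItemProperty -Path $f.Path -Name $f.Name
    }
    Write-Host 'Removed listed values; reboot to confirm the desktop loads normally.'
}
```

Run it once without -Remove to see what is set, then again with -Remove once you have confirmed the values point at the deleted binary.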
1 Comment
Expert Comment by lherrou:
Nice tip! I hit the YES button for helpful article above.
