Multi-Language Ransomware Mentions Police to Enforce Payment

Grab the free removal tool and put your machine back on track in no time

When it comes to innovation, cyber-criminals have no borders, or that’s what we believe after analyzing this piece of multi-language malware detected as Trojan.Ransom.IcePol.

The ransomware adds itself to the Startup Registry key to ensure persistence after every reboot. As soon as the computer starts, the screen gets locked and displays a message in the user’s language, if the user is located in a country that speaks one of 25 languages. The message states that the computer was locked because suspicious activity (download of copyrighted material or of “illegal pornography”) was detected. Of course, the system can be unlocked by paying a ransom, euphemistically described as a “fine”.

 

 

To block access to the system, the Trojan adds itself to the Winlogon\Shell registry key in the Current User branch and denies the current user access to Windows Explorer. This way, the user is locked out, with no chance to run an antivirus solution or a removal tool.
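As an added example (not Bitdefender's removal tool and not code from the article), the following Python script triages text captured with `reg query` from Safe Mode with Command Prompt for the two persistence points described above. The full key paths are the usual Windows locations and are an assumption, since the article names only the "Startup Registry key" and Winlogon\Shell; the sample output is constructed.

```python
import re

# Usual Windows locations of the two persistence points the article names
# (assumed: the article says only "Startup Registry key" and Winlogon\Shell).
WINLOGON = r"software\microsoft\windows nt\currentversion\winlogon"
RUN = r"software\microsoft\windows\currentversion\run"
VALUE_RE = re.compile(r"^\s+(\S.*?)\s+(REG_\w+)\s*(.*)$")

# Constructed sample of what `reg query "<key>"` prints for three keys.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    C:\Users\alice\AppData\Roaming\example.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Example Updater    REG_SZ    "C:\Users\alice\AppData\Roaming\example.exe"
"""

def parse_reg_query(text):
    """Parse `reg query` text output into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[m.group(1)] = m.group(3).strip()
    return keys

def triage(text):
    """Return sorted (severity, key, value_name, data) findings."""
    findings = []
    for key, values in parse_reg_query(text).items():
        if key.lower().endswith(WINLOGON):
            # Normal state: HKLM Shell is explorer.exe; HKCU has no Shell value.
            for name, data in values.items():
                if name.lower() == "shell" and data.strip('"').lower() != "explorer.exe":
                    findings.append(("high", key, name, data))
        elif key.lower().endswith(RUN):
            # Autostart entries cannot be judged automatically: list for review.
            findings.extend(("review", key, n, d) for n, d in values.items())
    return sorted(findings)

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep=" | ")
```

A per-user Shell value that is anything other than `explorer.exe` is the finding to act on first; Run entries are listed so they can be checked by hand.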

If you have become infected with this ransomware Trojan, use a working computer to download the Bitdefender removal tool.

  • Copy it to a flash drive, then boot the affected computer in Safe Mode with Command Prompt and log into the account of the affected user. This is extremely important as your desktop is – most likely – locked by the malware.
  • Use the command prompt to launch the removal tool from the removable medium and run it. The scanning process is extremely targeted to the specific areas of the system which are affected by this particular e-threat, so the whole process should only take between five and ten seconds.
  • Reboot the computer and start it normally. Your desktop should now be unlocked.

Removal tool courtesy of the Bitdefender malware cleanup team

UPDATE: New article details spread of infection, here.

65 Responses to Multi-Language Ransomware Mentions Police to Enforce Payment


  1. Alexandrul says:

    I did this and it’s still locked…hmm……

  2. Johan says:

    Of course, it’s important to do a full scan of your system with your antivirus after that, because the malware that downloaded the “police” ransomware may still be present on your system.

    Also check for the latest security updates of all your software (and repeat this regularly) to prevent another infection.

  3. Andy says:

    very nice tool Bitdefender *thumbs up*

  4. Alexandrul says:

    Mmm… how can I do a system scan when it is still locked? When I start the PC it doesn’t reach the desktop… the screen with the “your computer is locked……….” is still there… like before…

  5. Ilja. _\\// says:

    “Copy it on a flash drive then boot the affected computer in Safe Mode with Command Prompt and log into the account of the affected user. This is extremely important as your desktop is – most likely – locked by the malware.”

    Perhaps some clarification is needed? How do I do that, logging in to the account of the affected user in Safe Mode with Command Prompt?

    Type Logoff & hit Enter?

    Ilja. _\\//

  6. Gabriel says:

    Thank you for the removal tool but I have one question: What do you write in the Command Prompt window in order to start the removal tool from the flash drive?

  7. Alexandrul says:

    Hmm… I enter Safe Mode with Command Prompt… I open the flash drive… I do the scan… it is saying scan complete… and when I restart the computer and enter Windows normally… there is no change……….. still like before…

  8. alin says:

    1. Copy on USB
    2. Restart in Safe mode with cmd prompt
    3. Press CTRL-ALT-DEL for Task Manager.
    4. New Task
    5. Browse on USB for removal tool.
    6. Full Scan.
    7. Restart normally
    Tested on laptop XP sp3….WORKED… Very nice job with this..TY

  9. Jefferson says:

    I did exactly what Alin said but no effect. Seems the malware was modified and is not detected?

  10. Orsi says:

    I did what Alin said… but it didn’t work. What can I do? :-S

  11. kristy says:

    Yes, seems the malware was modified and the removal tool is not working anymore. I solved the problem with a restore point.

  12. ionicafardefric says:

    Actually you can easily disable it without the use of this tool. Restart the PC, start it in safe mode; once in Windows, Start->Run, type in msconfig in there. In the Startup tab, uncheck all programs that look suspicious. Restart your PC in normal mode. (Note this will not remove the virus, it will just disable it)

  13. fakenick says:

    Where is the version for Windows 7?

  14. Andy says:

    So my friend has this problem too.. I will try tomorrow too and I will post a video on YouTube on how to remove that damn virus :)

  15. Cristian says:

    1. Copy removal tool file on USB flash drive
    2. Restart in Safe mode with cmd prompt
    3. Press CTRL-ALT-DEL for Task Manager.
    4. New Task
    5. Browse on USB flash drive for removal tool.
    6. Full Scan.
    7. Restart normally
    Tested on laptop with Windows 7, whole process only takes five seconds. WORKS great.

  16. Paulo Coelho says:

    new malware variant

    does not let start in safe mode

    machine reboots over again in normal mode

  17. N. says:

    Hi, unfortunately I have had a ransomware virus before which I could easily erase from my computer by going into safe mode and choosing a system recovery date and that would do the trick, but now I caught a heavier virus. I tried Kaspersky’s rescue CD 10 and Hiren’s reboot CD but both have failed. I now found this forum with the same problem and I downloaded the toolkit and copied it on a flash drive, but when I click on New Task and I search for the program I can’t even see the flash drive slot at ‘My Computer’; the only slots I see are my hard drives and my one CD station. I already tried several USB ports but no result. Please explain this. Is it maybe possible to put the toolkit file on a CD and start it from there?

    Many thanks in advance.

  18. Paulo Coelho says:

    problem solved!

    managed to go Safe Mode With Command Prompt

    and start the System Restore tool

    Type “rstrui.exe” at the C: prompt and press the “Enter” key.

  19. N. says:

    Well it was a good idea, but strangely I can only select 1 recovery point and that recovery point does not bring the system back before the virus. And it also could not complete because the data was incomplete or something… Any other suggestions?

  20. tudor says:

    A variant of the virus:
    (Using BitLocker; haven’t the BitLocker key handy) so I needed to log in as another privileged user to pause BitLocker.
    Right after login, a package install pops up. I was fast enough to stop that process.
    I paused BitLocker and rebooted in safe mode.
    Logging in as the infected user in safe mode led to an immediate shutdown. I had to log in again as another privileged user in safe mode, stopped the “package” install again and switched to the infected user. The shutdown process was blocked with the dialog that there are other users logged in.
    Removal tool seems to be effective.

  21. Daniel says:

    Another variant:
    1. Start normally windows 7
    2. Now the desktop is blocked
    3. CTRL+ALT+DEL
    4. Restart computer
    5. Cancel restart (attention, very quickly)
    6. Start BDRemoval_Trojan_Ransom_IcePol on stick
    7. ready

  22. otto says:

    works great within 5 seconds it was done already thumbs up

  23. Bassus says:

    next time you IT jockeys buy a car from me, I will ask you to adjust the timing, check the valves and replace the distribution whenever you have a problem with the spare wheel. What a sorry world this IT world is. And it is getting worse.

  24. maxie says:

    OK, it worked on 2 separate PCs from work. Malware removed. Thanks!

  25. Margriet says:

    Hi Christian, thanks for the tip, worked like a dream on Windows 7!!!!!!

  26. hans says:

    thank you, worked perfect on windows 7

  27. Tom says:

    Malware removed (XP) Thanks!!!

  28. Tmul says:

    Works for me! Even from a guest account on the infected system! Just download and run straight away :-)

  29. Jroen says:

    I typed rstrui.exe at the C prompt and although my computer didn’t seem to do anything, after a minute or so the computer asked me if I wanted to use a restore point from this morning, I did that and it rebooted fine.

    I’m running *** now and it already found ten viruses.

  30. keeygee says:

    1. Copy removal tool file on USB flash drive
    2. Restart in Safe mode with cmd prompt
    3. Press CTRL-ALT-DEL for Task Manager.
    4. New Task
    5. Browse on USB flash drive for removal tool.
    6. Full Scan.
    7. Restart normally
    Tested on laptop with Windows 7, whole process only takes five seconds. WORKS great.

    If you can’t see the USB stick, write the removal tool on a CD, it will work like charm.
    Thx Cristian!

  31. Pieter A says:

    Yes it worked perfectly well on my desktop. Thanks

  32. med says:

    Great job! Thank you very much!

  33. Sandra says:

    Works like a charm in seconds, thank you!!

  34. shanna says:

    removed, thanks!

  35. MC_JP says:

    after trying out a million tricks, this one did it for me !

  36. N. says:

    Sigh! It’s been a while but they’ve done it again! It’s the most evolved I’ve seen so far.. also the ukash penalty seems to be higher. I cannot reach my safe mode/prompt and I tried the Ctrl-Alt-Delete thing then reboot and cancel very quickly but that also seems to do nothing.. if any living soul has any suggestions please tell me

  37. AB says:

    The same problem for me. Nothing is working.

  38. Niick says:

    It worked, thank you so so so much !

  39. RG says:

    `I typed rstrui.exe at the C prompt and although my computer didn’t seem to do anything, after a minute or so the computer asked me if I wanted to use a restore point from this morning, I did that and it rebooted fine.

    I’m running *** now and it already found ten viruses.`

    Worked on Vista THANKS!!!!!!!!!!!!!!!!!!!!!

  40. gjkeller says:

    thanks

  41. B Stevens says:

    Works like a charm !!

    Thnx, BitDefender !!

  42. UnSub says:

    Will this Tool clear a USB drive if I Download it onto my working Computer? My other Computer is shot now, since it cannot Boot into Safe Mode, but there IS a several minute window after Logging In before the Virus locks my Desktop, so I’m going to salvage all of my important files to the USB. Now I need to know if the second Computer can kill the Virus if I Download the Kit, or if it will Contract it too.

    Virus I have Identifies itself as “Arestocrat” and masquerades as something like “Hyperlight something or other”…

  43. obelus says:

    I am having the police virus too, but cannot go to safe mode. Please, some help. Thank you

  44. johan vD says:

    First off I wanna thank u all.
    I almost had a heart attack when this happened, see I am a producer of music and all my work is of course on my computer.
    Although not every option works I got to try a lot of different things.

    one thing is for sure if it wasn’t for u guys out there id still be screwed right now

    THNQ~~~~

  45. JW says:

    When I run the tool it is immediately ready and says it was successful. I see no files found. After this it is still affected. I see a version with Willem Alexander on the screen. Is that a new one?

  46. Fjw says:

    BitDefender – you are brilliant! I picked up the Ransom Trojan last week and your removal tool has saved my data (must run a backup!). Thank you so much.

  47. marcel says:

    These guys are real tricksters, I almost fell for it

  48. Piet says:

    Great tool, works excellently and very fast!!!
    Thanks!!!

  49. P. Ipo says:

    seems to have repaired: no save start options possible but run from usb on another user account (xp), thanks.

  50. cognean says:

    I almost fell for it too. Thank you

  51. BM says:

    The instructions here are so simple as if you never knew about them, but in order to follow them, you have to be able to start in safe mode in the first place. But this is not happening. You have to overcome this first before starting to follow these instructions.

  52. cole says:

    I used a Linux bootable USB stick and opened the shortcut created in the startup folder to see what executable is run. I just manually deleted that executable from Linux. It was rundll32.exe located in the windows/system32 folder

  53. Danut says:

    The removal tool is not working. I ran it several times but the trojan is still there.

  54. Wild says:

    Thanks very much it worked

  55. Ronald says:

    I have the same problem as JW and Danut: I run the tool and it says that it is successful. But after restarting the computer, the problem/virus is still there and my computer is still locked.

  56. Alex says:

    Tip: when I had the Interpol screen thing (yes, I got that with Interpol, not with police, like it says in this article) I managed to shut down my PC by hitting the “Windows” button and the right arrow button to select the “shut down” command (Windows 7 start menu style). After pressing “Enter” and the command was in progress, first it was that screen that had been closed and then, right before Windows started to close, I pressed the “Esc” button, that cancelled the “shut down” command and got rid of the virus screen. That’s how I’m here, writing this to you.
    I’ve tried the removal tool but it didn’t work. Seems that I still have to reboot from safe mode anyway.
