Royal Canadian Mounted Police Virus
Written by Tomas Meskauskas
Damage level: Severe
Royal Canadian Mounted Police (RCMP) virus removal guide
The Royal Canadian Mounted Police (RCMP) message demands that computer users pay a $100 CAD fine. This is a scam: a ransomware infection that displays false accusations (downloading copyrighted music and video files) in order to scare PC users into paying a fake fine. The message is created by cyber criminals, who use Trojan infections to infiltrate users' systems and deliver the ransomware. The Royal Canadian Mounted Police do not send messages such as this, and no authorities anywhere use these methods (locking computer screens) to collect fines for any law violations.
This particular ransomware infection originates from a family called Urausy and targets PC users from Canada. Cyber criminals behind this family localize the screen-blocking fake messages. For example, infected PC users in the USA see this message as if sent by the FBI Cyber Crime Division, and users in the UK see it as if sent by the United Kingdom Police. Users should be aware that any message that blocks the computer screen is a scam, and paying the fine as demanded is equivalent to sending their money to cyber criminals.
Update July 20, 2013: Cyber criminals have released a new variant of this ransomware virus - Ministry of Public Safety Canada "Computer blocked" Virus
The Royal Canadian Mounted Police ransomware infects users' computers using Trojans and drive-by downloads. Note that there is a slight delay between the actual infection and the time at which the fake message is displayed (approximately 5 minutes). This particular ransomware infection is also capable of detecting any existing antivirus program installed on the user's computer. It uses this information to adapt the fake message to appear more authentic. For example, the logo of the detected antivirus software is displayed in the header of the fake message as follows: "Supported and Protected by (logo of detected antivirus software)". Moreover, ransomware infections from the Urausy family also exploit the name of the ICSPA (International Cyber Security Protection Alliance). This organization was created to fight cyber crime; cyber criminals, however, use its name to make their fake messages appear authentic. If you see such a message on your computer screen, your PC is infected with ransomware. Ignore the fake message and use this removal guide to eliminate this scam from your computer.
Ukash (Smart Voucher Limited) is a legitimate company and is not related to ransomware viruses; cyber criminals abuse this payment service to extort money from unsuspecting PC users.
A fake message presented by the Royal Canadian Mounted Police ransomware:
ATTENTION! Your PC is blocked due to at least one of the reasons specified below. You have been violating 'Copyright and Related Rights Law o (Video, Music, Software) and illegally using or distributing copyrighted content, thus infringing Article 128 of the Criminal Code of Canada.
Article 128 of the Criminal Code provides for a fine of 200 to 500 minimal wages or a deprivation of liberty for 2 to 8 years.
You have been viewing or distributing prohibited Pornographic content (Child Porno, Zoophilia and etc). Thus violating Article 202 of the Criminal Code of Canada. Article 202 of the Criminal Code provides for a deprivation of liberty for four to 12 years. Illegal access to computer data has been initiated from your PC, or you have been... Article 208 of the Criminal Code provides for a fine of up to CAD $100,000 and/or a deprivation of liberty for 4 to 9 years.
Illegal access has been initiated from your PC without your knowledge or consent, your PC may be infected by malware. thus you are violating the law On Neglectful Use of Personal Computer. Article 210 of the Criminal Code provides for a fine of CAD 02,000 to CAD $8,000.
Spam distribution or other unlawful advertising has been effected from your PC as a profit-seeking activity or without your knowledge, your PC may be infected by malware. Article 212 of the Criminal Code provides for a fine of up to CAD $250,000 and a deprivation of liberty of up to 6 years. In case this activity has been effected without your knowledge, you fall under the above mentioned article 210 of the Criminal Code of Canada.
Your personality and address are currently being identified, a criminal case is going to be initiated against you under one or more articles specified above within the next 72 hours. Pursuant to the amendment to the Criminal Code of Great Canada of February 04, 2013, this law infringement (if it is not repeated - first time) may be considered as conditional in case you pay the fine to the State.
Fines may only be paid within 72 hours after the infringement. As soon as 72 hours elapse, the possibility to pay the fine expires, and a criminal case is initiated against you automatically within the next 72 hours! The amount of fine is CAD $100. You can pay a fine Ukash or PaySafeCard.
When you pay the fine, your PC will get unlocked in 1 to 72 hours after the money is put into the State's account.
Since your PC is unlocked, you will be given 7 days to correct all violations. In case all violations are not corrected after 7 working days, your PC will be blocked again, and a criminal case will be initiated against you automatically under one or more articles specified above.
Royal Canadian Mounted Police virus removal:
Start your computer in Safe Mode: click Start, click Shut Down, click Restart, then click OK. While your computer is starting, press the F8 key on your keyboard repeatedly until you see the Windows Advanced Options menu, then select Safe Mode with Networking from the list.
Video showing how to start Windows 7 in "Safe Mode with Networking":
Log in to the account infected with the Royal Canadian Mounted Police virus. Start your Internet browser and download a recommended anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.
Royal Canadian Mounted Police virus removal using System Restore:
This removal method can be used if you cannot boot your computer in Safe Mode with Networking (the Royal Canadian Mounted Police ransomware blocks this mode).
Video showing how to remove ransomware virus using "Safe Mode with Command Prompt" and "System Restore":
1. While your computer is starting, press the F8 key on your keyboard repeatedly until the Windows Advanced Options menu appears, then select Safe Mode with Command Prompt from the list and press ENTER.
2. When the Command Prompt loads, type the following line: cd restore and press ENTER.
3. Next, type this line: rstrui.exe and press ENTER.
4. In the opened window click "Next".
5. Select one of the available Restore Points and click "Next" (this will restore your computer system to an earlier time and date, prior to the ransomware infiltrating your PC).
6. In the opened window click "Yes".
7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remnants of the Royal Canadian Mounted Police ransomware.
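As an added example that is not part of the original guide, the following Windows PowerShell script automates the choice of restore point in step 5: it lists the available points with readable timestamps and selects the newest one created before the suspected infection time ($InfectionTime is an assumed parameter; the guide notes that the lock screen appears about 5 minutes after infection). It assumes Windows PowerShell 5.1 run as Administrator, launched by typing powershell at the Safe Mode command prompt.

```powershell
# Added example (not from the original guide): pick the newest System Restore
# point created before the suspected infection time and restore to it.
# Assumes Windows PowerShell 5.1 (Get-ComputerRestorePoint is not available in
# PowerShell 7) run as Administrator from "Safe Mode with Command Prompt".
# $InfectionTime is an assumed value: when the lock screen first appeared,
# minus the ~5 minute delay the guide describes between infection and message.
param(
    [datetime]$InfectionTime = (Get-Date).AddMinutes(-5)
)

# Restore points come back as WMI objects whose CreationTime is a DMTF string
# (e.g. 20130720101500.000000-000); convert it to a DateTime for comparison.
$points = Get-ComputerRestorePoint | ForEach-Object {
    [pscustomobject]@{
        SequenceNumber = $_.SequenceNumber
        Description    = $_.Description
        Created        = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
    }
}

if (-not $points) {
    Write-Warning 'No restore points found; use the Safe Mode with Networking or Rescue Disk method instead.'
    return
}

# Show the full list so the operator can sanity-check it before restoring.
$points | Sort-Object Created | Format-Table -AutoSize

# Choose the newest point that predates the infection: a point created after
# the infection would restore the ransomware together with the system state.
$candidate = $points | Where-Object { $_.Created -lt $InfectionTime } |
             Sort-Object Created -Descending | Select-Object -First 1

if (-not $candidate) {
    Write-Warning "Every restore point is newer than $InfectionTime; do not use them."
    return
}

Write-Host "Restoring to point $($candidate.SequenceNumber) ('$($candidate.Description)') created $($candidate.Created)"
# Restore-Computer reboots the machine. Afterwards run a full anti-malware scan
# (step 7 above), because System Restore does not clean user files.
Restore-Computer -RestorePoint $candidate.SequenceNumber -Confirm
```

The -Confirm switch makes the script prompt before the reboot, so the operator can abort if the selected point looks wrong.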
Other methods used to eliminate RCMP ransomware infection from your PC:
Remove the Royal Canadian Mounted Police ransomware using a Rescue Disk.
Royal Canadian Mounted Police ransomware removal using a new user account (Command Prompt).