Royal Canadian Mounted Police Virus
Written by Tomas Meskauskas
Damage level: Severe
Royal Canadian Mounted Police (RCMP) virus removal guide
The Royal Canadian Mounted Police (RCMP) message stating that computer users have to pay a fine of $100 CAD is a scam. It is a ransomware infection that uses false statements (it accuses PC users of downloading copyrighted music and video files) to scare computer users into paying a fake fine. In reality, this message was created by cyber criminals, and the sole reason some PC users see it on their screens is a Trojan infection, which is used to infiltrate the user's computer with such ransomware scams. The Royal Canadian Mounted Police did not send this message; in fact, no authorities anywhere in the world use such methods (locking a computer user's screen) to collect fines for law violations.
This particular ransomware infection originates from a family called Urausy and targets PC users from Canada. The cyber criminals who created this family have localized the fake messages that lock computer users' screens. For example, if PC users from the USA got their computers infected with this scam, the message would be presented as if it was sent by the FBI Cyber Crime Division; for computer users from the UK, the message would appear as if it was sent by the United Kingdom Police. PC users should know that such screen-blocking messages are a total scam - paying the fine demanded by such a message is equal to sending your money to cyber criminals.
Update July 20, 2013: Cyber criminals have released a new variant of this ransomware virus - Ministry of Public Safety Canada "Computer blocked" Virus
Royal Canadian Mounted Police ransomware infects users' computers using Trojans and drive-by downloads. Notice that there is a slight delay (about 5 minutes) between the actual infection and the time when the fake message is displayed. This particular ransomware infection is also capable of detecting which antivirus program is installed on the user's computer, and it uses this information to make the fake message appear more legitimate: the logo of the detected antivirus software is displayed in the header of the fake message - "Supported and Protected by (logo of detected antivirus)". Moreover, ransomware infections from the Urausy family also exploit the name of ICSPA (International Cyber Security Protection Alliance). This organization was actually created to fight cyber crime, and cyber criminals are simply using its name to make their fake messages appear more realistic. If you see such a message on your computer's screen, you can be sure that your PC is infected with ransomware - ignore the fake message and use this removal guide to eliminate this scam from your computer.
Ukash (Smart Voucher Limited) is a legitimate company and is not related to ransomware viruses - cyber criminals are using this service to extort money from unsuspecting PC users.
Fake message presented in Royal Canadian Mounted Police ransomware:
ATTENTION! Your PC is blocked due to at least one of the reasons specified below. You have been violating 'Copyright and Related Rights Law o (Video, Music, Software) and illegally using or distributing copyrighted content, thus infringing Article 128 of the Criminal Code of Canada.
Article 128 of the Criminal Code provides for a fine of 200 to 500 minimal wages or a deprivation of liberty for 2 to 8 years.
You have been viewing or distributing prohibited Pornographic content (Child Porno, Zoophilia and etc). Thus violating Article 202 of the Criminal Code of Canada. Article 202 of the Criminal Code provides for a deprivation of liberty for four to 12 years. Illegal access to computer data has been initiated from your PC, or you have been... Article 208 of the Criminal Code provides for a fine of up to CAD $100,000 and/or a deprivation of liberty for 4 to 9 years.
Illegal access has been initiated from your PC without your knowledge or consent, your PC may be infected by malware. thus you are violating the law On Neglectful Use of Personal Computer. Article 210 of the Criminal Code provides for a fine of CAD 02,000 to CAD $8,000.
Spam distribution or other unlawful advertising has been effected from your PC as a profit-seeking activity or without your knowledge, your PC may be infected by malware. Article 212 of the Criminal Code provides for a fine of up to CAD $250,000 and a deprivation of liberty of up to 6 years. In case this activity has been effected without your knowledge, you fall under the above mentioned article 210 of the Criminal Code of Canada.
Your personality and address are currently being identified, a criminal case is going to be initiated against you under one or more articles specified above within the next 72 hours. Pursuant to the amendment to the Criminal Code of Great Canada of February 04, 2013, this law infringement (if it is not repeated - first time) may be considered as conditional in case you pay the fine to the State.
Fines may only be paid within 72 hours after the infringement. As soon as 72 hours elapse, the possibility to pay the fine expires, and a criminal case is initiated against you automatically within the next 72 hours! The amount of fine is CAD $100. You can pay a fine Ukash or PaySafeCard.
When you pay the fine, your PC will get unlocked in 1 to 72 hours after the money is put into the State's account.
Since your PC is unlocked, you will be given 7 days to correct all violations. In case all violations are not corrected after 7 working days, your PC will be blocked again, and a criminal case will be initiated against you automatically under one or more articles specified above.
Royal Canadian Mounted Police virus removal:
While your computer is starting, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu shows up, then select Safe Mode with Networking from the list and press ENTER.
Log in to the account that is infected with the Royal Canadian Mounted Police virus. Start your Internet browser and download a recommended anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all the entries that it detects.
Royal Canadian Mounted Police virus removal using System Restore:
This removal method can be used if you can't boot your computer in safe mode with networking (Royal Canadian Mounted Police ransomware blocks this mode).
1. Start your computer in Safe Mode with Command Prompt - while your computer is starting, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu shows up, then select Safe Mode with Command Prompt from the list and press ENTER.
2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER.
3. Next, type this line: rstrui.exe and press ENTER.
4. In the opened window, click "Next".
5. Select one of the available restore points and click "Next" (this will restore your computer's system to an earlier time and date, before the ransomware infiltrated your PC).
6. In the opened window, click "Yes".
7. After restoring your computer to a previous date, download a recommended malware removal program and scan your PC with it to eliminate any remnants of Royal Canadian Mounted Police ransomware.
Other methods which can be used to eliminate RCMP ransomware infection from your PC:
Remove Canadian Mounted Police ransomware using a Rescue Disk.
Royal Canadian Mounted Police ransomware removal using a new user account (command prompt).