Homeland Security Ransomware
Written by Tomas Meskauskas on
Homeland Security Virus "This computer has been blocked" removal instructions
What is Homeland Security?
Homeland Security (National Cyber Security Department) message, "THIS COMPUTER HAS BEEN BLOCKED", demands payment of a $300 fine for alleged law violations. This is a scam, a ransomware infection, which should not be trusted. PC users should be aware that The Department of Homeland Security is not related to this message; the name of this authority is exploited by cyber criminals simply to make their deceptive message appear authentic, and thus, to trick more unsuspecting PC users into paying the bogus fine. The accusations of watching pornography involving children, using or sharing copyrighted files, and using unlicensed software, are false and used to scare computer users into paying this fake fine. If you pay the fine using MoneyPak, your money will be sent to cyber criminals with no guarantee that your computer will be unblocked.
This particular ransomware infection targets PC users from the United States of America and exploits the name of the U.S. Department of Homeland Security. Other known ransomware infections targeting computer users from USA, use the names of the FBI, The ICE Cyber Crimes Center, and many others. Computer users should be aware that no legitimate authorities, internationally (including The Department of Homeland Security), use screen-blocking messages to collect fines for any law violations. Such messages are used by cyber criminals to steal money from unsuspecting PC users. If you observe this type of message on your computer screen, your PC is infected with a ransomware infection.
The U.S. Department of Homeland Security MoneyPak scam is distributed using various Trojans and drive-by downloads. Cyber criminals are then able to exploit any security vulnerabilities present on computer systems and infiltrate them with rogue viruses. Furthermore, ransomware infections are localized, so that computer users from different countries observe variants of the deceptive messages using the names and graphics of local authorities. The best way to prevent ransomware infections is by using legitimate antivirus and anti-spyware software and keeping your operating system and installed software up-to-date. If your computer is already infected with The Department of Homeland Security scam, use the removal instructions provided to eliminate this ransomware from your PC.
A fake message presented by the U.S. Department of Homeland Security virus:
US Department of homeland Security.
National Cyber Security Division.
THIS COMPUTER HAS BEEN BLOCKED.
The work of your computer has been suspended on the grounds of the violation of the law of the United States of America.
Article 164. Pornography involving children. Article 171. Copyright. Article 113. The use of unlicensed software.
To unlock the computer you are obliged to pay a fine of $300. You must pay the fine through MoneyPak. You have 48 hours to pay the fine. If the fine has not been paid, you will become the subject of criminal prosecution with ought the right to pay the fine. The Department for the Fight Against Cyber activity will confiscate your computer and that You to Court.
Update 22 March, 2016 - Cyber criminals have updated this ransomware with different graphics and ransom demanding message. Now they are asking to pay $500 using Bitcoins or OneVanilla Card in order to unlock user’s computer. At the time of research this ransomware was being spread using Rig Exploit Kit. After successfully infiltrating victims computer Homeland Security ransomware completely blocks access to user’s desktop. It adds an autostart key in the registry making sure it’s victims will see the ransom demanding message every time they boot their computers. In this new variant Cyber criminals started using Tor hidden services allowing them to hide their malicious network activity.
Screenshot of an updated ransom demanding message blocking user's desktop:
Text (fake accusations of viewing child pornography, using unlicensed software and sharing copyrighted files) presented in the updated Homeland Security ransomware:
Homeland Security National Cyber Security Department
THIS COMPUTER HAS BEEN BLOCKED
Your Internet Service Provider in cooperation with Internet Watch Foundation (IWF) monitors and takes action against illegal and offensive content on the Internet. It acts against private usage of websites, newsgroups and online groups that:
Article 184. Pornography involving children. Imprisonment for the term of up to 10-15 years (The use or distribution if pornographic material). Article 113. The use of licensed software. Imprisonment for the term of up to 2 years (The use of unlicensed software). Article 171. Copyright. Imprisonment for the term of up to 2-5 years (The use or sharing of copyrighted files).
The first violation may not entail the criminal liability if the payment of the fine would be executed in connection with the law of loyalty to the people, on [date]. If repeated violations occur, the prosecution is inevitable. To unlock the computer you are obliged to pay a fine of $500 using payment system we provided for you (OneVanilla Card, Bitcoin). After you send payment click Unlock.
Quick menu: Quick solution to remove Homeland Security virus
- What is Homeland Security?
- STEP 1. "Homeland Security" virus removal using safe mode with networking.
- STEP 2. "Homeland Security" ransomware removal using System Restore.
Homeland Security virus removal:
Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer starting process press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, then select Safe Mode with Networking from the list.
Video showing how to start Windows 7 in "Safe Mode with Networking":
Windows 8 users: Go to the Windows 8 Start Screen, type Advanced, in the search results select Settings. Click on Advanced Startup options, in the opened "General PC Settings" window select Advanced Startup. Click on the "Restart now" button. Your computer will now restart into "Advanced Startup options menu". Click on the "Troubleshoot" button, then click on "Advanced options" button. In the advanced option screen click on "Startup settings". Click on the "Restart" button. Your PC will restart into the Startup Settings screen. Press "5" to boot in Safe Mode with Networking.
Video showing how to start Windows 8 in "Safe Mode with Networking":
Log in to the account infected with this ransomware virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.
If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.
Video showing how to remove ransomware virus using "Safe Mode with Command Prompt" and "System Restore":
1. During your computer starting process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.
2. When Command Prompt Mode loads, enter the following line: cd restore and press ENTER.
3. Next, type this line: rstrui.exe and press ENTER.
4. In the opened window click "Next".
5. Select one of the available Restore Points and click "Next" (this will restore your computer system to an earlier time and date, prior to the ransomware infiltrating your PC).
6. In the opened window click "Yes".
7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remnants of the U.S. Department of Homeland Security scam.
If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode making its removal complicated. For this step, you require access to another computer. After removing the Homeland Security virus from your PC, restart your computer and scan it with legitimate antispyware software to remove any possible remnants of this security infection.
Other tools known to remove the Homeland Security virus: