Welcome Guest (Log In | Create Account)
New Member? Join for free.

Australian Communications and Media Authority Ransomware Removal Guide

By on July 16, 2013 @ 09:12 AM | Read 14,013 times.
  • Print this page

The Australian Communications and Media Authority (ACMA) Ransomware is part of the Troj/Urausy Ransomware family of computer infections that target computers in Australia. When installed with this ransomware you will be shown a lock screen that requests a ransom of AUD $100 before you can access your Windows desktop. This lock screen pretends to be from the Australian Communications and Media Authority (ACMA), AFP. Crime Commission (ACC), Royal Australian Corps of Military Police, and Interpol and was placed because your computer has been involved in illegal cyber activity related to pornography and copyrighted content. This activity includes the distribution of pornography, copyrighted files, or computer viruses. It goes on to state that you need to pay a fine in the amount of AUD $100 within 48 hours or you will face legal prosecution. It is important to note that this is a computer virus and that you are not actually being targeted by these agencies. Therefore, please do not pay the ransom.

 

Australian Communications and Media Authority Ransomware Screen shot
Australian Communications and Media Authority Ransomware Screen shot
For more screen shots of this infection click on the image above.
There are a total of 1 images you can view.

 

In order to send the ransom you will be required to purchase a Ukash voucher at various stores or places that advertise ePay and submit the voucher ID in the lock screen. The malware developers state that once they receive the payment, they will automatically unlock your screen so that you can access your Windows desktop again. As this lock screen is not a legitimate message from any government agency, please ignore it and continue reading the removal guide to remove this threat for free.

When you are locked out of Windows you will be shown a screen that contains the following text:

Australian Communications and Media Authority (ACMA)
AFP. Crime Commission (ACC)
Royal Australian Corps of Military Police

Interpol

Attention!
Your computer has been blocked for safety reasons listed below.

You are accused of viewing/storage and/or dissemination of banned pornography (child pornography/zoophilia/rape etc). You have violated World Declaration on non-proliferation of child pornography. You are accused of committing the crime envisaged by Article 161 of Commonwealth of Australia criminal law.

Article 161 of Commonwealth of Australia criminal law provides for the punishment of deprivation of liberty for terms from 5 to 11 years.

Also, you are suspected of violation of "Copyright and Related rights Law" (downloading of pirated music, video, warez) and of use use and/or dissemination of copyrighted content. Thus, you are suspected of violation of Article 148 of Commonwealth of Australia Criminal Law.

Article 148 of Commonwealth of Australia criminal law provides for the punishment of deprivation of liberty for terms from 3 to 7 years or 150 to 550 basic amounts fine.

It was from your computer, that unauthorized access had been stolen to information of State importance and to data closed for public Internet access.

.
<more fake legal threats>
.

The penalty set must be paid in course of 48 hours as of the breach. On expiration of the term, 48 hours that follow will be used for automatic collection of data on yourself and your misconduct, and criminal case will be opened against you.

Amount of fine is AUD $100. You can pay a fine Ukash vouchers.

As soon as the money arrives to the Treasury account, your computer will be unblocked in course of 24 hours.

Then in 7 day term you should remedy the breaches associated with your computer. Otherwise your computer will be blocked up again and criminal case will be opened against yourself (with no option to pay fine).

Without a doubt, this is a computer virus and a scam and not a legitimate message from any Australian government agency. Therefore, ignore anything it displays and instead use the removal guide below to remove this ransomware from your computer.

 

Threat Classification:

 

Advanced information:

View Australian Communications and Media Authority (ACMA) Ransomware files.
View Australian Communications and Media Authority (ACMA) Ransomware Registry Information.

 

Entries for this program found in the Uninstall Programs control panel:

24x7 Help

 

Tools Needed for this fix:

 

Guide Updates:

07/16/13 - Initial guide creation

 


Automated Removal Instructions for Australian Communications and Media Authority (ACMA) Ransomware using HitmanPro.Kickstart:

 

  1. Please print out these instructions as we will need to perform most of these steps on the infected computer. You will also need a USB drive, which will have all of its data erased and will then be formatted. Therefore, only use a USB drive that does not contain any data that you need. This USB drive must also have a size of at least 32 MB.

  2. As the Australian Communications and Media Authority (ACMA) Ransomware infection locks you out of your computer, you will need to create a bootable USB drive that contains the HitmanPro.Kickstart program. We will then boot your computer using this bootable USB drive and use it to clean the infection so that you are able to access Windows normally again.

    In order to do this please download HitmanPro from the following link and save it to your Windows desktop.

    http://www.bleepingcomputer.com/download/hitmanpro/

    When you visit the above page, please download the version that corresponds to the bit-type of the Windows version you will be using to create the Kickstart USB drive.

  3. Once HitmanPro has been downloaded, please insert the USB key that you would like to erase and use for the installation of HitmanPro.Kickstart.

  4. Once the USB drive is attached to your computer, double-click on the file named HitmanPro.exe (for 32-bit versions of Windows) or HitmanPro_x64.exe (for 64-bit versions of Windows). When the program starts you will be presented with the start screen as shown below.


    HitmanPro Start Screen


    Now click on the little picture of the person performing a kick as indicated by the red arrow above.

  5. This will open a screen where you will see some information on how to create the Kickstart USB drive.



    HitmanPro.Kickstart creation screen


    You should also a see a list of all USB drives that are currently attached to your computer as indicated by the blue arrow in the picture above. Select the USB drive that you would like to use and then click on the Install Kickstart button. Please note that this process will erase all of the data on the selected USB drive, so be sure to first backup any data that may be stored on it.

  6. You will now be presented with an alert stating that the USB flash drive will be erased. If you wish to proceed, click on the Yes button. Otherwise, click on the No button to cancel this process. Once you click on the Yes button, the program will begin to download the necessary files and will then install them on the USB Drive. When it has finished you can then click on the Close button to close the HitmanPro program.

  7. Now remove the Kickstart USB drive and insert it into the infected computer.

  8. Once it is inserted, turn off the infected computer and then turn it on. As soon as you power it on, look for text on the screen that tells you how to access the boot menu. This text will typically contain a key that they want you to press on your keyboard in order select the device you wish to use to boot your computer. The keys that are commonly associated with enabling the boot menu are F8, F11 or F12. You can see a screen shot of various screens that show you what key to press below.



    Various boot menu screens
    Screenshot courtesy of SurfRite.


    Once you determine the proper key that you need to press to access the Boot Menu, restart your computer again and start immediately tapping that key. Once the boot menu appears, you can select the device you wish to boot your computer from. Please select the USB drive that you have installed HitmanPro.Kickstart on and that is inserted into the infected computer.

  9. Your computer will now boot from the USB drive and automatically load the HitmanPro.Kickstart program. As it loads you will be presented with a screen asking you to select the USB boot options you wish to use.



    Kickstart USB Boot Options


    At this screen, please press 1 on your keyboard and you will see that Windows begins to start normally.

  10. When Windows starts, you should login as normal and you will once again see the screen locker for the ransomware. After about 15-20 seconds, the HitmanPro window will appear on top of the screen locker as shown in the image below.



    HitmanPro Kickstart overlayed on top of the ransomware screen


    When you see this screen, please click on the Next button to start the cleaning process.

  11. You will now be at the HitmanPro setup screen where you should make sure the option No, I only want to perform a one-time scan to check this computer..



    Kickstart Setup Options


    Once it is selected, please click on the Next button.

  12. HitmanPro will now begin to scan your computer for infections. When it has finished it will display a list of all the malware that the program found as shown in the image below. Please note that the infections found may be different than what is shown in the image.


    MalwareBytes Scan Results


    You should now click on the Next button to have HitmanPro remove the detected infections. When it is done you will be shown a Removal Results screen that shows the status of the various infections that were removed. At this screen you should click on the Next button and then on the next screen click on the Reboot button.

  13. HitmanPro will now reboot your computer and Windows should start normally. Once it has started, you should login as normal and you will find that the ransomware is no longer active and you can now access your Windows desktop.

  14. As many malware and unwanted programs are installed through vulnerabilities found in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:

    How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector

 

Your computer should now be free of the Australian Communications and Media Authority Ransomware infection. If your current anti-virus solution let this infection through, you may want to consider purchasing the licensed version of HitmanPro to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

 


 

Associated Australian Communications and Media Authority (ACMA) Ransomware Files:

%AppData%\cache.dat

File Location Notes:

%AppData% refers to the current users Application Data folder. By default, this is C:\Documents and Settings\<Current User>\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\<Current User>\AppData\Roaming.

 

Associated Australian Communications and Media Authority (ACMA) Ransomware Windows Registry Information:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "shell" = "explorer.exe,%AppData%\cache.dat"

 


 

This is a self-help guide. Use at your own risk.

BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can ask for malware removal assistance in our Virus, Trojan, Spyware, and Malware Removal Logs forum.

If you have any questions about this self-help guide then please post those questions in our Am I infected? What do I do? and someone will help you.


Advertise   |   About Us   |   User Agreement   |   Privacy Policy   |   Contact Us   |   Sitemap   |   Chat   |   Tutorials   |   Uninstall List
Tech Support Forums   |   The Computer Glossary   |   RSS Feeds   |   Startups   |   The File Database   |   Virus Removal Guides   |   Downloads


© 2003-2014 All Rights Reserved Bleeping Computer LLC.