The FBI MoneyPak Ransomware is a computer infection that locks you out of your computer and your applications until you pay a ransom of $100 in the form of a MoneyPak. This infection is typically installed when the user visits a hacked web site that contains malicious scripts; these scripts exploit vulnerabilities in software on the computer to install the FBI Ransomware without the user's knowledge or permission. For this reason it is imperative that all computer users make sure their installed programs, including Windows, are up-to-date with the latest patches. Later in this guide we will outline a method that can be used to make sure your programs are all updated and safe.
FBI MoneyPak Ransomware alert
Once installed, the FBI Ransomware is configured to start automatically when you log in to Windows. Once started, it displays a large alert that pretends to be from the FBI and states that your computer has been blocked because it was involved in the distribution of pornographic material, SPAM, or copyrighted content. In order to access your Windows desktop and your applications, the alert says, you must first pay a fine of $100 in the form of a MoneyPak, after which your computer will supposedly be unlocked within 1 to 48 hours of the malware developers receiving the ransom. To make the alert seem more authentic, the malware also has the ability to access your installed webcam so that the alert shows what is happening in the room.
The text of this ransom note is:
The FBI
Federal Bureau of Investigation
ATTENTION!
IP: xxx.xxx.xxx
Location: Your Country Here
IPS: Your ISP Here
Your PC is blocked due to at least one of the reasons specified below.
You have been violation Copyright and Related Rights Law (Video, Music, Software) and illegally using or distributing copyrighted content, thus infringing Article I, Section 8, Clause 8, also known as the Copyright of the Criminal Code of United States of America.
Article I, Section 8, Clause 8 of the Criminal Code provides for a fine of two to five hundred minimal wages or a deprivation of liberty for two to eight years.
You have been viewing or distributing prohibited Pornographic content (Child Porno, Zoofilia and etc). Thus violating article 202 of the Criminal Code of United States of America. Article 202 of the Criminal Code provides for a deprivation of liberty for four to twelve years.
Illegal access has been initiated from your PC without your knowledge or consent, your PC may be infected by malware, thus you are violating the law of Neglectful Use of Personal Computer. Article 210 of the Criminal Code provides for a fine of up to $100,000 and/or a deprivation of liberty for four to nine years.
Pursuant to the amendment to the Criminal Code of United States of America of May 28, 2011, this law infringement (if it is not repeated - first time) may be considered as conditional in case you pay the fine to the State.
Fines may be paid within 72 hours after the infringement. As soon as 72 hours elapse, the possibility to pay the fine expires, and a criminal case is initiated against you automatically within the next 72 hours!
To unblock the computer, you must pay the fine through MoneyPak of 100$.
Once again, this alert is a scam and should be ignored.
As you can imagine, this alert and anything it states is just a scam to try and scare you into paying the ransom so that you can regain the proper functionality of your computer. Thankfully, it is not necessary to pay the ransom as we have described a method below that can be used to remove this malware from your computer.
Tools Needed for this fix: Emsisoft Emergency Kit, Secunia PSI
Symptoms that may be in a HijackThis Log:
O4 - Global Startup: ctfmon.lnk = C:\Windows\System32\rundll32.exe %Temp%\<random>.exe,F10
Guide Updates:
07/05/12 - Initial guide creation
Automated Removal Instructions for FBI MoneyPak Ransomware using the Emsisoft Emergency Kit:
- Print out these instructions as we will need to reboot your computer into Safe mode with Networking and you may not have access to your web browser for part of this process.
- As this infection makes it so you are unable to launch any application or access your Windows desktop, we first need to reboot your computer into Safe Mode with Networking. To do this, turn your computer off and then back on, and as soon as you see anything on the screen, immediately start tapping the F8 key on your keyboard. Eventually you will be brought to a menu similar to the one below:
Using the arrow keys on your keyboard, select Safe Mode with Networking and press Enter on your keyboard. If you are having trouble entering safe mode, then please use the following tutorial: How to start Windows in Safe Mode
Windows will now boot into safe mode with networking and prompt you to login as a user.
- Please login as the user that is infected with FBI MoneyPak Ransomware.
- When your Windows desktop appears, start Internet Explorer or other web browser, and download and save the Emsisoft Emergency Kit to your desktop from the link below:
http://download1.emsisoft.com/EmsisoftEmergencyKit.zip
Please note that this is a large download, so please be patient while it downloads.
- Once the file has been downloaded, right click on the EmsisoftEmergencyKit.zip and select the Extract menu option. This will start the Windows compressed file extraction wizard. Follow the steps to extract the file and the Emergency Kit will be extracted to a folder called EmsisoftEmergencyKit on your desktop. Please double-click on the EmsisoftEmergencyKit folder to open it.
- When the folder is open, double-click on the Start.exe button to launch the Emsisoft Emergency Kit. You will now be presented with a screen similar to the following:
Please click on the Emergency Kit Scanner option. When you click on this option, if you see a Windows message asking if you would like EmergencyScanner.bat to run, please allow it to do so by clicking on the Run or Yes buttons.
- You will now be shown an update screen prompting you to check for an update.
Please click on the Yes button to check for any available updates. The Emergency Kit will now download and apply any available updates. When it is done, click on the Back to Security Status link.
- You will now be at the main screen for the Emsisoft Emergency Kit as shown below.
Now click on the Scan PC option in the left hand navigation menu.
- You will now be at the Scan PC screen as shown below.
Select the Deep Scan option if it is not selected and then click on the Scan button to start scanning your computer.
- When the Emsisoft Emergency Kit is finished scanning your computer, you may be presented with an alert box stating that you have a high-risk infection. If you see this alert, please click on the Close button and you should now be at the scan results screen as shown in the image below.
Click on the Quarantine Selected Objects button, which will remove the infections and place them in the program's quarantine. You can now close the Emsisoft Emergency Kit program.
- Please reboot your computer into the normal Windows mode and when you are back at your normal Windows desktop please continue with the next step.
- As this infection is known to exploit vulnerabilities in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here: How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector
Your computer should now be free of the Win32/Reveton infection. If your current anti-virus solution let this infection through, you may want to consider purchasing the full version of Emsisoft Anti-malware to protect your computer against these types of threats in the future.
If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:
Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help
Associated FBI MoneyPak Ransomware Files:
%Temp%\<random>.exe
%StartupFolder%\ctfmon.lnk
File Location Notes:
%Temp% refers to the Windows Temp folder. By default, this is C:\Windows\Temp for Windows 95/98/ME, C:\DOCUMENTS AND SETTINGS\<Current User>\LOCAL SETTINGS\Temp for Windows 2000/XP, and C:\Users\<Current User>\AppData\Local\Temp in Windows Vista, Windows 7, and Windows 8.
%StartupFolder% refers to the Startup folder in the Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\programs\Startup, for Windows XP, NT, 2000 and 2003 it refers to C:\Documents and Settings\<Current User>\Start Menu\Programs\Startup, and for Windows Vista, Windows 7, and Windows 8 it is C:\Users\<Current User>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.
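As an added example that is not part of the original guide, the following Python script turns the HijackThis O4 symptom shown above and the Temp/Startup locations listed in the file notes into a simple detection rule run over constructed O4 log lines: it flags Startup-folder shortcuts that launch rundll32.exe with an .exe from a Temp folder, and a ctfmon.lnk that does not actually run ctfmon.exe. The sample log lines, the user name alice and the filename kqzx.exe are constructed for the example.

```python
import re

# Constructed sample HijackThis O4 lines (not from a real scan). The first mirrors
# the symptom line quoted in this guide; the others are benign decoys.
SAMPLE_O4_LINES = [
    r"O4 - Global Startup: ctfmon.lnk = C:\Windows\System32\rundll32.exe %Temp%\kqzx.exe,F10",
    r"O4 - Startup: update.lnk = C:\Windows\System32\rundll32.exe C:\Users\alice\AppData\Local\Temp\abc.exe,F10",
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\Windows\System32\ctfmon.exe",
    r"O4 - Global Startup: Dropbox.lnk = C:\Program Files\Dropbox\Dropbox.exe",
]

# Startup-folder form: "O4 - [Global ]Startup: <name>.lnk = <command>"
O4_STARTUP = re.compile(r"^O4 - (Global )?Startup: (?P<lnk>[^=]+?) = (?P<cmd>.+)$", re.I)
# rundll32 form: "<path>\rundll32.exe <module>,<entry point>"
RUNDLL32 = re.compile(r"rundll32\.exe\s+(?P<mod>.+?),(?P<entry>[^,]+)$", re.I)
# Temp folders as listed in the guide's file location notes (unexpanded and expanded)
TEMP_PATTERNS = [re.compile(p, re.I) for p in (
    r"%temp%\\", r"\\appdata\\local\\temp\\", r"\\local settings\\temp\\", r"^c:\\windows\\temp\\")]

def classify_o4_line(line):
    """Return the reasons this O4 entry matches the Reveton startup pattern ([] if clean)."""
    m = O4_STARTUP.match(line.strip())
    if not m:
        return []
    lnk, cmd = m.group("lnk").strip(), m.group("cmd").strip()
    reasons = []
    r = RUNDLL32.search(cmd)
    if r:
        module = r.group("mod").strip()
        if any(p.search(module) for p in TEMP_PATTERNS):
            reasons.append("rundll32 loads its module from a Temp folder")
        if module.lower().endswith(".exe"):
            reasons.append("rundll32 module is an .exe rather than a .dll")
    # ctfmon.exe is a Windows component; a ctfmon.lnk that runs anything else is masquerading
    if lnk.lower() == "ctfmon.lnk" and "ctfmon.exe" not in cmd.lower():
        reasons.append("ctfmon.lnk does not launch ctfmon.exe")
    return reasons

def scan_o4_lines(lines):
    """Map each suspicious O4 line to its reasons; clean lines are omitted."""
    return {ln: why for ln in lines if (why := classify_o4_line(ln))}

if __name__ == "__main__":
    for ln, why in scan_o4_lines(SAMPLE_O4_LINES).items():
        print(ln, "->", "; ".join(why))
```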
This is a self-help guide. Use at your own risk.
BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can ask for malware removal assistance in our Virus, Trojan, Spyware, and Malware Removal Logs forum.
If you have any questions about this self-help guide then please post those questions in our Am I infected? What do I do? and someone will help you.