United Kingdom Police Ransomware Removal Guide

  • September 26, 2013

The United Kingdom Police Ransomware is a computer infection that targets people who live in the United Kingdom and does not allow you to access your Windows desktop, applications, or files until you pay a ransom. This infection pretends to be a lock placed on your computer by the United Kingdom Police, the Police Central e-crime Unit, and the Metropolitan Police due to child pornography being found on your computer. In order to gain access to your computer again, it states that you must first pay a fine in the amount of £100 using a Ukash or PaySafeCard payment. As this is a computer infection and not a legitimate message, please ignore any warnings or information it may display.

This infection is typically installed onto a computer when the user visits a hacked web site that contains malicious scripts that exploit vulnerabilities on the visiting computer. It is for these reasons that it is imperative that all computer users make sure their installed programs, including Windows, are up-to-date with the latest patches. Later in this guide we will outline a method that can be used to make sure your programs are all updated and safe.

  • United Kingdom Police Ransomware screen shot

Once installed, the United Kingdom Police Ransomware will be configured to start automatically when you login to Windows. Once started, it displays a large alert that pretends to be from a government agency, which states that your computer has been blocked due to it being involved with the distribution of pornographic material, SPAM, or copyrighted content. To make the alert seem more authentic, the malware also has the ability to access your installed webcam so that the alert shows a picture of the person sitting in front of the computer.

The text of this ransom note is:

United Kingdom Police
Police Central e-crime Unit
PCeU & Metropolitan Police

Cheshire Police Authority

ATTENTION!

IP: xxx.xxx.xxx.xxx
Location: <Your Country>
IPS: <Your ISP>

Your PC is blocked due to at least one of the reasons specified below.

You have been violation Copyright and Related Rights Law (Video, Music, Software) and illegally using or distributing copyrighted content, thus infringing Article 128 of the Criminal Code of Great Britain.

Article 128 of the Criminal Code provides for a fine of 200 to 500 minimal wages or a deprivation of liberty for 2 to 8 years.

You have been viewing or distributing prohibited Pornographic content (Child Porno, Zoofilia and etc). Thus violating article 202 of the Criminal Code of Great Britain. Article 202 of the Criminal Code provides for a deprivation of liberty for 4 to 12 years.

Illegal access has been initiated from your PC, or you have been ... .

Article 208 of Criminal Code provides for a fine of up to £100,000 and/or deprivation or liberty for 4 to 9 years.

Illegal access has been initiated from your PC without your knowledge or consent, your PC may be infected by malware, thus you are violating the law of Neglectful Use of Personal Computer. Article 210 of the Criminal Code provides for a fine of £2,000 to £8,000.

Spam distribution or other unlawful advertising has been effected from your PC as a profit-seeking activity or without your knowledge, your PC may be infected with malware.

Article 212 of the Criminal Code provides for a fine of up to £250,000 and a deprivation of liberty of up to six years. In case this activity has been effected without your knowledge, you fall under the above mentioned article 210 of the Criminal Code of Great Britain.

Your personality and address are currently being identified, a criminal case is going to be initiated against you under one or more articles specified above within the next 72 hours.

Pursuant to the amendment to the Criminal Code of Great Britain of May 28, 2012, this law infringement (if it is not repeated - first time) may be considered as conditional in case you pay the fine to the State.

Fines may be paid within 72 hours after the infringement. As soon as 72 hours elapse, the possibility to pay the fine expires, and a criminal case is initiated against you automatically within the next 72 hours.

The amount of fine is £100. You can pay a fine Ukash or PaySafeCard.

When you pay the fine, your PC will be unlocked in 1 to 72 hours after the money is put into the State's account.

As this alert is a scam, please ignore it and continue with the removal guide below.

As you can see, this alert is not a legitimate alert from a UK agency, but rather a scam trying to scare you into paying the ransom. Thankfully, it is not necessary to pay the ransom and instead you should use the removal guide below to remove this malware from your computer.

United Kingdom Police Ransomware Removal Options

Self Help Guide

This guide contains advanced information, but has been written in such a way so that anyone can follow it. Please ensure your data is backed up before proceeding.

If you are uncomfortable making changes to your computer or following these steps, do not worry! Instead you can get free one-on-one help by asking in the forums.
  1. Please print out these instructions as we will need to perform most of these steps on the infected computer. You will also need a USB drive, which will have all of its data erased and will then be formatted. Therefore, only use a USB drive that does not contain any data that you need. This USB drive must also have a size of at least 32 MB.

  2. As the United Kingdom Police Ransomware infection locks you out of your computer, you will need to create a bootable USB drive that contains the HitmanPro.Kickstart program. We will then boot your computer using this bootable USB drive and use it to clean the infection so that you are able to access Windows normally again.

    In order to do this please download HitmanPro from the following link and save it to your Windows desktop.

    https://www.bleepingcomputer.com/download/hitmanpro/

    When you visit the above page, please download the version that corresponds to the bit-type of the Windows version you will be using to create the Kickstart USB drive.

  3. Once HitmanPro has been downloaded, please insert the USB key that you would like to erase and use for the installation of HitmanPro.Kickstart.

  4. Once the USB drive is attached to your computer, double-click on the file named HitmanPro.exe (for 32-bit versions of Windows) or HitmanPro_x64.exe (for 64-bit versions of Windows). When the program starts you will be presented with the start screen as shown below.


    HitmanPro Start Screen


    Now click on the little picture of the person performing a kick as indicated by the red arrow above.

  5. This will open a screen where you will see some information on how to create the Kickstart USB drive.



    HitmanPro.Kickstart creation screen


    You should also see a list of all USB drives that are currently attached to your computer as indicated by the blue arrow in the picture above. Select the USB drive that you would like to use and then click on the Install Kickstart button. Please note that this process will erase all of the data on the selected USB drive, so be sure to first back up any data that may be stored on it.

  6. You will now be presented with an alert stating that the USB flash drive will be erased. If you wish to proceed, click on the Yes button. Otherwise, click on the No button to cancel this process. Once you click on the Yes button, the program will begin to download the necessary files and will then install them on the USB Drive. When it has finished you can then click on the Close button to close the HitmanPro program.

  7. Now remove the Kickstart USB drive and insert it into the infected computer.

  8. Once it is inserted, turn off the infected computer and then turn it on. As soon as you power it on, look for text on the screen that tells you how to access the boot menu. This text will typically name a key to press on your keyboard in order to select the device you wish to use to boot your computer. The keys that are commonly associated with enabling the boot menu are F8, F11 or F12. You can see a screen shot of various screens that show you what key to press below.



    Various boot menu screens
    Screenshot courtesy of SurfRite.


    Once you determine the proper key that you need to press to access the Boot Menu, restart your computer again and start immediately tapping that key. Once the boot menu appears, you can select the device you wish to boot your computer from. Please select the USB drive that you have installed HitmanPro.Kickstart on and that is inserted into the infected computer.

  9. Your computer will now boot from the USB drive and automatically load the HitmanPro.Kickstart program. As it loads you will be presented with a screen asking you to select the USB boot options you wish to use.



    Kickstart USB Boot Options


    At this screen, please press 1 on your keyboard and you will see that Windows begins to start normally.

  10. When Windows starts, you should login as normal and you will once again see the screen locker for the ransomware. After about 15-20 seconds, the HitmanPro window will appear on top of the screen locker as shown in the image below.



    HitmanPro Kickstart overlaid on top of the ransomware screen


    When you see this screen, please click on the Next button to start the cleaning process.

  11. You will now be at the HitmanPro setup screen where you should make sure the option No, I only want to perform a one-time scan to check this computer is selected.



    Kickstart Setup Options


    Once it is selected, please click on the Next button.

  12. HitmanPro will now begin to scan your computer for infections. When it has finished it will display a list of all the malware that the program found as shown in the image below. Please note that the infections found may be different than what is shown in the image.


    MalwareBytes Scan Results


    You should now click on the Next button to have HitmanPro remove the detected infections. When it is done you will be shown a Removal Results screen that shows the status of the various infections that were removed. At this screen you should click on the Next button and then on the next screen click on the Reboot button.

  13. HitmanPro will now reboot your computer and Windows should start normally. Once it has started, you should login as normal and you will find that the ransomware is no longer active and you can now access your Windows desktop.

  14. As many malware and unwanted programs are installed through vulnerabilities found in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:

    How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector

 

Your computer should now be free of the United Kingdom Police Ransomware infection. If your current anti-virus solution let this infection through, you may want to consider purchasing the licensed version of HitmanPro to protect against these types of threats in the future.

View Associated United Kingdom Police Ransomware Files

C:\ProgramData\<random>.plz
C:\ProgramData\<random>.ctrl
C:\ProgramData\<random>.pff

View Associated United Kingdom Police Ransomware Registry Information

HKLM\SYSTEM\CurrentControlSet\services\Winmgmt\Parameters\ServiceDll = "C:\PROGRA~2\6j108owj.plz"
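
The following PowerShell check is an added example, not part of the original guide or of HitmanPro. It verifies after cleanup that the Winmgmt ServiceDll value and the ProgramData file types listed above are back to a clean state. It assumes the stock ServiceDll is %SystemRoot%\system32\wbem\WMIsvc.dll, which is the Windows default and is not stated on this page.

```powershell
# Added example: post-cleanup check for the indicators listed on this page.
# Assumption: the stock ServiceDll for Winmgmt is
# %SystemRoot%\system32\wbem\WMIsvc.dll (Windows default, not stated on the page).

$key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters'
$expected = Join-Path $env:SystemRoot 'system32\wbem\WMIsvc.dll'
$badExt   = '.plz', '.ctrl', '.pff'      # extensions named on this page
$findings = @()

# Get-ItemProperty returns REG_EXPAND_SZ data with %SystemRoot% already expanded.
$param = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if (-not $param -or -not $param.ServiceDll) {
    $findings += "Winmgmt ServiceDll value is missing under $key"
}
elseif ($param.ServiceDll -ne $expected) {          # -ne ignores case for strings
    $findings += "Winmgmt ServiceDll is '$($param.ServiceDll)', expected '$expected'"
}

# Look for leftover files in ProgramData, including hidden and system ones.
$leftovers = @(Get-ChildItem -Path $env:ProgramData -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $badExt -contains $_.Extension })
foreach ($file in $leftovers) {
    $findings += "Suspicious file: $($file.FullName) (modified $($file.LastWriteTime))"
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from this guide were found.'
}
else {
    Write-Output 'Indicators still present:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from a PowerShell prompt once Windows starts normally again; anything reported under "Indicators still present" means the cleanup did not fully remove the infection.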

This is a self-help guide. Use at your own risk.

BleepingComputer.com cannot be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can ask for malware removal assistance in our Virus, Trojan, Spyware, and Malware Removal Logs forum.

If you have any questions about this self-help guide then please post those questions in our Am I infected? What do I do? forum and someone will help you.
