Metropolitan Police malware warning issued - beware the ransomware attack!

Filed Under: Law & order, Malware, Ransomware

ComputerWorld today reports that the UK's Metropolitan Police has warned Windows users of a malware attack that poses as a message from the computer crime-fighting cops themselves.

The ransomware attack attempts to lock the computer and, posing as an unofficial notice from a law enforcement agency, claims that the victim's PC has been determined to have visited illegal websites.

Only payment for a fine, claims the message, will restore the computer's functionality.

Various versions of the alert messages have been seen - here's one example:

[Image: ransomware message]

Part of the poorly-worded alert reads as follows:

Attention!!!

The process of illegal activity is deleted. According to UK law and Metropolitan Police Service and Strathclyde Police investigation your computer is locked!

The following violation is detected: You IP-address "[redacted]". Forbidden websites containing pornography, child pornography, Sodomy and called violence against children on, violent material toward people were visited from this IP-address!

Moreover and e-mail spam was sent you're your computer, emails containing terroristic materials. This locking serves to stop your illegal activity.

To release a lock your computer you should pay the fine in amount of £100. In the case of ignoring the payment, the program will remove illegal materials while keeping your personal information is not guaranteed.

Of course, it's very likely that you haven't been visiting extremist websites or viewing child abuse material. That may just be the hook used by the fraudsters to trick you into taking the warning seriously.

Ransomware is nothing new. We've seen plenty of examples in the past where cybercriminals have duped users into coughing up cash in order to get their computer working properly again.

But the threat of legal action, and what - on first glance - might appear to some computer users to be a sign that they are in trouble with the police, could be enough to scare some into electronically transferring funds post haste.

The police recommend that anyone who is duped by the scam should contact their credit card company immediately, and underline that they would never use such tactics to make contact with the public or demand funds.

It's likely that the messages are appearing on computer users' screens because they have become infected whilst visiting compromised websites, or have been duped into installing malicious software onto their computer.

Sophos has linked Mal/Bredo-Q to some of the reports we have seen of this particular ransomware attack, but of course it's perfectly possible that malicious hackers could use other malware to display the same or similar messages posing as police warnings.

As always, keep your security patches and anti-virus solutions updated, and your wits about you.


25 Responses to Metropolitan Police malware warning issued - beware the ransomware attack!

  1. Marco · 952 days ago

    Gosh they will try anything to get money !!

  2. Chris · 952 days ago

    Link to larger image is not working!

  3. Gobjob · 952 days ago

    LOL at the alert message - the english as she is spoke !!

  4. Dan · 952 days ago

    Anyone who can fall for a scam like that is pretty gullible. This is especially the case when it goes beyond obviously false claims and manages to be poorly worded as well.

    • Unfortunately the majority of people who have malware running on their systems are very gullible, which is why ransomware and malware such as Koobface and fake keygens are so widespread.

  5. This malware has been running in Germany very successfully for the last 2 - 3 years, I've had users actually pay 3 times to try and get rid of the virus, not realising it was a virus. The German version is word-perfect, if you had never seen this virus before you would be convinced big-brother was watching you and unless you entered the coupon code you would be hauled into prison by guys coming down ropes from a helicopter. I say running successfully because of the amount it requests, 100 Euro every time. Someone is retiring on this very successfully!

  6. Greg W · 952 days ago

    If you are blessed with a modicum of common sense this is a very obvious phishing attempt to try to scare you into ponying up

  7. Timothy · 943 days ago

    Some useful info about how to clean the PC after this infection would be useful!

    I just tried to clean it off one our users' laptops by removing the HDD and connecting via a USB<->Sata box to a PC with Sophos, and from there doing a Sophos scan. Sophos did pick up a few things, but the main "Metropolitan Police" virus is still there.

    So it's Virus 1, Sophos 0 so far... :(

    I'm going to try Kaspersky now....

  8. Timothy · 942 days ago

    Some useful info about how to clean the PC after this infection would be useful!

  9. Ian · 917 days ago

    here's how I got rid of it / managed to take control of my pc

    1 - Turn off your system & Turn off your router - do not go online.
    2 - turn on your pc but not the router
    3 - after booting you may see messages saying a file cannot be opened / or tabs at the bottom of screen saying web page can not be opened. Close/clear these off the screen
    4 turn your router back on and you should be able to get into google / ie explorer after it connects - from there you should be able to get advice or download some form of malware removal software

    Hope this helps - think about it - if you're offline, even though iexplorer has been hijacked it cannot display an online page.

    This worked for me

  10. Simon · 912 days ago

    Just had this done to me...and I'm fairly bad with computers and fixing them, but this seems to have worked as the guy says above...it flashed up and looked dodgy so immediately turned my computer off by the mains...after a few minutes turned it on again but it popped back up and denied me internet access...turned off by the mains again, then on after a few minutes...ran a system restore to a previous date, then a system diagnostic to look for harmful files..which turned up nothing.
    Checked my Security settings before trying the web again, and my malware settings had been turned off! Surprise surprise! Seems to be working now, don't panic, hopefully my computer is fine now :-) Hope this helps, the bloody scum....

  11. mark · 902 days ago

    What are we paying Sophos for? This article is nearly 2 months old and Sophos still does not offer any protection against the attack detailed above.
    Just asking company IT department same question.
    Just been caught 3rd April 2012. Last Sophos update 2nd April 2012.

    • There have been many different variants of this attack.

      If you encounter one that Sophos is not correctly identifying then please submit it to SophosLabs for analysis:
      http://www.sophos.com/support/samples/

      or contact our tech support team.

      Thanks!

      • Louis Wong · 811 days ago

        There is a new variant running around. This one even uses your webcam to show you on screen. Does Sophos have a fix?

  12. ringo · 729 days ago

    Started my pc up in safe mode, scanned with norton which found six trojan.maljava, removed these and switched pc on again but screen popped up again, went in to safe mode and done system restore which worked, scanned again and found nothing, seems to be working, anyone know if the virus is still there or will that be it, would like to know cos i'm no expert and use my pc for online banking, shopping etc

  13. shez · 702 days ago

    i m infected with the same virus (metropolitan-police-malware-warning)
    i have also deleted its exe file and run the AVG full scan it seems to me my computer is fix now but i am not sure that still i can use my computer for online banking and .....

    Please help me if any one know about it. will be a great help.

  14. budninja · 699 days ago

    quickest simplest way is to roll back your pc a few days before it got the virus

  15. c pritchard · 695 days ago

    i got the same from west yorkshire police i started computer in safe mode then system restore and restored to a couple of days before the attack and turned on my malware and firewall that had been turned off and all seems good again

  16. Johno · 599 days ago

    Easy way to get rid of it, Start up in safe mode , then run CC cleaner , go to tools startup items and delete it , restart computer, job done

  17. Ruth Jackson · 503 days ago

    My son has just had this now he's only 14 and it has come up on his screen with a picture of him that's been taken from his webcam he was in his dressing gown it says its from Cheshire police and he's been illegally downloading or been on child porn I'm most concerned that they have actually got into the laptop webcam and took a picture of him I don't know what to do or how to get this off

    • Paul Ducklin · 503 days ago

      Have a look here:
      http://nakedsecurity.sophos.com/reveton

      That's a video showing this sort of malware, and how to remove it. In the video you will see a webcam video of me :-)

      If it's any comfort, the crooks *probably* (I can't say better than that) didn't capture the webcam video stream. This sort of malware usually just *displays* it to give you a fright and make you more likely to pay.

      I can't promise that the malware you had didn't steal the video data, but you can consider it unlikely. You still need to remove the malware though - the video above gives you some hints on what to do next.

  18. Justidk. · 192 days ago

    Yeah I have the same problem I got some kind of message from spain police that I need to pay 100€ Within 48hours or i will get arrested and when i try to close the window it doesn't allow me to. It says that my computer is blocked damn that scared me.

  19. Anonymous · 169 days ago

    I have found this virus on a mac. How do I remove it?


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.