Arestocrat (Department of Justice) Virus – Unlock Your PC

This article was created to help you remove the Arestocrat lockscreen "Department of Justice" ransomware infection and unlock your infected computer.

A ransomware virus detected as Ransom.Arestocrat, first seen in 2013, is still active and locks the screens of the computers it infects. The infection downloads malicious files and modifies settings on the infected computer so that it can freeze the screen. The Arestocrat virus then displays a fake message claiming to be from the Department of Justice and accuses the user of illegal activity. In fact, no government department operates this way, and if you have seen the Arestocrat lock screen we strongly suggest reading the following material thoroughly.

Threat Summary

Name: Arestocrat
Type: Ransomware (lockscreen)
Short Description: Locks the computer and displays a fake government message from the DOJ.
Symptoms: A message claiming to be from the Department of Justice is displayed with a ransom demand.
Distribution Method: Spam e-mails, e-mail attachments, file-sharing networks.
Detection Tool: See if your system has been affected by Arestocrat with the Malware Removal Tool.

Arestocrat Virus – How Does It Infect

To spread online, the hackers behind this lockscreen type of virus may take advantage of several different tools and kits. The most commonly used are:

  • Exploit kits.
  • File joiners that combine malicious code with legitimate executables.
  • Spamming bots or services.
  • A pre-created list of good-quality fake e-mail addresses.
  • A list of e-mail addresses to spam.
  • Hacked online accounts.
  • Shady domains and servers for command and control.

Using these tools, the attackers can spam out malicious files and web links that carry the Arestocrat infection. These are typically accompanied by a very convincing e-mail message whose only aim is to get the user to click the malicious link or open the attachment. Example images of such spam e-mails can be seen below:


Besides using new infection methods, the cyber-criminals also use new deceptive tricks, such as addressing the user by the name on the e-mail account in the message text, to build further trust.

In addition to spammed e-mails, the above-mentioned tools may also be used to spread the Arestocrat virus in multiple other ways, such as:

  • Via fake updates of Adobe or Windows posted on shady sites or downloaded via unwanted software.
  • Through fake program licensing patches or key generators uploaded from hacked online accounts on torrent websites.
  • Via game cracks, patches or self-extracting (SFX) archives.

Arestocrat Virus – Further Information

As soon as the user opens the infected file or web link, malicious code may be executed. This code connects to a distribution host and downloads the Arestocrat lockscreen payload over an unsecured web port. After the payload has been downloaded to the infected computer, it may be placed in the following locations:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
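
The following PowerShell script is an added example (not code from the article or its author): a read-only triage pass over the drop locations listed above, reporting recently created executables together with their Authenticode status and SHA-256 hash so they can be compared against vendor knowledge or a sandbox. Because %Local%, %LocalLow% and %Roaming% are not real environment variables, mapping them to the standard AppData folders is my assumption; the 7-day window and the extension list are constructed defaults.

```powershell
# Added example (not from the original article): list recently created
# executable files in the user-profile folders the article names as typical
# Arestocrat drop points. Read-only triage; nothing is deleted or changed.
# %Local%, %LocalLow% and %Roaming% are not real environment variables, so
# they are mapped here to the standard folders they refer to (assumption).

param(
    [int]$Days = 7   # how far back to look; constructed default
)

$dropLocations = @(
    $env:APPDATA,                                     # %AppData% / %Roaming%
    $env:LOCALAPPDATA,                                # %Local%
    (Join-Path $env:USERPROFILE 'AppData\LocalLow'),  # %LocalLow%
    $env:TEMP                                         # common staging folder
)

# Extensions a lockscreen dropper typically arrives as (constructed list)
$suspectExtensions = '.exe', '.dll', '.scr', '.com', '.bat', '.cmd', '.vbs', '.js'
$cutoff = (Get-Date).AddDays(-$Days)

$findings = foreach ($dir in ($dropLocations | Where-Object { $_ -and (Test-Path $_) })) {
    Get-ChildItem -Path $dir -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $suspectExtensions -contains $_.Extension.ToLower() -and
            $_.CreationTime -ge $cutoff
        } |
        ForEach-Object {
            # A valid vendor signature helps separate legitimate updaters from droppers
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                SizeKB    = [math]::Round($_.Length / 1KB, 1)
                Signature = if ($sig) { $sig.Status } else { 'Unknown' }
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            }
        }
}

if ($findings) {
    $findings | Sort-Object Created -Descending | Format-Table -AutoSize
} else {
    "No recently created executables found under the listed locations (last $Days days)."
}
```

Run it from the affected user's session (or in Safe Mode with Networking, where PowerShell is available) and treat unsigned binaries with a recent creation time in these folders as the first candidates to submit to a scanner; the hash column is what you would check against a reputation service.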

Once the malware is in place, it may begin to heavily modify the Windows Registry. The following registry sub-keys may be targeted for modification:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Local AppData
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Templates
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\CommonAppData
  • HKLM\System\CurrentcontrolSet\Hardware Profiles\0001\Software\Microst\windows\CurrentVersion\Internet Settings\ProxyEnable
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
  • HKCU\Software\Microsoft\Windows\Run\qcgce2mrvjq91kk1e7pnbb19m52fx
  • HKCU\Software\Microsoft\Command Processor\AutoRun
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
  • HKCR\CLSID\{random alpha numerical key}\InProcServer32\ThreadingModel
  • HKCR\CLSID\{random alpha numerical key}\InProcServer32\TheadingModel\(Default)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
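
As an added example (not part of the original article or the author's tooling), the PowerShell script below audits the registry locations in the list above and reports values that deviate from a clean Windows default: autostart entries with machine-generated names or binaries in user-writable folders, a cmd.exe AutoRun value, a Winlogon Shell override (the mechanism a lockscreen uses to replace Explorer at logon), proxy and zone-map changes, and Shell Folders redirected outside the user profile. The "suspicious" heuristics are my assumptions; the script reads only and changes nothing. It checks both the standard HKCU Run key and the Run path exactly as printed in the article.

```powershell
# Added example (not part of the original article): read-only audit of the
# registry locations listed above. It reports values that differ from a
# clean Windows default so they can be reviewed; nothing is modified.
# The heuristics for "suspicious" are assumptions, not from the article.

$findings = New-Object 'System.Collections.Generic.List[object]'

function Add-Finding([string]$Key, [string]$Name, $Value, [string]$Why) {
    $findings.Add([pscustomobject]@{ Key = $Key; Name = $Name; Value = $Value; Why = $Why })
}

# Returns a single registry value, or $null if the key or value does not exist
function Get-RegValue([string]$Key, [string]$Name) {
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    $prop = if ($item) { $item.PSObject.Properties[$Name] } else { $null }
    if ($prop) { return $prop.Value } else { return $null }
}

# Provider metadata that Get-ItemProperty adds to every result; not real values
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# 1. Autostart entries: machine-generated names or programs in user-writable folders
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',   # standard location
    'HKCU:\Software\Microsoft\Windows\Run'                   # path as printed in the article
)
foreach ($key in ($runKeys | Where-Object { Test-Path $_ })) {
    $item = Get-ItemProperty -Path $key
    foreach ($p in ($item.PSObject.Properties | Where-Object { $_.Name -notin $providerProps })) {
        if ($p.Name -match '^[a-z0-9]{20,}$') {
            Add-Finding $key $p.Name $p.Value 'value name looks machine-generated'
        } elseif ("$($p.Value)" -match '\\AppData\\|\\Temp\\|\\ProgramData\\') {
            Add-Finding $key $p.Name $p.Value 'starts a program from a user-writable folder'
        }
    }
}

# 2. cmd.exe AutoRun: executed on every console start; empty on a clean system
$cmdKey = 'HKCU:\Software\Microsoft\Command Processor'
$autoRun = Get-RegValue $cmdKey 'AutoRun'
if ($autoRun) { Add-Finding $cmdKey 'AutoRun' $autoRun 'should be empty' }

# 3. Winlogon Shell: a per-user override is how a lockscreen replaces Explorer at logon
$wlUser    = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wlMachine = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shellUser = Get-RegValue $wlUser 'Shell'
if ($shellUser) { Add-Finding $wlUser 'Shell' $shellUser 'per-user shell override; absent on a clean system' }
$shellMachine = Get-RegValue $wlMachine 'Shell'
if ($shellMachine -and $shellMachine -ne 'explorer.exe') { Add-Finding $wlMachine 'Shell' $shellMachine 'expected explorer.exe' }

# 4. Proxy and zone-map settings the infection touches
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ((Get-RegValue $inet 'ProxyEnable') -eq 1) {
    Add-Finding $inet 'ProxyServer' (Get-RegValue $inet 'ProxyServer') 'proxy enabled; confirm it is yours'
}
foreach ($n in 'UNCAsIntranet', 'AutoDetect') {
    $v = Get-RegValue "$inet\ZoneMap" $n
    if ($null -ne $v) { Add-Finding "$inet\ZoneMap" $n $v 'informational; compare with a known-good machine' }
}

# 5. Shell Folders: rewriting these redirects where Windows stores per-user data
$sf = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
foreach ($n in 'AppData', 'Local AppData', 'Cache', 'Cookies', 'History', 'Templates') {
    $v = Get-RegValue $sf $n
    if ($v -and -not "$v".StartsWith($env:USERPROFILE, [StringComparison]::OrdinalIgnoreCase)) {
        Add-Finding $sf $n $v 'points outside the user profile'
    }
}

if ($findings.Count -eq 0) { 'No deviations found in the audited keys.' }
else { $findings | Format-Table -Wrap -AutoSize }
```

The Winlogon and Command Processor checks are the most decisive: neither value exists under HKCU on a clean installation, so any hit there is worth investigating even if the Run key looks normal. The ZoneMap lines are reported as informational because legitimate group policy also sets them.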

After these modifications are made, the lockscreen virus may force a reset of the user's computer, after which the Arestocrat lock screen may appear:

From there, the user is told to pay a "fee" to regain access to the computer. Police-themed ransomware of this kind is nothing new, and fortunately it does not encrypt files, meaning it can be removed.

Remove Arestocrat Lockscreen Ransom Completely

For the removal of this ransomware, we strongly suggest following the removal instructions below. They are designed to help you bypass the lock screen by booting your computer into Safe Mode, after which you can perform the removal either manually or automatically. For maximum effectiveness, we recommend removing the malicious objects automatically by following the removal instructions below and downloading an advanced anti-malware program. It will remove the files from your computer, revert all the settings back to normal by removing the malicious objects controlling them, and in the meantime protect your computer against future ransomware infections.

Manually delete from your computer

Note! Important notice about the threat: manual removal of Arestocrat requires changes to system files and the registry, so it can damage your PC if done incorrectly. Even if your computer skills are not at a professional level, don't worry. You can do the removal yourself in just 5 minutes using a malware removal tool.

1. Boot your PC in Safe Mode to isolate and remove files and objects
2. Find malicious files created by Arestocrat on your PC
3. Fix registry entries created by Arestocrat on your PC
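
The following PowerShell script is an added example (not the article's own procedure or the author's tool) that wraps the reversible parts of steps 1 and 3: scheduling the next boot into minimal Safe Mode with bcdedit (and undoing it afterwards), and removing the per-user persistence values named in the registry list earlier in the article, with the machine-wide Winlogon shell restored to explorer.exe. Every change is a dry run unless -Apply is given, and the Run value name used is the one printed in the article; substitute the entries your own audit found. It must be run from an elevated PowerShell.

```powershell
# Added example (not part of the original article): dry-run-by-default helper
# for the manual steps above. Without -Apply it only previews each change.
# Value names below are taken from the article's key list as illustrations;
# replace them with the entries your own audit identified.
param([switch]$Apply)

$preview = -not $Apply   # every registry change is previewed unless -Apply is given

# Step 1: make the next reboot start in minimal Safe Mode, and undo it afterwards.
# The braces must be quoted, otherwise PowerShell parses {current} as a script block.
function Enable-SafeBoot  { bcdedit /set '{current}' safeboot minimal }
function Disable-SafeBoot { bcdedit /deletevalue '{current}' safeboot }

# Step 3: remove a persistence value only if it actually exists
function Remove-PersistenceValue([string]$Key, [string]$Name) {
    if (-not (Test-Path $Key)) { "skip: $Key does not exist"; return }
    $item = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.PSObject.Properties[$Name]) {
        "skip: $Name is not set under $Key"; return
    }
    Remove-ItemProperty -Path $Key -Name $Name -WhatIf:$preview
}

function Restore-WinlogonShell {
    # A per-user Shell override should not exist at all; the machine-wide default is explorer.exe
    Remove-PersistenceValue 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Shell'
    Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' `
        -Name Shell -Value 'explorer.exe' -WhatIf:$preview
}

# Entries to clean (cmd.exe AutoRun, the random Run value from the article, the logon shell)
Remove-PersistenceValue 'HKCU:\Software\Microsoft\Command Processor' 'AutoRun'
Remove-PersistenceValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' 'qcgce2mrvjq91kk1e7pnbb19m52fx'
Restore-WinlogonShell

if ($preview) {
    'Dry run complete. Re-run with -Apply to make the changes; call Disable-SafeBoot before the final reboot.'
}
```

Call Enable-SafeBoot, reboot, run the script with -Apply, then call Disable-SafeBoot and reboot again; leaving the safeboot entry in place would keep the machine in Safe Mode on every start.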

Automatically remove by downloading an advanced anti-malware program

1. Remove Arestocrat with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against future infections and file encryption
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with a passion for discovering new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

