
Remove Homeland Security Ransomware and Unlock Your Screen

A new Lockscreen Trojan belonging to the "Police" ransomware family has been discovered in the wild. The malware is downloaded directly from remote hosts, creates several files and registry objects, and then restricts the user's access to the PC by displaying a ransom message that imitates a Homeland Security notice and accuses the user of a crime. Anyone affected by this malware is strongly advised to follow the step-by-step removal manual after this article to get rid of it as quickly as possible.

Name: Homeland Security Ransomware
Type: Lockscreen Trojan
Short Description: The trojan locks the user's computer and poses as police malware, accusing the user of crimes.
Symptoms: The user is locked out of the computer.
Distribution Method: Via other malware or malicious URLs.
Detection Tool: Download Malware Removal Tool to see if your system has been affected by Homeland Security Ransomware.
User Experience: Join our forum to discuss Homeland Security Ransomware.


Homeland Security Ransomware – Distribution

This malware is believed to be distributed through malicious URLs hosted behind the TOR network. Researchers from Symantec report the following hosts as the URLs from which the malware is downloaded onto victim computers.

  • http://myfiles(.)pro/uploads/127585935
  • http://77.222.153.252:88/tor

Such links may trigger a so-called drive-by download, which installs the malware's payload without the user's consent or knowledge.

Malicious URLs like the ones above are being spread via several methods online:

  • Via spam in social media.
  • Via other malware.
  • Via spammed URLs in email messages that redirect to them.

Homeland Security Ransomware In Detail

The trojan's payload consists of a single file, Microsoft auto update.job, in the Windir\Tasks\Microsoft directory.

The Trojan also creates registry entries that let it run at Windows startup and perform other unauthorized tasks, such as disabling Task Manager, blocking password changes and workstation locking, and allowing itself to keep running in Safe Mode:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"SD" = "%SystemDrive%\[file with random characters]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"SD" = "%SystemDrive%\[file with random characters]"
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\AuthRoot\Certificates\D9065B55F1FF613ECCA839F70A14A3C40EDD7303\"Blob" = [file with random characters]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = 0x00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"HideFastUserSwitching" = 0x00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"DisableChangePassword" = 0x00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"DisableLockWorkstation" = 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Minimal\SRService\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Minimal\AppMgmt\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Minimal\CryptSvc\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Minimal\DcomLaunch\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Minimal\EventLog\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Minimal\HelpSvc\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Minimal\Netlogon\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Minimal\PlugPlay\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Minimal\RpcSs\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Minimal\WinMgmt\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Minimal\dmadmin\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Minimal\dmserver\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\AFD\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\AppMgmt\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\Browser\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\CryptSvc\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\DcomLaunch\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\Dhcp\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\DnsCache\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\EventLog\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\HelpSvc\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\LanmanServer\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\LanmanWorkstation\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\LmHosts\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\Messenger\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\Ndisuio\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\NetBIOS\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\NetBT\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\NetMan\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\Netlogon\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\NtLmSsp\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\PlugPlay\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\RpcSs\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\SRService\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\SharedAccess\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\Tcpip\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\WZCSVC\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\WinMgmt\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\dmadmin\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\dmserver\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\rdsessmgr\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\termservice\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\"AlternateShell" = "cmd.exe"
Source: Symantec Security Response

After creating the malicious registry entries, the Trojan may connect to a remote location.
Finally, the ransomware replaces the user's screen with what looks like a locked screensaver. It carries the Homeland Security logo and a message accusing the victim of pornographic crimes.
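The registry listing above is what an analyst would compare an exported key dump against. The following triage script is an added example, not code from SensorsTechForum or Symantec: it parses lines in the listing's own `HKEY_...\Key\"Name" = data` format and groups the hits into the three behaviours the entries implement (Run/RunOnce persistence, lockout policies, Safe Mode tampering). The sample listing is constructed; the `SafeBoot` prefix match also covers the `SafeBootCP` spelling used in the listing.

```python
import re
from typing import Dict, List, Optional, Tuple

# One line of the Symantec-style listing above: HKEY_...\Key\"ValueName" = data
_LINE = re.compile(r'^(HKEY_\S*?)\\"([^"]*)"\s*=\s*(.+?)\s*$')

# Policies the trojan sets to 1 to keep the victim from regaining control.
LOCKOUT_POLICIES = {"DisableTaskMgr", "HideFastUserSwitching",
                    "DisableChangePassword", "DisableLockWorkstation"}


def parse_entry(line: str) -> Tuple[str, str, str]:
    """Split a listing line into (key path, value name, data)."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a registry listing line: {line!r}")
    return m.group(1), m.group(2), m.group(3)


def _is_one(data: str) -> bool:
    try:
        return int(data, 0) == 1          # accepts 0x00000001 as well as 1
    except ValueError:
        return False


def classify(key: str, name: str, data: str) -> Optional[str]:
    """Return "category: detail" for one value, or None if it matches no indicator."""
    k = key.lower()
    leaf = key.rsplit("\\", 1)[-1]
    if k.endswith(("\\currentversion\\run", "\\currentversion\\runonce")) and name == "SD":
        return f"persistence: {leaf} value 'SD' -> {data}"
    if k.endswith("\\policies\\system") and name in LOCKOUT_POLICIES and _is_one(data):
        return f"lockout: {name} enabled"
    if "\\control\\safeboot" in k:        # SafeBoot\Minimal, SafeBoot\Network, SafeBootCP
        if name == "AlternateShell":
            return f"safe-mode: AlternateShell -> {data}"
        if data.strip('"') == "Service":
            return f"safe-mode: service {leaf} allowed"
    return None


def triage(listing: str) -> Dict[str, List[str]]:
    """Group findings by category: persistence, lockout, safe-mode."""
    out: Dict[str, List[str]] = {}
    for line in listing.splitlines():
        if line.strip():
            finding = classify(*parse_entry(line))
            if finding:
                cat, _, detail = finding.partition(": ")
                out.setdefault(cat, []).append(detail)
    return out


# Constructed sample (not a real export): four indicators plus one benign value.
SAMPLE = r'''
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"SD" = "%SystemDrive%\abc123.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"OneDrive" = "C:\Users\u\OneDrive.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Minimal\SRService\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\"AlternateShell" = "cmd.exe"
'''
```

Running `triage(SAMPLE)` reports one persistence hit, one lockout policy and two Safe Mode changes, and ignores the benign Run value.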

Remove Homeland Security Ransomware and Unlock Your Screen

To get rid of this malware, it is strongly advisable to follow the instructions provided below. They are arranged in order for maximum effectiveness when removing this malware.

1. Boot Your PC In Safe Mode to isolate and remove Homeland Security Ransomware
2. Remove Homeland Security Ransomware with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections by Homeland Security Ransomware in the future

NOTE! Important notice about the Homeland Security Ransomware threat: manual removal of Homeland Security Ransomware requires editing system files and the registry, and can therefore damage your PC. Even if your computer skills are not at a professional level, don't worry: you can do the removal yourself in just 5 minutes using a malware removal tool.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with a passion for discovering new shifts and innovations in cyber security. A strong believer in basic online-safety education for every user.
