Remove Homeland Security Ransomware and Unlock Your Screen - How to, Technology and PC Security Forum | SensorsTechForum.com

Remove Homeland Security Ransomware and Unlock Your Screen

A new Lockscreen Trojan belonging to the "Police" ransomware family has been discovered in the wild. The malware is downloaded from remote hosts and creates several files and registry objects. It then restricts the user's access to the PC, displaying a ransom message that imitates a Homeland Security notice and claims the user has committed a crime. Anyone affected by this malware is strongly advised to follow the step-by-step instructions at the end of this article to remove it as quickly as possible.

Name: Homeland Security Ransomware
Type: Lockscreen Trojan
Short Description: The Trojan locks the user's computer and claims to be a police notice convicting the user of crimes.
Symptoms: The user may be unable to access his computer.
Distribution Method: Via other malware or malicious URLs.
Detection Tool: Download Malware Removal Tool to see if your system has been affected by Homeland Security Ransomware.
User Experience: Join our forum to discuss Homeland Security Ransomware.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and may not recover 100% of the encrypted files, only some of them, depending on the situation and whether or not you have reformatted your drive.


Homeland Security Ransomware – Distribution

To spread across the web, this malware is believed to be served from malicious URLs concealed behind the TOR network. Researchers from Symantec report the following hosts as the download URLs from which the malware reached victim computers.

  • http://myfiles(.)pro/uploads/127585935
  • http://77.222.153.252:88/tor

Such web links may trigger a so-called drive-by download, which installs the malware's payload without the user's consent or knowledge.

Malicious URLs like the ones above are spread online via several methods:

  • Via spam in social media.
  • Via other malware.
  • Via spammed URLs in email messages that redirect to them.

Homeland Security Ransomware In Detail

The Trojan's payload consists of a single file in the Windir\Tasks\Microsoft directory: Microsoft auto update.job.

The Trojan also creates registry entries that allow it to run at Windows startup and to perform other unauthorized tasks:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"SD" = "%SystemDrive%\[file with random characters]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"SD" = "%SystemDrive%\[file with random characters]"
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\AuthRoot\Certificates\D9065B55F1FF613ECCA839F70A14A3C40EDD7303\"Blob" = [file with random characters]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = 0x00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"HideFastUserSwitching" = 0x00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"DisableChangePassword" = 0x00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"DisableLockWorkstation" = 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Minimal\SRService\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Minimal\AppMgmt\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Minimal\CryptSvc\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Minimal\DcomLaunch\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Minimal\EventLog\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Minimal\HelpSvc\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Minimal\Netlogon\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Minimal\PlugPlay\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Minimal\RpcSs\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Minimal\WinMgmt\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Minimal\dmadmin\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Minimal\dmserver\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\AFD\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\AppMgmt\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\Browser\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\CryptSvc\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\DcomLaunch\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\Dhcp\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\DnsCache\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\EventLog\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\HelpSvc\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\LanmanServer\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\LanmanWorkstation\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\LmHosts\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\Messenger\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\Ndisuio\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\NetBIOS\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\NetBT\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\NetMan\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\Netlogon\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\NtLmSsp\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\PlugPlay\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\RpcSs\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\SRService\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\SharedAccess\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\Tcpip\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\WZCSVC\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\WinMgmt\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\dmadmin\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\dmserver\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\rdsessmgr\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\termservice\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\"AlternateShell" = "cmd.exe"
Source: Symantec Security Response
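The entries above are the indicators a responder would look for when triaging a registry export from an affected machine or a forensic image. The following Python script is an added example, not code from the article or from Symantec: it parses a `reg export` file (the `.reg` text format), reports the "SD" autorun value, the four user-lockout policy values set to 1, and the safe-mode `AlternateShell`, and ignores benign entries. The embedded sample export is constructed; the file name `kfjq3ld9.exe` stands in for the randomly named file on `%SystemDrive%`. The article spells the safe-boot key `SafeBootCP`, while the standard Windows path is `...\Control\SafeBoot`, so the script matches both spellings.

```python
"""Offline triage of a .reg export for the lockscreen indicators listed above.

Added example; the sample below is constructed, not captured from a real host.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample of a `reg export` file. Only the "SD" autorun, the three
# policy values set to 1 and AlternateShell should be reported; the OneDrive
# entry and HideFastUserSwitching=0 are benign controls.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SD"="C:\\kfjq3ld9.exe"
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableChangePassword"=dword:00000001
"DisableLockWorkstation"=dword:00000001
"HideFastUserSwitching"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc]
@="Service"
"""

# Policy values the lockscreen sets to 1 to keep the user locked out.
LOCKOUT_POLICIES = {"disabletaskmgr", "hidefastuserswitching",
                    "disablechangepassword", "disablelockworkstation"}
AUTORUN_KEY = re.compile(r"\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
POLICY_KEY = re.compile(r"\\Windows\\CurrentVersion\\Policies\\System$", re.I)
# The article lists the key as SafeBootCP; Windows itself uses SafeBoot.
SAFEBOOT_KEY = re.compile(r"\\Control\\SafeBoot(CP)?$", re.I)


@dataclass
class Finding:
    severity: str
    key: str
    name: str
    detail: str


def _unescape(s):
    # .reg files escape backslashes and quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Minimal parser for .reg exports: {key_path: {value_name: value}}.
    dword values become ints, strings are unescaped, other types are kept raw."""
    hive, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            hive.setdefault(current, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if current is None or not m:
            continue  # continuation lines of multi-line hex blobs are not joined
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(2))
        rhs = m.group(3)
        if len(rhs) >= 2 and rhs[0] == '"' and rhs[-1] == '"':
            value = _unescape(rhs[1:-1])
        elif rhs.lower().startswith("dword:"):
            value = int(rhs[6:], 16)
        else:
            value = rhs
        hive[current][name] = value
    return hive


def triage(hive):
    """Match the parsed hive against the indicators from the Symantec list."""
    findings = []
    for key, values in hive.items():
        if AUTORUN_KEY.search(key):
            for name, value in values.items():
                if name.upper() == "SD":  # autorun value literally named "SD"
                    findings.append(Finding("high", key, name,
                                            f"lockscreen autorun pointing at {value}"))
        elif POLICY_KEY.search(key):
            for name, value in values.items():
                if name.lower() in LOCKOUT_POLICIES and value == 1:
                    findings.append(Finding("high", key, name, "user lockout policy enabled"))
        elif SAFEBOOT_KEY.search(key):
            shell = values.get("AlternateShell")
            if isinstance(shell, str):
                # cmd.exe is the Windows default here, so on its own it is only context.
                sev = "info" if shell.lower() == "cmd.exe" else "medium"
                findings.append(Finding(sev, key, "AlternateShell", f"safe-mode shell is {shell}"))
    return findings


def triage_reg_text(text):
    return triage(parse_reg(text))


if __name__ == "__main__":
    # `reg export` writes UTF-16; with no argument the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for f in triage_reg_text(text):
        print(f"[{f.severity}] {f.key}\\{f.name}: {f.detail}")
```

Two caveats when reading the results. The Windows default for `AlternateShell` is already `cmd.exe`, so that entry corroborates an infection but does not prove one, which is why it is reported at "info" severity. Likewise, many of the `SafeBootCP\Minimal` and `\Network` service names in the list above (EventLog, PlugPlay, RpcSs and so on) exist on a clean install; compare those subkeys against a known-good baseline of the same Windows version rather than treating each one as an indicator. The "SD" autorun value and the policy values set to 1 are the discriminating signals.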

After creating the malicious registry entries, the Trojan may connect to a remote location.
Finally, the ransomware replaces the user's screen with what looks like a locked screensaver, bearing the Homeland Security logo and a message convicting the victim of pornography-related crimes.

Remove Homeland Security Ransomware and Unlock Your Screen

To get rid of this malware, it is strongly advisable to follow the instructions provided below. They are arranged in order for maximum effectiveness when removing this malware.

1. Boot Your PC In Safe Mode to isolate and remove Homeland Security Ransomware
2. Remove Homeland Security Ransomware with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections by Homeland Security Ransomware in the future

NOTE! Important notice about the Homeland Security Ransomware threat: manual removal of Homeland Security Ransomware requires interfering with system files and the registry and can therefore damage your PC. Even if your computer skills are not at a professional level, don't worry: you can do the removal yourself in about 5 minutes using a malware removal tool.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
