Remove Homeland Security Ransomware and Unlock Your Screen - How to, Technology and PC Security Forum | SensorsTechForum.com
Remove Homeland Security Ransomware and Unlock Your Screen

A new Lockscreen Trojan belonging to the "Police" family of ransomware has been discovered in the wild. The malware is downloaded directly from remote hosts, creates several files and registry objects, and then locks the user out of the PC, displaying a ransom message that imitates a Homeland Security notice and claims the user has committed a crime. Anyone affected by this malware is strongly advised to follow the step-by-step removal guide after this article as soon as possible.

Name: Homeland Security Ransomware
Type: Lockscreen Trojan
Short Description: The trojan locks the user's computer and poses as police malware accusing the user of crimes.
Symptoms: The user may be unable to access their computer.
Distribution Method: Via other malware or malicious URLs.
Homeland Security Ransomware – Distribution

This malware is believed to be distributed through malicious URLs hidden behind TOR infrastructure. Symantec researchers report the following hosts as the URLs from which the malware is downloaded onto victim computers.

  • http://myfiles(.)pro/uploads/127585935
  • http://77.222.153.252:88/tor

Such links may trigger a so-called drive-by download, which installs the malware payload without the user's knowledge or consent.

Malicious URLs like the ones above are spread online in several ways:

  • Via spam in social media.
  • Via other malware.
  • Via spammed URLs in email messages that redirect to them.

Homeland Security Ransomware In Detail

The trojan's payload consists of a single file in the Windir\Tasks\Microsoft directory: Microsoft auto update.job.

The Trojan also creates registry entries that let it run at Windows startup and perform other unauthorized actions:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"SD" = "%SystemDrive%\[file with random characters]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"SD" = "%SystemDrive%\[file with random characters]"
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\AuthRoot\Certificates\D9065B55F1FF613ECCA839F70A14A3C40EDD7303\"Blob" = [file with random characters]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = 0x00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"HideFastUserSwitching" = 0x00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"DisableChangePassword" = 0x00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"DisableLockWorkstation" = 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Minimal\SRService\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Minimal\AppMgmt\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Minimal\CryptSvc\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Minimal\DcomLaunch\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Minimal\EventLog\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Minimal\HelpSvc\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Minimal\Netlogon\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Minimal\PlugPlay\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Minimal\RpcSs\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Minimal\WinMgmt\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Minimal\dmadmin\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Minimal\dmserver\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\AFD\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\AppMgmt\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\Browser\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\CryptSvc\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\DcomLaunch\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\Dhcp\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\DnsCache\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\EventLog\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\HelpSvc\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\LanmanServer\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\LanmanWorkstation\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\LmHosts\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\Messenger\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\Ndisuio\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\NetBIOS\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\NetBT\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\NetMan\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\Netlogon\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\NtLmSsp\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\PlugPlay\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\RpcSs\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\SRService\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\SharedAccess\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\Tcpip\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\WZCSVC\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\WinMgmt\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\dmadmin\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\dmserver\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\rdsessmgr\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\Network\termservice\"(Default)" = "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootCP\"AlternateShell" = "cmd.exe"
Source: Symantec Security Response

After creating these registry entries, the Trojan may connect to a remote location.
Finally, the ransomware replaces the user's screen with what looks like a locked screensaver: it carries the Homeland Security logo and a message accusing the victim of pornography-related crimes.
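As an added example (not code from the article or from Symantec's write-up), the following read-only PowerShell audit checks a host for the artifacts listed in this section and prints what it finds without removing anything. It assumes an elevated PowerShell 5 or later session on the affected machine, typically after booting to Safe Mode. The key name SafeBootCP is reproduced from the list above while the standard Windows key is SafeBoot, so both are checked; the two task-file paths cover both readings of the directory given above; and the "SD" value name, policy names and certificate thumbprint are taken from the list.

```powershell
# Added audit script (not from the article). Read-only: reports findings, removes nothing.
# Assumptions: elevated PowerShell 5+; "SafeBootCP" copied from the article, standard key
# is "SafeBoot", so both are checked; task-file path tried in both readings of the article.

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Kind, [string]$Where, $Value) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Value = $Value })
}

# Returns a registry value, or $null when the key or the value does not exist.
function Get-RegValue([string]$Path, [string]$Name) {
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    try { Get-ItemPropertyValue -LiteralPath $Path -Name $Name -ErrorAction Stop }
    catch { $null }
}

# 1. Autorun entries named "SD" under Run (HKCU) and RunOnce (HKLM), as listed above.
foreach ($p in @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce')) {
    $v = Get-RegValue $p 'SD'
    if ($null -ne $v) { Add-Finding 'Autorun' "$p\SD" $v }
}

# 2. Lockdown policies the trojan sets to 1 (Task Manager, fast user switching,
#    password change, Win+L). On an unmanaged machine a value of 1 is suspicious
#    unless an administrator or Group Policy set it deliberately.
$policies = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' = @('DisableTaskMgr')
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' =
        @('HideFastUserSwitching', 'DisableChangePassword', 'DisableLockWorkstation')
}
foreach ($p in $policies.Keys) {
    foreach ($n in $policies[$p]) {
        if ((Get-RegValue $p $n) -eq 1) { Add-Finding 'LockdownPolicy' "$p\$n" 1 }
    }
}

# 3. Safe Mode configuration. Subkeys of Minimal/Network decide which services load
#    in Safe Mode; they are dumped for comparison with a known-clean machine, because
#    many names in the article's list are also stock Windows entries. AlternateShell
#    is cmd.exe on stock Windows, so it is reported as informational only.
foreach ($base in @('HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot',
                    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBootCP')) {
    if (-not (Test-Path -LiteralPath $base)) { continue }
    foreach ($mode in @('Minimal', 'Network')) {
        Get-ChildItem -LiteralPath "$base\$mode" -ErrorAction SilentlyContinue |
            ForEach-Object { Add-Finding "SafeBoot-$mode" $_.PSChildName $_.GetValue('') }
    }
    $shell = Get-RegValue $base 'AlternateShell'
    if ($null -ne $shell) { Add-Finding 'SafeBoot-AlternateShell (info)' $base $shell }
}

# 4. The AuthRoot certificate entry from the list above (thumbprint as given there).
$cert = 'HKCU:\Software\Microsoft\SystemCertificates\AuthRoot\Certificates\' +
        'D9065B55F1FF613ECCA839F70A14A3C40EDD7303'
if (Test-Path -LiteralPath $cert) { Add-Finding 'AuthRootCert' $cert 'present' }

# 5. The scheduled-task file; the article's wording allows either of these two paths.
foreach ($f in @("$env:windir\Tasks\Microsoft auto update.job",
                 "$env:windir\Tasks\Microsoft\Microsoft auto update.job")) {
    if (Test-Path -LiteralPath $f) {
        Add-Finding 'TaskFile' $f (Get-Item -LiteralPath $f).LastWriteTime
    }
}

$findings | Format-Table -AutoSize
```

Run it as a script and compare the SafeBoot rows against a clean machine of the same Windows version; the Autorun, LockdownPolicy, AuthRootCert and TaskFile rows are the ones that point directly at this infection.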

Remove Homeland Security Ransomware and Unlock Your Screen

To get rid of this malware, it is strongly advisable to follow the instructions below. They are arranged in order for maximum effectiveness when removing this malware.

1. Boot Your PC In Safe Mode to isolate and remove Homeland Security Ransomware
2. Remove Homeland Security Ransomware with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections by Homeland Security Ransomware in the future
NOTE: Manual removal of Homeland Security Ransomware requires editing system files and the registry, which can damage your PC if done incorrectly. If your computer skills are not at a professional level, a malware removal tool can perform the removal for you in a few minutes.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
